
I'm creating a back-end in NodeJS that will register a user with a hashed password to save in our database. I'm using bcrypt to hash the password and then bcrypt's compareSync when a user wants to sign in with the created password.

I don't really see a point in using Passport Local-strategy for this case, since the only thing I'm doing in the local middleware is to use bcrypt's compareSync to see if the passwords are the same or not, which I can easily do in my own middleware and write that middleware to include the stuff I want.

The Passport middleware-code I'm using right now is:

var passport = require('passport');
var passportLocal = require('passport-local').Strategy;
var bcrypt = require('bcrypt');
var r = require('rethinkdbdash')(); // assumption: a pooled driver, matching the .run() call without a connection

passport.use(new passportLocal(function (username, password, done) {
  r.table('user').filter({username: username}).limit(1).run()
    .then(function (doc) {
      // _data is a private field of the driver's result object, not documented API
      if (doc._data && doc._data.length === 1) {
        var data = doc._data[0][0];
        if (data.password) {
          if (bcrypt.compareSync(password, data.password)) {
            done(null, data);
          } else {
            done(null, false, {message: 'Invalid username or password'});
          }
        } else {
          done(null, false, {message: 'The user does not exist'});
        }
      } else {
        done(null, false, {message: 'Invalid username or password'});
      }
    })
    .catch(function (err) {
      console.error(2222, err);
      done(err);
    });
}));

So the question is whether I'm missing out on some security stuff that I would get with Passport, compared to creating my own middleware that checks the password with bcrypt?

Philip Kirkbride
jwanglof
  • Ouch. That callback pyramid... :S – Dan Jul 15 '15 at 08:16
  • Passport is just convenience, it doesn't necessarily add extra security. So if you implement your middleware in a proper way, you're not missing out on anything. – robertklep Jul 15 '15 at 08:21
  • 1
    The 'security' part of your local strategy is your bcrypt. Passport doesn't give you any security at all. However, by *not* using passport you lock yourself out of using a convenient pattern (`passport.authenticate()`) or expanding to use other authentication providers without a significant refactor. And, honestly, I think the issue you have with your code could be solved by proper separation of concerns and is nothing to do with passport. – Dan Jul 15 '15 at 08:25
  • Thanks @robertklep =) – jwanglof Jul 16 '15 at 07:40
  • @DanPantry Can you elaborate what separation I should do? – jwanglof Jul 16 '15 at 07:41

1 Answer


Simply put, Passport.js makes it easy to integrate 3rd party logins. You should use it if there is any chance that you may want to add one of these services in the future.

If you don't plan to use any 3rd party login services there may still be the benefit of familiarizing yourself with a library which has essentially become industry standard for authentication, as far as node.js is concerned.

That said, there is no reason you can't provide the equivalent services with your own custom authentication script.

Philip Kirkbride