8

I am trying to learn NodeJS and saw these three functions/classes in a tutorial but couldn't understand what they are and when should we use which one?

Do I need to use both passport-local and passport-jwt at the same time or only one of them?

Yogesh Umesh Vaity
  • 41,009
  • 21
  • 145
  • 105
Hasani
  • 3,543
  • 14
  • 65
  • 125

3 Answers

14

Passport is nodejs 'Connect style middleware' for user authentication. You're most likely to see it as Express middleware. To use passport you need to use passport and a 'strategy' defining what you are using to authenticate against. This could for example be Facebook or Google via oauth, SAML, or simply cookies. So to use Passport you need to require both the passport module itself and the relevant 'strategy' module.

To use a 'strategy' you use the strategy constructor to configure passport. The 'local' example given in the docs is slightly obtuse when you first come across passport, so using the Google example may make it a little easier to understand:

var passport = require('passport'); // passport
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy; // You also need to import the Google 'strategy'

// configure passport to use the Google strategy by passing the GoogleStrategy constructor to passport.use()
passport.use(new GoogleStrategy({
    clientID: GOOGLE_CLIENT_ID,
    clientSecret: GOOGLE_CLIENT_SECRET,
    callbackURL: "http://www.example.com/auth/google/callback"
  },
  function(accessToken, refreshToken, profile, done) {
       User.findOrCreate({ googleId: profile.id }, function (err, user) {
         return done(err, user);
       });
  }
));

// now you can use passport.authenticate() with the google strategy
app.get('/auth/google',
  passport.authenticate('google', { scope: ['https://www.googleapis.com/auth/plus.login'] }));

// GET /auth/google/callback, which Google sends your user to after they authenticate using OAuth
app.get('/auth/google/callback',
  passport.authenticate('google', { failureRedirect: '/login' }),
  function(req, res) {
    res.redirect('/');
  });

passport-local is the strategy you would use if you are authenticating against a username and password stored 'locally' i.e. in the database of your app - 'local' means local to your application server, not local to the end user.

passport-jwt is the strategy for using JSON Web Tokens.

Hugh
  • 371
  • 1
  • 8
  • Where should we use which of them? – Hasani Jul 21 '20 at 11:59
  • 2
    You would use `passport` if you want a system for logging users in securely to a web app running on nodejs - usually that is likely to be an [express](https://expressjs.com) app. You always need `passport` **plus** _one_ of the others, depending on how you want to authenticate your users and whether you want to store their credentials. As @divyani says in the other answer, JWT would usually be for an API endpoint – Hugh Jul 21 '20 at 23:11
9

passport: Passport is authentication middleware for Node.js. Passport uses the concept of strategies to authenticate requests. Strategies can range from verifying username and password credentials, delegated authentication using OAuth (for example, via Facebook or Twitter), or federated authentication using OpenID.

passport-local: The local authentication strategy authenticates users using a username and password. The strategy requires a verify callback, which accepts these credentials and calls done providing a user.

passport-jwt: This module lets you authenticate endpoints using a JSON web token. It is intended to be used to secure RESTful endpoints without sessions.

Divyani Singh
  • 491
  • 8
  • 16
  • Where should we use which of them? – Hasani Jul 21 '20 at 12:00
  • 4
    So passport-jwt can be used for secure RESTful endpoints without sessions and passport-local can be used to authenticate using a username and password in any Node.js applications. – Divyani Singh Jul 21 '20 at 17:02
  • 2
    passport-jwt:
    var JwtStrategy = require('passport-jwt').Strategy; // the snippet assumes these two passport-jwt imports
    var ExtractJwt = require('passport-jwt').ExtractJwt;
    var opts = {};
    opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
    opts.secretOrKey = 'secret';
    opts.issuer = 'accounts.examplesoft.com';
    opts.audience = 'yoursite.net';
    passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
      User.findOne({id: jwt_payload.sub}, function(err, user) {
        if (err) { return done(err, false); }
        if (user) {
          return done(null, user);
        } else {
          return done(null, false);
          // or you could create a new account
        }
      });
    }));
    – Divyani Singh Jul 21 '20 at 17:02
  • 2
    passport-local:
    var LocalStrategy = require('passport-local').Strategy; // the snippet assumes this passport-local import
    passport.use(new LocalStrategy(
      function(username, password, done) {
        User.findOne({ username: username }, function (err, user) {
          if (err) { return done(err); }
          if (!user) { return done(null, false); }
          if (!user.verifyPassword(password)) { return done(null, false); }
          return done(null, user);
        });
      }
    ));
    – Divyani Singh Jul 21 '20 at 17:03
0

It can be understood that passport is a basic package

  • passport-local uses local storage authentication. After successful login, use session and cookie to maintain login status
  • passport-jwt uses jwt authentication, which is applicable to the api interface, and uses token Authorization and other request headers to maintain login status
puz_zle
  • 459
  • 5
  • 7