- 81
- 1 676 723
Code Realm
Canada
Joined 27 Nov 2017
JavaScript, TypeScript, NodeJS, React, MongoDB, you name it.
Authentication in Node.js - #9 Session Timeout
To secure sessions against impersonation, it's important to impose expiration timeouts. One of them is the inactivity or idle timeout, whereby if the user remains idle for a given period, their session auto-expires. If they remain active, however, their session expiry rolls over on each request.
While useful for keeping users signed in on most websites, this has an interesting implication: if the user continues to ping the server periodically, they can prolong their session indefinitely. If you'd like to read more, I first reported this behavior in the express-session repo: github.com/expressjs/session/issues/624. To circumvent this issue, we need to impose an absolute timeout.
With an absolute timeout, the session expires after a fixed period of time regardless of whether the user is still active or not. While it may hinder user experience, an absolute timeout is nonetheless recommended by OWASP to minimize the risk of session hijacking: github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#absolute-timeout
In express-session, there is a pending PR to implement a maximum duration on sessions: github.com/expressjs/session/pull/595. It's been open since mid-2018, however, so it probably won't be merged soon. In the meantime, we can implement a fairly straightforward home-grown solution by simply keeping track of the session creation date. We'll explore this approach in detail in this video.
GitHub repo github.com/alex996/node-auth
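The description above contrasts a rolling idle timeout (which a periodically pinging client can extend forever) with an absolute timeout keyed off the session creation date. The following is an added example written for this page, not code from the alex996/node-auth repo or from express-session itself: a middleware in the express-session (req, res, next) style that enforces both limits, plus a small simulation harness that replays request timelines against it. The option names idleTimeoutMs and absoluteTimeoutMs, the injectable now clock, the session fields createdAt and lastSeenAt, and the cookie name 'sid' are all assumptions made for the demo.

```javascript
// Added example: idle (rolling) timeout plus an absolute timeout, written in the
// express-session middleware style. Not code from the alex996/node-auth repo;
// the option names, the injectable `now` clock, the session field names and the
// cookie name 'sid' are assumptions made for this demo.

const MIN = 60 * 1000; // milliseconds per minute

// Returns (req, res, next) middleware. Mount it after express-session so that
// req.session exists. The timestamps are stored on the session itself, so they
// live in the session store (e.g. Redis) and survive multiple server processes.
function sessionTimeouts({ idleTimeoutMs, absoluteTimeoutMs, now = Date.now }) {
  return function (req, res, next) {
    const s = req.session;
    if (!s) return next(); // no session middleware ran; nothing to enforce
    const t = now();

    // First request after login: record when the session was created.
    if (typeof s.createdAt !== 'number') {
      s.createdAt = t;
      s.lastSeenAt = t;
      return next();
    }

    const idleFor = t - s.lastSeenAt; // time since the previous request
    const age = t - s.createdAt;      // time since the session was created

    if (idleFor > idleTimeoutMs || age > absoluteTimeoutMs) {
      // Hard expiry: drop the server-side state and make the client log in again.
      return s.destroy((err) => {
        if (err) return next(err);
        res.clearCookie('sid');
        res.status(401).json({ message: 'Session expired' });
      });
    }

    // Only the idle window rolls forward on activity; createdAt never changes,
    // so periodic pings cannot stretch the session past absoluteTimeoutMs.
    s.lastSeenAt = t;
    return next();
  };
}

// Simulation harness (constructed for this example): replays a list of request
// times (ms) against the middleware using a fake session and a fake res, and
// returns the HTTP status observed for each request. Once a session has been
// destroyed, the next request behaves like a fresh login and gets a new session.
function runScenario({ idleTimeoutMs, absoluteTimeoutMs, requestTimesMs }) {
  let clock = 0;
  const mw = sessionTimeouts({ idleTimeoutMs, absoluteTimeoutMs, now: () => clock });
  let session = null;
  const statuses = [];

  for (const t of requestTimesMs) {
    clock = t;
    if (session === null) {
      // Minimal stand-in for express-session's req.session: destroy(cb) drops it.
      session = { destroy(cb) { session = null; cb(null); } };
    }
    let status = null;
    const res = {
      clearCookie() { return this; },
      status(code) { status = code; return this; },
      json() { return this; },
    };
    mw({ session }, res, (err) => { status = err ? 500 : 200; });
    statuses.push(status);
  }
  return statuses;
}

if (typeof require !== 'undefined' && require.main === module) {
  // A client pinging every 5 minutes never trips the 10-minute idle timeout,
  // but the 30-minute absolute timeout still ends the session at the 35-minute mark.
  console.log(runScenario({
    idleTimeoutMs: 10 * MIN,
    absoluteTimeoutMs: 30 * MIN,
    requestTimesMs: [0, 5, 10, 15, 20, 25, 30, 35, 40].map((m) => m * MIN),
  }));
}
```

In a real app this sits right after the session middleware (app.use(session({...})); app.use(sessionTimeouts({...}))). express-session already gives you a rolling idle timeout through cookie.maxAge with rolling: true; the point of the example is that the absolute limit must be checked against a creation timestamp that activity never refreshes. With absoluteTimeoutMs set to Infinity the same ping-every-5-minutes timeline never expires, which is exactly the indefinite-prolongation behaviour the description warns about.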
Views: 14,420
Videos
Authentication in Node.js - #8 Protected Fields in Mongoose
5K views, 4 years ago
Oftentimes, when building the user's endpoint in a REST API (typically, /me or /home), you'd want to only expose a subset of the fields stored in the database table or collection. Specifically, you'd need to hide sensitive fields including the password hash, as well as meta data such as the version key, from the server response. In Mongoose, there are several ways to achieve that. First, you co...
Authentication in Node.js - #7 Login & Logout
36K views, 4 years ago
In this video, we are going to implement login and logout functionality in our app. At a high level, the authentication flow goes like this. When the user signs in, we validate their email address and password, match them with a user in our database, create a session in cache, and issue a session cookie. When the user logs out, we destroy the session and unset the cookie. Both routes should be ...
Authentication in Node.js - #6 Password Security
9K views, 4 years ago
The NPM ecosystem offers two popular implementations of the bcrypt hashing algorithm, bcrypt and bcryptjs. bcryptjs is written in pure JavaScript and has zero dependencies, whereas bcrypt is written in C and requires node-gyp, Python 2, and GCC compiler. bcrypt does offer some pre-compiled binaries, but in many instances, you'd need to build it manually for your particular architecture and OS. ...
Password Hashing and Storage
4.6K views, 4 years ago
In this video, we're going to explore the theory behind password hashing and password storage. We'll start off with a rundown of cryptography, including hashing and encryption for security, as well as encoding, such as base64 and hex, for transport. We will then go through the typical password verification flow and discover several hashing algorithms used for passwords, including bcrypt. As you...
Authentication in Node.js - #5 Error Handling
9K views, 4 years ago
Following up on our previous video about registration, we are going to implement proper error handling in this episode. Currently, any unhandled promise rejection such as the case with validation, causes the response to time out. This is because in Express, any exception thrown in an asynchronous route handler needs to be passed to next() explicitly. We can ameliorate this with repeated try-cat...
Authentication in Node.js - #4 Registration
13K views, 4 years ago
In this video, we're going to tackle the first core feature of user authentication, that is registration. When signing up with our app, a user would need to submit some personal data, which we're going to validate with Joi. @hapi/joi is a library for server-side validation with a very expressive and elegant API. We'll also have a bit of custom logic to check for the existence of a user account ...
Authentication in Node.js - #3 Docker Compose for Development
12K views, 4 years ago
When it comes to provisioning a local dev environment, you have at least 4 choices. One, you can offload all the heavy lifting to a 3rd-party service. For example, you could use Atlas or mLab for MongoDB, and Redis Labs for Redis. Just copy-paste the connection string, and you're ready to go. Otherwise, you could also install mongodb-org and redis-server locally on your machine. This is the mos...
Authentication in Node.js - #2 Connecting to MongoDB & Redis
25K views, 4 years ago
In this video, we will wire up our application to MongoDB and Redis. We will also configure Express sessions and set up configuration files with environment variables. Be sure to watch the previous video (especially, the latter half) so that you have the requisite project structure in place. The default in-memory store in express-session leaks memory and doesn't scale beyond a single process, a...
Authentication in Node.js - #1 Intro
23K views, 4 years ago
Welcome back to the channel! In this series, we're going to build a secure authentication system in Node.js featuring email confirmation, password reset, remember me, and more. We'll use Express for routing, MongoDB for data persistence, and Redis for session storage. I'll also be using TypeScript for type-checking and auto-complete, although it's entirely optional, and you can safely follow th...
Build a Modern JS Project - #12 Publish to GitHub Pages & NPM
23K views, 5 years ago
Hey guys, in this final episode we are going to create our very first release, publish the package on NPM, and deploy Storybook to GitHub pages. This is going to be a closing video for the playlist, and we've got quite a few things lined up, so let's get into it! First, we already have a nifty component playground that we can show off to the public. With Storybook, we can build our project into...
Build a Modern JS Project - #11 Travis CI & Coveralls
12K views, 5 years ago
In this video, we'll walk through setting up a build pipeline with Travis CI and collecting coverage reports from our unit tests using Coveralls. Be sure to check out the CI/CD basics video first ua-cam.com/video/hZ0vNZGHUIY/v-deo.html to get on board. Travis CI runs your jobs in phases, including install (to install the dependencies), script (to build the source), and deploy (to optionally dep...
Build a Modern JS Project - #10 Snapshot Tests
3.2K views, 5 years ago
Now that we have a handful of React components, it's about time to test them. Since they are nothing more than pure functions, they are perfect candidates for TDD, but because they were the first ones to get added along with the build process, we can give them a pass this time. In general, it's worthwhile to start with the test case (or story, if tests are integrated in Storybook) first, and mo...
Build a Modern JS Project - #9 Storybook
6K views, 5 years ago
Our project is starting to take shape and is already featuring several runnable examples for both browsers and Node. The library users can now refer to the example code to speed up integration or even run the demos on their own. This serves as both documentation and demo code for the public. However, it does not address the need for a development environment. We can certainly preview our compon...
Build a Modern JS Project - #8 Module Systems
6K views, 5 years ago
In this video, we will explore three bundle formats that our module ships with. These are CommonJS as a fallback for Node.js, ES Modules for SPA or SSR with a modern build setup (Webpack, Parcel, etc.), and UMD for global use in browsers via CDN (as well as backwards compat with legacy AMD and UMD). Each bundle will be referenced through a field in package.json. First, we'll configure our CJS b...
MERN Stack & GraphQL - #15 Query Population
7K views, 5 years ago
MERN Stack & GraphQL - #14 Creating a Chat
7K views, 5 years ago
Build a Modern JS Project - #7 Components & Styling
4.4K views, 5 years ago
Build a Modern JS Project - #6 Babel & React
8K views, 5 years ago
MERN Stack & GraphQL - #13 Models & Relationships
4.5K views, 5 years ago
MERN Stack & GraphQL - #12 Session Lifetime
3.1K views, 5 years ago
MERN Stack & GraphQL - #11 Custom Schema Directives
6K views, 5 years ago
Build a Modern JS Project - #5 Rollup with CJS, ESM & UMD
24K views, 5 years ago
Build a Modern JS Project - #4 Pre-commit with Husky & lint-staged
21K views, 5 years ago
Build a Modern JS Project - #3 ESLint, Prettier & EditorConfig
13K views, 5 years ago
Build a Modern JS Project - #2 What is a Build Process? (CI/CD)
8K views, 5 years ago
Build a Modern JS Project - #1 Intro
29K views, 5 years ago
MERN Stack & GraphQL - #10 Authentication (Part 2)
5K views, 5 years ago
MERN Stack & GraphQL - #9 Authentication (Part 1)
10K views, 5 years ago
Thanks
You lost me at "7*4 = 24 chars..." ?? (3:48) but thanks for trying.
well explained thanks
BEST VIDEO EVER PRODUCED! ON AUTH
What a great video, clears many questions I had!
It would have been better if you had shown an example of that instead of reading all the lines, which is kind of boring.
Can somebody please explain why a stateless JWT contains user data when a stateful one contains the user id only? It sounds confusing.
Let's always do a lot of good 🔥
Finally, an explanation of web authentication for people who are not 5 year olds.
Exactly what I've been looking for. 🚀 Thank you so much!
great explanation. thanks.
This video is my top pick for the year. Thanks for the awesome content - it really made a humongous difference for me!
Hello Alex, thank you for this content. I want to see it on localhost while coding. How do I bundle and serve it?
Thx, so useful
Awesome, very cool
Absolutely fantastic! <3
awesome tutorial. Thank you so much
Hey I know this is an old video, but this video is what secured these concepts in my head. Every second of the video is high quality information with very little noise. Thanks!
I don't get the point from 26:50. Why would a server need a blacklist of revoked tokens? If the token has an expiration field and a signature, isn't that enough to prevent users from using expired tokens? Thanks!
Bro is a robot
Thank you.
Thanks for the excellent video. Clarified a few doubts I had. Keep it going.
That was a very helpful approach of explanation. I managed to debug and fix my environmental variables issue I had. Thank you sir.
concise!
Thank you!
Just to say: sessions are cookies. There is also an alternative where you use a cookie to wrap a JWT token (to have the pros of both worlds). To deal with the cons of tokens and multi-website authentication, the use of an intermediate website to handle the connection is possible, and that website will have its own mechanism for authenticating using cookies. This website will redirect to your website with a token at the end (I simplify the workflow since there are more exchanges than that between your server and this auth server), but it's simply the SSO, OAuth/OIDC mechanism. It's not that hard to implement your own OAuth mechanism using JWT. So basically you can do it, and if you have websites A, B, C + one website to handle the auth using SSO, then if you connect on A you will obtain a JWT for A that you wrap inside a cookie + the same for your auth website; next time, when you try to connect to a website, you will already be connected to the auth website and receive the JWT token for website B, for example, even if you are not connected to B yet, so you could wrap it inside a cookie.
We can mitigate XSS attacks by storing the JWT token in a cookie instead of local storage, so that JS clients have no access to the token. Furthermore, the cookie should only be sent over HTTPS, with the SameSite=Strict option to prevent CSRF attacks.
I really saw a lot of videos, but the way you've summarized is just amazing! Keep up the excellent work! Definitely subscribing!
You are the best🤗
Thank you.
Alex you are a great developer. Congrats!
Finally. An explanation that actually MAKES SENSE.
Thank you for the thorough presentation. However, I would like to propose a correction. Rails stores the session in a cookie. NOT the session id, but the session object. It's Rails' default session storage (CookieStore). This storage is always on the client. In the video, you say every session is stored server-side (min 2:26), which is not true in the case of the session cookie Rails deals with.
I'm watching you in 2023. Keep going 💪💪💪 don't stop 🌹🌹
I like your way of teaching
Wow you explain very well! thanks
mongosh -- "$MONGO_INITDB_DATABASE" <<EOF
db.createUser({
  user: "$MONGO_USERNAME",
  pwd: "$MONGO_PASSWORD",
  roles: [{ role: 'readWrite', db: "$MONGO_INITDB_DATABASE" }]
})
EOF
This is amazing. Very clearly explained ❤
After I have authenticated and the user is logged in, can I now send requests directly using axios? Or should I continue to do this with the help of a TOKEN?
Thanks for these videos, man! But the eslint and prettier commands are not working any more :(
Excellent explanation. It covers everything you need to know about web auth. It saved me a lot of time and effort to learn it on my own. Very compact and clear. Thank you!!
One of the best videos on JWT and session token management. Great work!
What happened? It's been two years since the last video was uploaded.
Timestamps:
Authentication: 0:16
Session Auth/Flow: 1:24
Session Auth/Features: 2:21
Cookies: 4:10
Cookies/Security: 5:50
Cookies/Attributes: 7:14
Cookies/Flags: 8:02
CSRF: 8:47
Tokens/Flow: 9:35
Tokens/Features: 10:53
JWT: 13:04
JWT/Security: 16:23
Very informative.
I'm just exhausted, please tell me how to make my React app SEO friendly
Great video!
Thank you so much, sir, for this detailed session on client-side web security and cookie session things.
Thank you so much for this. One question: what is this session ID used for? Do I use that to reference a user in the database instead of a user ID (for security)?