Select the appropriate node. JS Authorization Authentication Policy

Select the appropriate node. JS Authorization Authentication Policy

CHSZS, reprint need to indicate. Blog home: Http://blog.csdn.net/chszs

English Original: https://stormpath.com/blog/choosing-nodejs-authentication-strategy/

node. JS is on the rise! I've been working with node since 2010, and that's when I watched it grow from a small personal project into a fully functional, primary tool that allows modern developers to build real, important, large applications. A complete solution ecosystem has sprung up to help node developers, as well as the rapid evolution of ecosystems themselves. But with its rapid evolution, it's getting harder to find the right solution for you, because there's too much noise from Google search or NPM (the third-party Library of node. JS is too big to choose the right one).
Authorized authentication and user management are especially difficult and changeable areas of the block. But when you create a real app with node, it's the first component you need. The purpose of this guide is to show you how to implement user management and authorization authentication with node.

What are the options available for the node ecosystem?

There are several different methods for node ecosystem to build user management at present. In general, there are:
1) passport.js Library or Everyauth library
passportjs:http://passportjs.org/
Everyauth:https://github.com/bnoguchi/everyauth
2) Use your own database and hashing algorithm
3) cloud service with "user management as a service"

Passport.js/everyauth

The

Passportjs and Everyauth are both node's authorized authentication middleware, both leveraging the Connect middleware framework. This means that if you use frames such as Express, restify, or sails, you can easily integrate any of these authentication middleware (or policies) directly into your application. Everyauth is only suitable for embedding policies, however Passportjs can choose which policy to use. The strategy that developers use Passportjs usually takes is Facebook and Google, but also includes username/password authentication from the local, to a large number of OpenID, OAuth third-party certifications, and even Passportjs's stormpath strategy.
Note: Stormpath is a user management API that reduces development time and provides a ready-to-use user management infrastructure. Stormpath Intuitive APIs and expert support make it easy to develop users and roles that empower authentication, management, and security.

Although both Everyauth and Passport are built on the same middleware framework connect, they each have their own pros and cons. The Passport is more flexible and modular, while Everyauth provides additional functionality to support Routing and login/register views. But many node developers choose Passport because it doesn't use promises.  
because both Passport and Everyauth are built on connect, both can help you achieve session management, including:  
1) Serialization of Authenticated Users
2) session management  
3) Log off user  

In addition, they are well suited for simple, easy-to-use user authentication, but are not designed for complex user management needs due to design limitations. You still need to design, implement, and maintain other parts of your user management infrastructure.
For example, if you are using the passport-local policy (this policy requires that the user name and password required for authorization authentication be stored in your own database), the passport itself does not process the user's registration and account certification. You need to use database modules to authenticate, create accounts, track authentication status, create authentication tokens, send mail, and verify accounts. This means that developers will need to consider the security of URLs, remove expired tokens, and other security constraints, such as the correct hashing of passwords in the database.

using its own database and hashing algorithm

The DIY approach does not depend on any middleware. Choose your own technology stack, use a database to store user information (possibly PostgreSQL or MongoDB), and use a hashing algorithm to generate a password hash (possibly Bcrypt or scrypt). Searching for bcrypt or scrypt in NPM can lead to changes in the quality of many modules, bcrypt or Scrypt modules have their own set of dependencies. It is important to note that if you use Windows development, we recommend the native JS implementation of Bcrypt, see Https://github.com/shaneGirish/bcrypt-nodejs.
After selecting the technology stack, you need to establish user management and authorization authentication. Historically, this approach is extremely common, but it is tedious, error-prone, and requires more maintenance than other methods.
You need to add/fix:
1) account creation
?Create user mode to maintain user data
?Create accounts and store passwords that use bcrypt/scrypt hash and add salt
?Send a message with an account authentication token
2) Account Authorization certification
?Verify user identity (compare hash values)
3) Account Management
?Password reset Workflow (Generate token/make token invalid)
?Role-based access/licensing
4) integration with ID and third-party social authentication service providers
5) system security
?Prevent unauthorized access to the database
?Prevent unauthorized access to the operating system
6) Data Backup

The biggest challenge for authorized authentication and user management is maintenance. In the case of password hashing, the correct approach is that you choose a hashing algorithm based on cost factors, which deliberately slows down the hashing algorithm (about 300~700 milliseconds) to prevent brute force attacks. But today it is true that it may not be safe tomorrow. If the application you are creating is coming online, you should change the hash policy once a year.
Although the node community opposes this approach, there are some benefits to this approach. You have complete control of your infrastructure. If your tools are not good enough to deliver to your customers and meet complex needs, then you should be able to invest your resources in identity authentication and user management. Fortunately, applications and developers rarely have this requirement, so open source tools and open API Services can help us deliver products faster and better.

User Management as a service

Over time, software has been released from on-premises to the cloud, to distributed API services. At the same time, development teams are beginning to rely on open source software and open API services, even as important as their own code. Therefore, the user management module is removed, using the rest API and open SDK to achieve new user management, complete the development of the application. Stormpath supports this approach. In particular, the node community, which has adopted this service-oriented approach, is far ahead of any community in any other language.
Typically, API-driven services provide more general functionality around user management, and are not just authorized authentication. Service providers also offer a variety of additional features, often including:
1) Email verification of the account
2) Password reset workflow
3) Role-based access/permissions
4) non-modal user profiles
5) Dual Factor identity authentication
6) Single sign-on between applications
7) Integration of social logins (Facebook, Google, etc.)
8) integration with node's certified middleware such as Passport

In addition to these purely functional features, it also provides fairly reliable security and operability. Provides developers with all the infrastructure to expand to absorb user traffic spikes and to handle user data security issues.
Using an API service can often provide more convenience and greater security, while also reducing the cost of development and maintenance. Developers can focus more attention on the unique parts of their applications.
However, sometimes users also need to weigh the use of API services. When you reference a third-party dependency service to your application, this third-party service needs to be highly available, high-speed, portable, capable of delivering high reliability during transmission, and flexible enough to meet your user data model.
Availability and performance are critical because, for a critical system, user authentication and management services are not offline or slow. Caching in the SDK and based on modern cloud computing infrastructure is a good start, but it's important that the service is about to face the worst scenario--for example, the entire data center is going downhill. So you want to make sure that you can get any notifications that you need to build at the top of the user management Service.
https://stormpath.com/resources/security-and-availability/
https://status.stormpath.com/

Data migration is also critical-you can safely migrate user data back and forth. With the ease of writing a script to move unencrypted data to JSON, the ease of porting passwords is heavily dependent on how any existing data is stored. For example Bcrypt is designed to be easily ported because it follows the module encryption format MCF (Modular Crypt format). For many systems and languages, it is possible to construct a hash by looking at the hash value itself. If you build a prototype and do not use services such as Stormpath, we recommend that you start with an MCF hash such as bcrypt-it will be easier to upgrade in the future.
The transport security between the application and the API service is also important. Additional network traffic needs to be secured. For example, Stormpath only supports HTTPS, using a custom Digest authentication algorithm to ensure that it will not be played back and attacked by the middle man. You can learn more about security here. https://stormpath.com/resources/security-and-availability/
The data model used by authorized authentication services is extensive. In the case of Salesforce, its data model differs greatly from the Stormpath data model. It is directory-based and therefore more versatile and more flexible. In-depth understanding of these data models is valuable, especially for multi-tenant applications or SaaS. In addition, the API documentation varies greatly-you should make sure you understand the outline carefully before you try to get things started.