authentication

[cch5ng]

3 cases to support:

• email and custom password

  • registration

  • login

  • when try to make BE requests, check for valid session (everything but get all questions)

• (low priority) OAuth - google

• (low priority)OAuth - fb

(do I need Auth0 if using passport library?)

[cch5ng]

resource

• http://www.passportjs.org/packages/passport-jwt/

• https://scotch.io/@devGson/api-authentication-with-json-web-tokensjwt-and-passport

  • https://github.com/auth0/node-jsonwebtoken

  • https://github.com/themikenicholson/passport-jwt

  • https://github.com/passport/express-4.x-local-example

  • http://www.passportjs.org/docs/configure/

• (old) https://jonathanmh.com/express-passport-json-web-token-jwt-authentication-beginners/

• http://www.passportjs.org/

• https://jwt.io/introduction/

• https://github.com/auth0/node-jsonwebtoken

• http://www.passportjs.org/packages/passport-http-bearer/

---

• passport currently very cb oriented; request to support promise but not much movement (maintainer works elsewhere); don't think this is dealbreaker but just not ideal

https://github.com/jaredhanson/passport/issues/ 536

[cch5ng]

a little confused about next step b/c passport has so many strategies available; I know I should use jwt but not sure if there is a simple way to use jwt with passport (which one is simple but effective)

status: configuring passport

FEUserTable > findByUserName() and how to use it

[cch5ng]

notes:

• for login auth, passport expects the json to be {username: '', password: ''}; keyed exactly or Bad Request error on post

• if passport-jwt not set up, then passport will give error because default expectation is for server based session (auth)

https://github.com/themikenicholson/passport-jwt/issues/ 117

https://stackoverflow.com/questions/45897044/passport-jwt-401-unauthorized

[cch5ng]

overview: concept of middleware (like passport)

• https://expressjs.com/en/guide/writing-middleware.html

• [x] registration

  • verify that user name does not exist yet

  • test BE register endpoint with unique email and dupe email

  • (X-done) BE registration endpoint and handle

  • (TODO) FE (issue on registration success, redirect to login)

• [x] login

  • success => create/return jwt (client local storage) and FE redirect (X-done on BE side only)

  • X-(DONE) FE

• [x] most BE requests

  • check for valid jwt (generally think jwt should be required on all post requests; maybe the only thing with no session requirement is getting all questions

  • X-(DONE) all endpoints under test (4) ... requires update BE endpoint (to use passport) and FE redux action (to pass token in the header) (done - 4)

  • X-(DONE) one endpoint under question (random)

    • since all questions is generic to all users, probably this should be the default FE view

  • 0-(TODO) think about how to restrict access to FE view /tests/new; probably don't really want to even show this without login?

  • X-(DONE) make a list of all the BE endpoints which require jwt auth

  • X-(DONE) follow up on get all tests (BE partly done using jwt strategy; test to check this is working after FE supports the behavior

  • X-(DONE) follow up on get all tests (FE code to get jwt from localstorage and include in the header of the post request)

• [ ] follow up now there needs to be additional logic that ties custom tests to a user; when a new test is created, it needs to be associated with the current session user (need to be able to access the user id)

• [ ] maybe write up a really short list of items I had to troubleshoot to get jwt strategy working

[cch5ng]

test cases

• define some better cases for findById() in fe_user table; not sure all the cases handling BE responses are broad enough

---

placeholder logic

                    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
                        if (err) {console.error('error', err)}

                        if (decoded) {console.log('jwt is valid')}
                    })

[cch5ng]

closing as merged