Search code examples
javascriptnode.jsauthenticationcookiesremember-me

How to securely store logged in user on client?

I'm learning to make a login system by making a simple social media website, the website allows users to make posts, and their followers are then able to see the all of the posts from the users that they follow in a feed.

I've added user login, and when the user logs in I am able to take the users password and username(that they recently typed in) and get the feed for the user matching the entered credentials using an sql command similar to:

SELECT feed FROM users WHERE username = enteredUsername AND password = enteredPassword

then I render these posts on the logged in users feed. What I dont understand is:

A user might want to update their feed, to get the latest posts. But how can I securely make the client remember which user has logged in*, so that I can ask the server for similar data again?

I'm using node.js to host an express.js website with a sqlite database. I was unable to find anything on the internet as I don't really know what to search for, help would be appreciated.

Solution

  • Let me just start with that you should never store user passwords in plain text in your DB. You should use encryption (see: https://www.npmjs.com/package/bcrypt). I understand that you are just learning but it's good to learn best practices from the beginning.

    There is much to unwrap here so I'm just gonna make a short summary and point you into the right direction of research. We store tokens or session cookies on the client to keep track of a logged in user. As your app can use stateful or stateless authentication, there is a decision to be made regarding which is better for your use-case. Since you are just learning maybe start with stateful approach.

    Let's say you already have your username and encrypted password stored in the DB. The simplified login flow of an app based on stateful authentication:

    • User POST's his credentials to the /login route your on server.
    • You query your DB looking for this username/login
    • Then you compare the stored, encrypted password, with the password that was POST'ed also encrypting it using the same method that you used, when you saved the user to the DB (so you basically compare two 'hashes')
    • If the hashes are the same this means that the password provided in the login payload is the same that was provided on the user creation, so we can authenticete the user and start a session for him
    • You set a session cookie in the server response, which gets stored in the client cookies (you can see them in your browser DevTools)
    • Now, on every request that the client makes, the cookie will also be sent to the server automatically, so on routes that need the user to be authenticated, you first check if the session is valid
    • If a user does not have a session cookie stored, or the one that he sent has expired, you can respond with an appropriate message and/or redirect him to the login page

    Check out https://www.npmjs.com/package/express-session package, which may do much of the heavy lifting for you in node/express stack.

    More reading about sessions in node \w express-sessions: https://www.section.io/engineering-education/session-management-in-nodejs-using-expressjs-and-express-session/

    Also you may consider stateless auth with JWT tokens (see: https://www.passportjs.org/packages/passport-http-bearer/)