Day 45: PassportJS + Express + MongoDB?

Continued my web security studies. I went through the hour-long video on combining it all together to implement authentication/authorization in an app. The video was from the PassportJS playlist. I will be honest, it was a bit hard for me to follow. I probably need to go over it again and ask myself some questions to make sure I am following along.

From what I understand so far in the tutorial, we are using the express-session package to add a middleware function for constructing / managing user session data. We are also using the connect-mongo package to access our MongoDB database to store and pull session data from. Finally we are using the passport package to … Honestly, I am not too sure anymore LOL. The connect-mongo package has some cryptography options so maybe there is some overlap or features that are not utilized. Either way I clearly have made some progress but I haven’t quite put all the pieces together LOL.

TLDR;

Okay, so here are the highlights of what I did:

  • Backend -> Continued studying the concepts mentioned in the web security section. Added to my notes on the connect-mongo package. The last two topics I need to really lock down are how the passport package works as a “framework” for all the different strategies listed and what some of the tenets or principles related to cryptography are. I want to know what I would need to do to uphold industry standards when implementing secure data storage using encryption.

Rough Notes – connect-mongo Package

The connect-mongo package is a MongoDB session store for the connect and express packages. It is written in TypeScript and released under the MIT License.

It connects to a MongoDB database that we designate for storing user session data. Similar to the Mongoose package, it hides the MongoDB driver details for one specific use case: storing and retrieving session data on behalf of express-session.

  • Bugs / Issues
  • Usage
    • Express or Connect integration
    • Connection to MongoDB
  • Syntax / API
  • Events
  • Session expiration
  • Remove expired sessions
    • Set MongoDB to clean expired sessions (default mode)
    • Set the compatibility mode
    • Disable expired sessions cleaning
  • Lazy session update
  • Transparent encryption/decryption of session data
  • Options
    • Connection-related options (required)
    • More options
    • Crypto-related options
  • Development
    • Example application
    • Release

Syntax / API

const express = require("express");
const session = require("express-session");
const MongoStore = require("connect-mongo");

const app = express();

// Basic usage. express-session refuses to start without a secret: it signs
// the session-ID cookie, so load it from configuration, never hardcode it.
// resave/saveUninitialized are set explicitly so express-session does not
// fall back to its deprecated defaults.
app.use(
  session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    store: MongoStore.create({ mongoUrl: "mongodb://localhost/test-app" }),
  })
);

// Advanced usage (an alternative to the block above, not in addition to it).
// Note the credentials embedded in the connection string: in real code they
// belong in configuration, not in source control.
app.use(
  session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    store: MongoStore.create({
      mongoUrl:
        "mongodb://user12345:foobar@localhost/test-app?authSource=admin&w=1",
      mongoOptions: advancedOptions, // MongoClient options object; see below for details
    }),
  })
);

MongoStore.create(options)

Exactly one of the following connection-related options is REQUIRED by MongoStore.create(). If more than one is provided, they take precedence in the order listed (mongoUrl first, then clientPromise, then client).

  • mongoUrl
  • clientPromise
  • client

const MongoStore = require('connect-mongo');

// Every option with its documented default. The three connection options are
// alternatives; only one of them is normally passed.
const options = {
  mongoUrl: 'mongodb://localhost/test-app',   // Priority 1: connection string
  // clientPromise: Promise<MongoClient>,      // Priority 2: a promise resolving to a client
  // client: MongoClient,                      // Priority 3: an already-connected client
  dbName: 'DB-NAME',                // Overrides the database name in the connection string
  mongoOptions: { useUnifiedTopology: true },
  collectionName: 'sessions',
  ttl: 1209600,                     // Time To Live in seconds (14 days)
  autoRemove: 'native',             // 'native' | 'interval' | 'disabled'
  autoRemoveInterval: 10,           // Minutes; only used with autoRemove: 'interval'
  touchAfter: 0,                    // Seconds; > 0 enables lazy session updates
  stringify: true,                  // JSON-stringify session data before storing it
  serialize: undefined,             // Optional hook to transform a session before it is written
  unserialize: undefined,           // Optional hook to transform a session after it is read
  writeOperationOptions: undefined, // Options forwarded to the store's MongoDB write operations
  transformId: undefined,           // Optional hook to derive the storage key from the session ID
  crypto: {
    secret: false,            // false = session data stored in plaintext; a string enables encryption
    algorithm: 'aes-256-gcm',
    hashing: 'sha512',
    encodeas: 'hex',
    key_size: 32,             // bytes
    iv_size: 16,              // bytes
    at_size: 16,              // bytes (GCM authentication tag)
  }
}

MongoStore.create(options)

options.mongoUrl

A connection string for creating a new MongoClient connection. If the database name is not present in the connection string, it should be provided using the options.dbName property.

Note: MongoDB connection strings follow the mongodb:// (or mongodb+srv://) URI format: the scheme, an optional user:password@, one or more hosts, an optional /database, and ?options such as authSource. Anything placed in the string, credentials included, shows up wherever the string is logged or printed, so keep it in configuration rather than in source.

options.clientPromise

A Promise that is resolved with the MongoClient connection. If the connection was established without the database name being present in the connection string, it should be provided using the options.dbName property.

options.client

An existing MongoClient connection. If the connection was established without the database name being present in the connection string, it should be provided using the options.dbName property.

options.dbName

The name of the database used for storing sessions. Can be used with the options.mongoUrl or options.clientPromise properties; the options.dbName value takes precedence over the database name present in the connection string.

options.mongoOptions

Options object for the MongoClient.connect() method. Can be used with the mongoUrl option. The default value is { useUnifiedTopology: true }.

options.collectionName

The name of the collection used for storing sessions. The default is 'sessions'.

options.ttl

The maximum lifetime (in seconds) of a session. It is used to compute the stored expiry when session.cookie.expires is not yet set; when the cookie carries an explicit expires value, that value is used instead. The default is 14 days (1209600 seconds).

options.autoRemove

Behavior for removing expired sessions. Possible values:

  • 'native': rely on a MongoDB TTL index on the expiry field, so the database itself deletes expired session documents.
  • 'interval': compatibility mode for deployments that cannot use TTL indexes; the store periodically deletes expired documents itself, every autoRemoveInterval minutes.
  • 'disabled': the store never deletes expired documents; use this when you manage the TTL index or the cleanup elsewhere.

The default value is 'native'.

options.autoRemoveInterval

Interval (in minutes) used when autoRemove option is set to 'interval'. The default value is 10.
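The options above (ttl, autoRemove, autoRemoveInterval, and touchAfter from the "Lazy session update" section) all describe the store contract that express-session drives: set, get, touch and destroy. As an added example, not connect-mongo's code, here is an in-memory stand-in that implements those semantics with an injected clock (now, in milliseconds since the epoch) so the behaviour can be checked without waiting. The class name, the sweep() method, the cookie-less sample session and the fixed timestamps are my own; the real store's 'native' mode hands deletion to a MongoDB TTL index, so sweep() only models the 'interval' mode.

```javascript
// Added illustration, not connect-mongo's code: an in-memory stand-in for the
// session store showing what ttl, touchAfter and autoRemove mean in terms of the
// methods express-session calls. `now` is an injected clock (ms since epoch);
// a real store would use Date.now().

const DEFAULT_TTL = 14 * 24 * 60 * 60; // 1209600 seconds, the documented default

class MemorySessionStore {
  constructor({ ttl = DEFAULT_TTL, touchAfter = 0, autoRemove = "native" } = {}) {
    this.ttl = ttl;
    this.touchAfter = touchAfter;
    this.autoRemove = autoRemove;
    this.docs = new Map(); // sid -> { session, expires, lastModified }
  }

  // expires comes from cookie.expires when the app set one, else from ttl.
  computeExpires(session, now) {
    if (session.cookie && session.cookie.expires) {
      return new Date(session.cookie.expires).getTime();
    }
    return now + this.ttl * 1000;
  }

  set(sid, session, now) {
    this.docs.set(sid, {
      session: JSON.parse(JSON.stringify(session)), // what stringify: true amounts to
      expires: this.computeExpires(session, now),
      lastModified: now,
    });
  }

  // An expired document is never handed back, whether or not a cleanup job has
  // removed it yet. This check is what keeps autoRemove: 'disabled' from
  // resurrecting old sessions.
  get(sid, now) {
    const doc = this.docs.get(sid);
    if (!doc || doc.expires <= now) return null;
    return doc.session;
  }

  // Lazy update: express-session calls touch() on every request. With
  // touchAfter > 0 the write is skipped unless that many seconds have passed
  // since the last one. Returns true only when the expiry was actually refreshed.
  touch(sid, session, now) {
    const doc = this.docs.get(sid);
    if (!doc) return false;
    if (this.touchAfter > 0 && now - doc.lastModified < this.touchAfter * 1000) {
      return false;
    }
    doc.expires = this.computeExpires(session, now);
    doc.lastModified = now;
    return true;
  }

  destroy(sid) {
    return this.docs.delete(sid);
  }

  // Models the 'interval' mode: a periodic sweep like the one the real store
  // runs every autoRemoveInterval minutes. 'native' delegates this to a MongoDB
  // TTL index instead; 'disabled' never removes anything. Returns the count removed.
  sweep(now) {
    if (this.autoRemove === "disabled") return 0;
    let removed = 0;
    for (const [sid, doc] of this.docs) {
      if (doc.expires <= now) {
        this.docs.delete(sid);
        removed++;
      }
    }
    return removed;
  }

  size() {
    return this.docs.size;
  }
}

// Constructed walk-through with a fixed clock: 1 hour ttl, lazy updates at most
// every 10 minutes, interval-style cleanup.
function demo() {
  const t0 = Date.parse("2021-06-01T00:00:00Z");
  const minute = 60 * 1000;
  const store = new MemorySessionStore({ ttl: 3600, touchAfter: 600, autoRemove: "interval" });
  const session = { cookie: { httpOnly: true, secure: true }, passport: { user: "u1" } };

  store.set("sid-1", session, t0);
  const refreshedTooSoon = store.touch("sid-1", session, t0 + 5 * minute);   // skipped: < touchAfter
  const refreshed = store.touch("sid-1", session, t0 + 30 * minute);         // written: expiry now t0+90min
  const stillValid = store.get("sid-1", t0 + 80 * minute) !== null;          // ttl restarted at 30min
  const expired = store.get("sid-1", t0 + 120 * minute) === null;            // past t0+90min
  const removed = store.sweep(t0 + 120 * minute);
  return { refreshedTooSoon, refreshed, stillValid, expired, removed, left: store.size() };
}
```

The walk-through makes the trade-off in touchAfter visible: a lazy update saves a database write per request, but it also means a session's sliding expiry only moves forward once per touchAfter window, so set it well below ttl or active users will be logged out mid-session.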


Goal For Round 8 of the #100DaysofCode Challenge

This is my eighth round of the “#100daysofcode” challenge. I will be continuing my work from round five, six, and seven into round eight. I was working through the book “Cracking the Coding Interview” by Gayle Laakmann McDowell. My goal was to become more familiar with algorithms and data structures. This goal was derived from my goal to better understand operating systems and key programs that I use in the terminal regularly e.g. Git. This goal was in turn derived from my desire to better understand the fundamental tools used for coding outside of popular GUIs. This in turn was derived from my desire to be a better back-end developer.

I am currently putting a pause on the algorithm work to build some backend/full stack projects. I primarily want to improve my skills with the back-end from an implementation perspective. I have improved tremendously in terminal and CLI skills but I lost focus due to how abstract the algorithm concepts got. I wanted to work on things that were more tangible until I can get to a position where I could directly benefit from improving my algorithm skills and theoretical knowledge. So that’s the focus right now. Build my backend skills and prove my full stack capabilities by building some dope projects.

Again, I still have no idea if my path is correct but I am walking down this road anyways. Worst case scenario, I learn a whole bunch of stuff that will help me out on my own personal projects. Best case scenario, I actually become one of those unicorn developers that go on to start a billion dollar company… You never know LOL.