Continued my web security studies. Reading through the codebase for the PassportJS package. Still trying to breakdown the PassportJS software design. I am making steady progress but there have been more than few hiccups. I am however starting to get familiar with the syntax and code patterns being employed in the package. I don’t necessarily agree with all of the patterns but I understand what they are doing which is a step in the right direction.
I have been following all the operations that take place when the PassportJS package is imported into another JavaScript module. That journey starts with the construction of the Authenticator class instance and everything that comes with it. I have been following that construction process through the code by then looking at all the branch operations taking place as a result of that construction.
I am almost done with this process but I got side-tracked by the core authenticate middleware. You see it is a bit confusing because a lot of the classes used in this library contain an authenticate method but how they all work together is a still a bit confusing to me. I have some more work to do but this has honestly been a great experience so far.
TLDR;
Okay, so here are the highlights of what I did:
- Backend -> Continued studying the concepts mentioned in the web security section. I continued reading through the package’s code base to fill in some of the gaps that are not fully covered in the documentation. The goal is to finish compiling all the information in this docs page as well as all the other examples and sources to construct my own notes that ensure this framework is clear and easy for me to use in the future. Continued working through the codebase while writing notes on the design of the package.
Passport Package Breakdown Notes – Update
Understanding What Is Happening
The strategy for breaking down packages or projects like this is to look at the modules that have no external dependencies first. That way we can work up from there with knowledge on how the required dependencies are being used in the more complex modules. The modules that have no dependencies are:
- http/request.js -> Exports a nameless object with methods
login,logout,isAuthenticated, andisUnAuthenticated. - errors/authenticationerror.js -> Exports the AuthenticationError class/Constructor Function
When import passport package:
1. We get a new instance of the Passport i.e. Authenticator class
- What comes with that instance:
Instance Properties: {
_key: 'passport'
_strategies: {}
_deserializers: []
_infoTransformers: []
_framework: null
}
Class Methods: {
init: () => null
use: (name, strategy)=> Passport Instance that called it i.e. `this`
unuse: (name) => Passport Instance that called it i.e. `this`
framework: (framework) => Passport Instance that called it i.e. `this`
initialize: (options) => this._framework.initialize(this, options)
authenticate: (strategy, options, callback) => this._framework.authenticate(this, strategy, options, callback)
authorize: (strategy, options, callback) => {fn = this._framework.authorize || this._framework.authenticate;
return fn(this, st, op, cb) }
session: (options) => this.authenticate('session', options)
serializeUser: (fn, req, done) => this._serializers.push(fn) || done(error) || null
deserializeUser: (fn, req, done) => this._deserializers.push(fn) || done(error) || null
transformAuthInfo: (fn, req, done) => this._infoTransformers.push(fn) || done(error) || done(error, tinfo) || done(null, info)
_strategy: (name) => this._strategies[name]
}
- When it get's constructed it automatically calls it's init method, which:
1. Calls the Passport `Instance.framework()` inherited method which sets the Passport Instance._framework property to
an object with an `initialize` and `authenticate` property derived from the
middleware/{initialize,authenticate}.js modules respectively.
2. Calls the Passport `Instance.use()` inherited method to add a new strategy to the `Instance._strategies` object. A
new instance of the `SessionStrategy` class is constructed with an options object and the `Instance.deserializeUser`
method passed in as the parameters. The `deserializeUser` method's `this` is bound to the Passport Instance before
being provided as a function for the new Instance of the `SessionStrategy` class constructor.
A. The `SessionStrategy` class Instance is constructed to have:
Instance Properties (SessionStrategy): {
name: 'session'
_key: options.key || 'passport'
_deserializeUser: (fn, req, done) => this._deserializers.push(fn) || done(error) || null
error: () => *FILL IN* // Set on all Passport Instance Strategies when
// the `middleware/authenticate.js` module function is run.
pass: () => *FILL IN* // Set on all Passport Instance Strategies when
// the `middleware/authenticate.js` module function is run.
success: () => *FILL IN* // Set on all Passport Instance Strategies when
// the `middleware/authenticate.js` module function is run.
}
Class Methods: {
authenticate: (req, options) => new Error || self.error(err) //?? Not sure when it got an error method?
}
- It is also constructed to be a child class of the `Strategy` class from the `passport-strategy` node
modules package. The `Strategy` class does not do anything besides having a class method called
`authenticate` that will throw an error if not overridden by a child class method with the same name.
the `authenticate` method is a bit weird it references things that have not been declared yet to my knowledge.
3. Adds and sets the Passport `Instance._sm` property to a new instance of the `SessionManager` class.
Goal For Round 8 of the #100DaysofCode Challenge
This is my eighth round of the “#100daysofcode” challenge. I will be continuing my work from round five, six, and seven into round eight. I was working through the book “Cracking the Coding Interview” by Gayle Laakmann McDowell. My goal was to become more familiar with algorithms and data structures. This goal was derived from my goal to better understand operating systems and key programs that I use in the terminal regularly e.g. Git. This goal was in turn derived from my desire to better understand the fundamental tools used for coding outside of popular GUIs. This in turn was derived from my desire to be a better back-end developer.
I am currently putting a pause on the algorithm work to build some backend/full stack projects. I primarily want to improve my skills with the back-end from an implementation perspective. I have improved tremendously in terminal and CLI skills but I lost focus due to how abstract the algorithm concepts got. I wanted to work on things that were more tangible until I can get to a position where I could directly benefit from improving my algorithm skills and theoretical knowledge. So that’s the focus right now. Build my backend skills and prove my full stack capabilities by building some dope projects.
Again, I still have no idea if my path is correct but I am walking down this road anyways. Worst case scenario I learn a whole bunch of stuff that will help me out on my own personal projects. Best case scenario I actually become one of those unicorn developers that go on to start a billion dollar company… You never know LOL.