I've spent a long time now trying to find a simple way to password-protect a site built with Express (4) but I've been unable to find a tutorial or module which would help. What there seems to be out there are either complicated, full-blown user registration/login procedures using passport, or too simple and insecure HTTP basic authentication (like this one) without any kind of session support (and lots of variations on the above themes).
All I'm looking for is something which would redirect the index page to a login page, unless logged in, with some kind of log out option with session support. I don't need a database and I'd be happy to hard code user-password combos, as long as they are relatively secure.
Are there any kind of resources out there that would help with this?
Any help or pointers would be greatly appreciated.
You could still use passport together with passport-local and write your own authentication handler as shown in the passport-local docs. A authentication handler implementation could look like this
var LocalStrategy = require('passport-local').Strategy;
var users = {
'mike' : 'secret'
};
passport.use(new LocalStrategy(
function(username, password, done) {
if (!users[username] || users[username] != password) {
return done(null, false);
}
return done(null, { username : username });
}
));
This approach stores passwords in plain text in your source code, which is not good nor recommendable.
To extend the above implementation to support hashed (and salted) passwords you could take a look at passport-local-mongoose authenticate function implementation.
The big pro of using the passport.js approach is that you can migrate to another authentication mechanism in future and that passport.js handles all the nasty stuff like checking if a user is not authenticated.