Express-js Boilerplate with User Authentication

Written by balden | Published 2020/03/26
Tech Story Tags: nodejs | express | mysql | software-development | programming | authentication | user-authentication | expressjs | web-monetization

TLDR Express-js Boilerplate with user authentication system for Expressjs. It uses MySql for user data, and as a session store, too. The authentication system includes: User registration, login based on passport. Forgot – reset password functionality is valid for 1 hour. “Remember me” cookie value, and the “forgot password” key, are treated as passwords, because they are in fact equivalent to passwords. XSRf protection is taken from Brad Traversy’s presentation.via the TL;DR App
I couldn’t find a complete user authentication system for Expressjs, so I wrote this one.
For the impatient, the code resides at Github .
Mysql
It uses MySql for user data, and as a session store, too. I tried to make the code flexible. It’s easy to change MySql for something else.
There is no need to use the same database system for the session store. I did it for simplicity only.
Configuration
It uses .env file for the basic configuration of the application. That is, just editing the .env is enough to have the application up and running.
In addition there are a few configurable parameters in /config directory.
“Remember me” cookie duration.
Session store, session duration.
Email send configuration.
Authentication
The authentication system includes:
1. User registration, login based on passport.
2. Forgot – reset password functionality.
     By default reset password code is valid for 1 hour. Configurable.
3. “Remember me” cookie.
      By default valid for 360 days. Configurable.
4. Two user levels, regular and administrator. Not configurable.
Easy to extend in more levels with some coding.
5. Throttling protection for DOS attacks. Configurable.
      By default it allows two requests per two seconds.
6. Xsrf protection.
Interface
The interface is taken from Brad Traversy’s presentation . I only changed the parts I had to.
I believe it is easy to switch the interface with another one, according to the project requirements.
Registration
When a user is registered in the application he becomes an administrator, if there is no other user in the database.
There is no activation email. Users are active immediately after registration. I didn’t include an activation step, because not all projects need it. It is quite easy to add it, if there is such a requirement. 
Anyway, there is always the administrator to control which users are allowed, and which not.
Dashboard
There is a basic admin dashboard, where the admin can make, or cancel, other admins.
The admins can activate, deactivate other users. There is no user deletion, only deactivation.
Remember me
The remember me cookie does not contain the user ID but the UUID, which carries no useful info for an attacker. This is the only reason to include a UUID in the “users” database table.
The content of the cookie is the UUID and the “remember me” token. The “remember me” token hash is kept in the database. The token is verified
as a password.
The “remember me” cookie value, and the “forgot password” key, are treated as passwords, because they are in fact equivalent to passwords.
Dependencies
I tried to keep the number of dependencies low as possible, to not restrict the developer in the package selection for the main project.
Written by balden | Freelance developer
Published by HackerNoon on 2020/03/26
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy