Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
549 views
in Technique[技术] by (71.8m points)

express - Basics of Passport Session (expressjs)-why do we need to serialize and deserialize?

What is the use of serialize and deserialize methods in passport-authentication.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I had a hard time wrapping my head around it.But this is what i got, hope it saves your time.

There are two ways you could interact with the server to provide access to restricted information which requires authentication. 1.cookies and 2.sessions

Long story short- cookies are unsafe as it remains on the client side and can be accessed and manipulated.

But when it comes to sessions the session id (to be explained) gets saved in the server, thus making it a safe bet.

This is how the process goes with the passport middleware:

  1. Login info passed (username & password)
  2. Passport Authenticate(local strategy) gets executed to check if username and password is valid.
  3. DONE callback with Null (no error) and USER(from database) will be returned ? if username and password is VALID.

4.SERIALIZE When Authentication is valid SERIALIZE METHOD IS EXECUTED (to begin a session) (which uses whatever parameter is passed in the definition of the method ) usually User.id is saved and is verified each time a request is sent.

passport.serializeUser(function(user, done) { done(null, user._id); })

In the above method, user object is passed and user._id is saved as a key in the server. This means that this key(user.id) would be used to maintain the session.

This is done by saving the user._id in the req.passport.session.user ={_id : …}….(explained after Deserialize)

5.DESERIALIZE Serialize method is executed only once after authentication, and later on, for subsequent requests the DESERIALIZE METHOD gets executed which maintains the session in which the User.id is passed to maintain the session as illustrated below. ( till the browser is open*) .

passport.deserializeUser(function(id, done){…})

user object is returned in the callback and is attached to the request as req.user.

AUTHENTICATION / NO AUTHENTICATION:

Do you remember the passport.initialize middleware and the passport.session middleware in App.js

The passport.initialize middleware is executed on every request. After which the passport.session middleware would look for a serialized user on the server.

If no user authentication has been done an empty object is created (req.session.passport.user) where the serialized user would be loaded.

req.session.passport.user = {}.

But when authentication has been done and Passport.Authenticate has returned a VALID USER in the done callback (username and password match case), then

req.session.passport.user = user._id

User._id is passed to req.session.passport.user

This Id will be present attached to the session (req.sesssion.passport.user) when passport.initialize is executed the next time in subsequent requests.

After initialize method finds the id in the session it performs the deserialize method & the User information is loaded to the request through req.user .

Please do suggest edits or additions to this answer.-PVTHOMAS


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...