This project aims to explore the concept of authentication (and authorization) in web applications using the MERN stack. Various authentication techniques will be explored, with the aim of creating a possibly solid starting point for future projects. In all solutions care will be taken to prevent the main security problems concerning authentication, ie XSS and CSRF attacks. Here are the techniques that will be covered:
- Standard authentication (username and password) using sessions or jwt tokens.
- Passwordless authentication (email only, with email magic link or code) using jwt tokens.
- Double authentication (email and password, with email magic link or code) using jwt tokens.
- Social authentication (double authentication or Google authentication) using jwt tokens.
At this link there is a demo of "Double authentication". The two-factor authentication is available for up to 50 users per day.
Before starting the project, you need to complete the configuration file associated with the authentication technique you are interested in and rename it (deleting the .example substring). The server config file is located in config/const.example.js. The client config file is located in src/const.example.js (to be changed only for Social autentication).
Server config:
// Session secret
export const sessionSecret = '';Server config:
// Jwt secrets
export const secret = '';
export const csrfSecret = '';Server config:
// Admin info
export const email = '';
// Jwt secrets
export const secret = '';
export const csrfSecret = '';
// Email account
export const emailName = 'AuthTrainer';
export const emailUsername = '';
export const emailPassword = '';
export const emailHost = '';
export const emailPort = 465;
export const emailSecure = true;Server config:
// Admin info
export const email = '';
export const password = '';
// Jwt secrets
export const secret = '';
export const csrfSecret = '';
// Email account
export const emailName = 'AuthTrainer';
export const emailUsername = '';
export const emailPassword = '';
export const emailHost = '';
export const emailPort = 465;
export const emailSecure = true;Server config:
// Admin info
export const email = '';
export const password = '';
// Jwt secrets
export const secret = '';
export const csrfSecret = '';
// Email account
export const emailName = 'AuthTrainer';
export const emailUsername = '';
export const emailPassword = '';
export const emailHost = '';
export const emailPort = 465;
export const emailSecure = true;
// Google
export const GOOGLE_OAUTH_CLIENT_ID = '';
export const GOOGLE_OAUTH_CLIENT_SECRET = '';Client config:
// Google
export const REACT_APP_GOOGLE_OAUTH_CLIENT_ID = '';
export const REACT_APP_GOOGLE_OAUTH_CLIENT_SECRET = '';Google configuration: Setting up Google OAuth 2.0.
Install server and client dependencies:
npm iRun the server and the client:
npm run devTo stop the server run:
npm run endTo go live you need a service like Nginx to serve the client and server content (enable HTTPS... Certbot). Copy the repository to your server and edit the configuration files (client/.../src/const.js and server/.../config/const.js) following the comments.
Build the client:
npm run buildRun the server:
npm run prodserver {
if ($host = www.website.com) {
return 301 https://website.com$request_uri;
}
index index.html index.htm index.nginx-debian.html;
server_name website.com www.website.com;
root /var/www/website.com/client/socialAuth/dist;
# react app
location / {
try_files $uri /index.html;
}
# node server
location /api/ {
proxy_pass http://localhost:8080/;
}
location /socket.io/ {
proxy_pass http://localhost:8080;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}