https://blog.iankulin.com/tags/bcrypt/Recent content in Bcrypt on blog.iankulin.comHugoen-AUMon, 19 Aug 2024 00:00:00 +0000https://blog.iankulin.com/authentication-basics-for-node-apps/Mon, 19 Aug 2024 00:00:00 +0000https://blog.iankulin.com/authentication-basics-for-node-apps/<p><a href="https://unsplash.com/photos/calahorra-tower-torre-de-la-calahorra-in-cordoba-spain-a-fortified-gate-built-during-the-late-12th-century-by-the-almohads-to-protect-the-nearby-roman-bridge-in-the-historic-center-of-cordoba-andalusia-spain-ECsukeqrDoo"><img src="https://blog.iankulin.com/images/screen-shot-2024-08-10-at-8.59.01-pm.jpg" alt=""></a></p> <p>Pretty much every serious web app needs to include a way for users to log in securely and to be served their content. Since there&rsquo;s a lot of complexity in this, it&rsquo;s highly advisable to use good libraries to support this. In a future post we&rsquo;re going to use those libraries, but first I want to explain what&rsquo;s happening at the lower level and tease out some of the concepts as we build a secure system from the ground up.</p> <h3 id="http">HTTP</h3> <p>Before we dive into our authentication story, it&rsquo;s worth thinking about how HTTP works and putting some names to things. We often don&rsquo;t think too much about this level because the mechanics are most abstracted away for us by libraries such as express.js.</p> <p>A HTTP <em>request</em> is just a bunch of lines of text arriving at TCP port 80. It&rsquo;s an agreed on <a href="https://www.rfc-editor.org/rfc/rfc9110.html#name-example-message-exchange">Internet standard</a> originally written by <a href="https://en.wikipedia.org/wiki/Tim_Berners-Lee">Tim Berners-Lee</a>. The request will include the type of request it is (GET, POST etc), the resource being requested (usually a web-page) - these make up the <em>request line</em>. Then there will be some lines of data called the <em>header</em> that might include things like the type of browser making the request, and optionally a <em>body</em> of the request. The body might contain form data being submitted or a JSON description of an object. If there is a body, there will be a blank line separating it from the header.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>GET /hello.txt HTTP/1.1 </span></span><span style="display:flex;"><span>User-Agent: curl/7.64.1 </span></span><span style="display:flex;"><span>Host: www.example.com </span></span><span style="display:flex;"><span>Accept-Language: en, mi </span></span></code></pre></div><p>Similarly, the HTTP <em>response</em> is just some lines of text. A <em>status line</em> (which includes the famous <em>status code</em> such as 404), some <em>headers</em> and the <em>body</em>.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>HTTP/1.1 200 OK </span></span><span style="display:flex;"><span>Date: Mon, 27 Jul 2009 12:28:53 GMT </span></span><span style="display:flex;"><span>Server: Apache </span></span><span style="display:flex;"><span>Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT </span></span><span style="display:flex;"><span>ETag: &#34;34aa387-d-1568eb00&#34; </span></span><span style="display:flex;"><span>Accept-Ranges: bytes </span></span><span style="display:flex;"><span>Content-Length: 51 </span></span><span style="display:flex;"><span>Vary: Accept-Encoding </span></span><span style="display:flex;"><span>Content-Type: text/plain </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>Hello World! My content includes a trailing CRLF. </span></span></code></pre></div><h3 id="sessions">Sessions</h3> <p>A web app might be serving thousands of users, so we need some way for the server to know which user it is talking to. If our app is a todo list, we don&rsquo;t want to be showing Jane&rsquo;s todo items to Fred - each user only wants to see their own items. A common way of doing this is that the browser making requests to the server could send a bit of text along with each request. These little bits of text are called &lsquo;cookies&rsquo;.</p> <p>In a very simple example, the cookie could contain the name of our user - for example &lsquo;Fred&rsquo; or &lsquo;Jane&rsquo;. Then when the server received each request, it could read the cookie to know which user was making the request. Here&rsquo;s our code:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;express&#39;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to handle requests </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;/&#39;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>headers<span style="color:#81a1c1">.</span>cookie <span style="color:#81a1c1">&amp;&amp;</span> req<span style="color:#81a1c1">.</span>headers<span style="color:#81a1c1">.</span>cookie<span style="color:#81a1c1">.</span>includes<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;name=Fred&#39;</span><span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;Hello Fred!&#39;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>headers<span style="color:#81a1c1">.</span>cookie <span style="color:#81a1c1">&amp;&amp;</span> req<span style="color:#81a1c1">.</span>headers<span style="color:#81a1c1">.</span>cookie<span style="color:#81a1c1">.</span>includes<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;name=Jane&#39;</span><span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;Hello Jane!&#39;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#39;Hello stranger!&#39;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>The cookie is just a line of text included in the header of the request. Perhaps the request looks like this:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Accept: application/json, text/plain, */* </span></span><span style="display:flex;"><span>Cookie: name=Fred </span></span><span style="display:flex;"><span>User-Agent: axios/1.5.1 </span></span><span style="display:flex;"><span>Accept-Encoding: gzip, compress, deflate, br </span></span><span style="display:flex;"><span>Host: 127.0.0.1:3000 </span></span></code></pre></div><p>At the user&rsquo;s end the cookie is probably stored in an sqlite database - this implementation detail is left up to the browser. When the users browser sends the request, it checks to see if it&rsquo;s got a cookie for this host and encodes it into the header of the request.</p> <h4 id="testing-this-code">Testing this code</h4> <p>There&rsquo;s no simple way to test the server code above since regular browsers don&rsquo;t allow us to set the cookie values. There are however a number of tools that can send customised requests. Some examples of these API testing tools are <a href="https://www.postman.com/">Postman</a> and Insomnia. Since the <a href="https://news.ycombinator.com/item?id=37680126">Insomnia rug-pull</a>, I&rsquo;ve been a big fan of <a href="https://www.usebruno.com/">Bruno</a>.</p> <p>All of these tools allow you to specify the URL, the type of request, and any header or body to go with it. They can make the call to the server and show the results.</p> <img src="https://blog.iankulin.com/images/brunoexample.png" width="1000" alt=""> <h3 id="setting-a-cookie">Setting a Cookie</h3> <p>Our server as it stands at the moment is not very secure. Any hacker can just change the value of the cookie to see the content intended for Fred or Jane. We&rsquo;ll get to authentication eventually, and when we do, we&rsquo;ll need to be able to <em>set</em> a cookie in the client. How does that work?</p> <p>Again, we&rsquo;ll npm install a little library to assist us. <a href="https://github.com/expressjs/cookie-parser#readme">cookie-parser</a> is some middleware that lets us easily work with cookies. For the demonstration we&rsquo;ll just add some routes to set the name to &lsquo;Jane&rsquo; or to clear it. Setting it to &lsquo;Jane&rsquo; will look like this:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>// Route to set a cookie for &#39;Jane&#39; </span></span><span style="display:flex;"><span>app.get(&#34;/setuserjane&#34;, (req, res) =&gt; { </span></span><span style="display:flex;"><span> res.cookie(&#34;name&#34;, &#34;Jane&#34;); // Set a cookie named &#39;name&#39; with value &#39;Jane&#39; </span></span><span style="display:flex;"><span> res.send(&#34;Cookie set for Jane&#34;); </span></span><span style="display:flex;"><span>}); </span></span></code></pre></div><p>And clearing it, like this:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>// Route to clear the &#39;name&#39; cookie </span></span><span style="display:flex;"><span>app.get(&#34;/clearuser&#34;, (req, res) =&gt; { </span></span><span style="display:flex;"><span> res.clearCookie(&#34;name&#34;); </span></span><span style="display:flex;"><span> res.send(&#34;Cookie cleared&#34;); </span></span><span style="display:flex;"><span>}); </span></span></code></pre></div><p>And since we&rsquo;re using cookie-parser, we may as well use it for reading the cookie to tidy things up a bit as well</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> cookieParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;cookie-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> cookie middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>cookieParser<span style="color:#eceff4">());</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>cookies<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">===</span> <span style="color:#a3be8c">&#34;Fred&#34;</span><span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello Fred!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>cookies<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">===</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello Jane!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello stranger!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to set a cookie <span style="color:#81a1c1;font-weight:bold">for</span> <span style="color:#a3be8c">&#39;Jane&#39;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/setuserjane&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>cookie<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;name&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Cookie set for Jane&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to clear the <span style="color:#a3be8c">&#39;name&#39;</span> cookie </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/clearuser&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>clearCookie<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;name&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Cookie cleared&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>With this code, we can just use a regular browser for testing. Visiting <code>127.0.0.1:3000/clearuser</code> will delete the <code>name</code> cookie, which we could test by visiting <code>127.0.0.1:3000</code> and getting the &ldquo;Hello stranger!&rdquo; message. If we then go to <code>127.0.0.1:3000/setuserjane</code> and back to <code>127.0.0.1:3000</code> we&rsquo;ll see &ldquo;Hello Jane!&rdquo;.</p> <h3 id="session-id">Session ID</h3> <p>Clearly this setup is still insecure since a hacker can easily just include a name cookie to pretend to be any particular user. A better system would be to store a unique ID in the cookie, then match that internally to a particular user. This means we&rsquo;d have to maintain the links between each GUID and user on the server, but it would massively reduce the chance of a hacker being able to pretend to be a particular user since the chance of correctly guessing a GUID would be very low.</p> <p>Let&rsquo;s think about what we&rsquo;d need to do to make this work for /setuserjane.</p> <ul> <li>generate a unique ID</li> <li>save that ID along with &lsquo;Jane&rsquo; in the local store</li> <li>save the UID to the cookie to go back to the browser</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/setuserjane&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> sessionId <span style="color:#81a1c1">=</span> uuidv4<span style="color:#eceff4">();</span> <span style="color:#81a1c1">//</span> Generate a new GUID </span></span><span style="display:flex;"><span> sessions<span style="color:#81a1c1">.</span>push<span style="color:#eceff4">({</span> sessionId<span style="color:#eceff4">,</span> name<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span> <span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>cookie<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;sessionId&#34;</span><span style="color:#eceff4">,</span> sessionId<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session set for Jane&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>Then when we needed to check who the user was at a route, we&rsquo;d need to:</p> <ul> <li>extract the session ID from the cookie if there is one</li> <li>look it up in the server&rsquo;s session store</li> <li>use that to identify the name</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> sessionId <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>cookies<span style="color:#81a1c1">.</span>sessionId<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> session <span style="color:#81a1c1">=</span> sessions<span style="color:#81a1c1">.</span>find<span style="color:#eceff4">(</span>s <span style="color:#81a1c1">=&gt;</span> s<span style="color:#81a1c1">.</span>sessionId <span style="color:#81a1c1">===</span> sessionId<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>session<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Hello <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">}</span><span style="color:#81a1c1">!</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello stranger!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>Here&rsquo;s the whole thing. The store of session id:name keypairs is just an array of objects (so it will be wiped on every server restart), and we&rsquo;re using the uuid library to generate globally unique ids.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> cookieParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;cookie-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> v4<span style="color:#eceff4">:</span> uuidv4 <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;uuid&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> cookie middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>cookieParser<span style="color:#eceff4">());</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> <span style="color:#bf616a">Array</span> to store session objects </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> sessions <span style="color:#81a1c1">=</span> <span style="color:#eceff4">[];</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> sessionId <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>cookies<span style="color:#81a1c1">.</span>sessionId<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> session <span style="color:#81a1c1">=</span> sessions<span style="color:#81a1c1">.</span>find<span style="color:#eceff4">(</span>s <span style="color:#81a1c1">=&gt;</span> s<span style="color:#81a1c1">.</span>sessionId <span style="color:#81a1c1">===</span> sessionId<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>session<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Hello <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">}</span><span style="color:#81a1c1">!</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello stranger!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to set a session <span style="color:#81a1c1;font-weight:bold">for</span> <span style="color:#a3be8c">&#39;Jane&#39;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/setuserjane&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> sessionId <span style="color:#81a1c1">=</span> uuidv4<span style="color:#eceff4">();</span> <span style="color:#81a1c1">//</span> Generate a new GUID </span></span><span style="display:flex;"><span> sessions<span style="color:#81a1c1">.</span>push<span style="color:#eceff4">({</span> sessionId<span style="color:#eceff4">,</span> name<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span> <span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>cookie<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;sessionId&#34;</span><span style="color:#eceff4">,</span> sessionId<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session set for Jane&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to clear the session </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/clearuser&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> sessionId <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>cookies<span style="color:#81a1c1">.</span>sessionId<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> index <span style="color:#81a1c1">=</span> sessions<span style="color:#81a1c1">.</span>findIndex<span style="color:#eceff4">(</span>s <span style="color:#81a1c1">=&gt;</span> s<span style="color:#81a1c1">.</span>sessionId <span style="color:#81a1c1">===</span> sessionId<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>index <span style="color:#81a1c1">!==</span> <span style="color:#81a1c1">-</span><span style="color:#b48ead">1</span><span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> sessions<span style="color:#81a1c1">.</span>splice<span style="color:#eceff4">(</span>index<span style="color:#eceff4">,</span> <span style="color:#b48ead">1</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>clearCookie<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;sessionId&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session cleared&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><h2 id="express-session">express-session</h2> <p>The code above is a great improvement, however in practice, instead of managing session ids ourselves, we&rsquo;d make use of express-session. Although general good practice is to avoid dependencies, when we&rsquo;re working with security related code, it&rsquo;s often advisable to use a trusted library since they will have already dealt with a lot of the edge cases and potential weaknesses.</p> <p>This is the case with <code>express-session</code> which does basically what we have above, but also deals with potential cross-site scripting, regenerates session id&rsquo;s to avoid fixation attacks, and signs the cookies to reduce the chance of session data being tampered with. express-session will also handle the storage for the key value pairs for us.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> cookieParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;cookie-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> session <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express-session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> cookie middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>cookieParser<span style="color:#eceff4">());</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> session middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> session<span style="color:#eceff4">({</span> </span></span><span style="display:flex;"><span> secret<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;REtKU9xyvahuHGd3&#34;</span><span style="color:#eceff4">,</span> <span style="color:#81a1c1">//</span> Replace with a strong secret key </span></span><span style="display:flex;"><span> resave<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> saveUninitialized<span style="color:#eceff4">:</span> <span style="color:#81a1c1">true</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> cookie<span style="color:#eceff4">:</span> <span style="color:#eceff4">{</span> secure<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">},</span> <span style="color:#81a1c1">//</span> Set to <span style="color:#81a1c1">true</span> <span style="color:#81a1c1;font-weight:bold">if</span> using HTTPS </span></span><span style="display:flex;"><span> <span style="color:#eceff4">})</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Hello <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">}</span><span style="color:#81a1c1">!</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Hello stranger!&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to set a session <span style="color:#81a1c1;font-weight:bold">for</span> <span style="color:#a3be8c">&#39;Jane&#39;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/setuserjane&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session set for Jane&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to clear the session </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/clearuser&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>destroy<span style="color:#eceff4">((</span>err<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>err<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Error clearing session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session cleared&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><h3 id="authentication-flow">Authentication flow</h3> <p>Everyone in the world by now is familiar with having to use a username and password to sign into a web app and use it. If we think about how that is going to work with the session ID, it would be something like this:</p> <ul> <li>When a user tries to access a route that needs authorisation, we check the session object to see if there&rsquo;s a logged in user attached to it.</li> <li>If there is, then the route is served, if not they are redirected to a log in page</li> <li>At the log in page, we take a username and password, and check it against an internal store. If they match, we update the session to identify the user</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>app.get(&#34;/&#34;, (req, res) =&gt; { </span></span><span style="display:flex;"><span> if (req.session.name) { </span></span><span style="display:flex;"><span> res.send(`Hello ${req.session.name}!`); </span></span><span style="display:flex;"><span> } else { </span></span><span style="display:flex;"><span> res.render(&#34;login.ejs&#34;); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>}); </span></span></code></pre></div><p>I&rsquo;m using the EJS templating system for this app because it will be handy for later. I&rsquo;m not going to explain it more here other than to say you can just imagine the above is loading the login form HTML. In fact, it just looks like this:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>&lt;!DOCTYPE html&gt; </span></span><span style="display:flex;"><span>&lt;html lang=&#34;en&#34;&gt; </span></span><span style="display:flex;"><span> &lt;head&gt; </span></span><span style="display:flex;"><span> &lt;meta charset=&#34;UTF-8&#34; /&gt; </span></span><span style="display:flex;"><span> &lt;meta name=&#34;viewport&#34; content=&#34;width=device-width, initial-scale=1.0&#34; /&gt; </span></span><span style="display:flex;"><span> &lt;title&gt;Login&lt;/title&gt; </span></span><span style="display:flex;"><span> &lt;/head&gt; </span></span><span style="display:flex;"><span> &lt;body&gt; </span></span><span style="display:flex;"><span> &lt;h1&gt;Login&lt;/h1&gt; </span></span><span style="display:flex;"><span> &lt;form action=&#34;/login&#34; method=&#34;post&#34;&gt; </span></span><span style="display:flex;"><span> &lt;div&gt; </span></span><span style="display:flex;"><span> &lt;label for=&#34;username&#34;&gt;Username:&lt;/label&gt; </span></span><span style="display:flex;"><span> &lt;input type=&#34;text&#34; id=&#34;username&#34; name=&#34;username&#34; /&gt; </span></span><span style="display:flex;"><span> &lt;/div&gt; </span></span><span style="display:flex;"><span> &lt;div&gt; </span></span><span style="display:flex;"><span> &lt;label for=&#34;password&#34;&gt;Password:&lt;/label&gt; </span></span><span style="display:flex;"><span> &lt;input type=&#34;password&#34; id=&#34;password&#34; name=&#34;password&#34; /&gt; </span></span><span style="display:flex;"><span> &lt;/div&gt; </span></span><span style="display:flex;"><span> &lt;button type=&#34;submit&#34;&gt;Login&lt;/button&gt; </span></span><span style="display:flex;"><span> &lt;/form&gt; </span></span><span style="display:flex;"><span> &lt;/body&gt; </span></span><span style="display:flex;"><span>&lt;/html&gt; </span></span></code></pre></div><p>This form posts to the /login route, which looks like this:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>post<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/login&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">,</span> password <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>body<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>username <span style="color:#81a1c1">===</span> <span style="color:#a3be8c">&#34;demo&#34;</span> <span style="color:#81a1c1">&amp;&amp;</span> password <span style="color:#81a1c1">===</span> <span style="color:#a3be8c">&#34;password&#34;</span><span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> username<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Logged in&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Invalid username or password&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>It extracts the user name and password from the body of the request (ie from the form). If they are a match, then it sets &ldquo;name&rdquo; in the session which signifies to the rest of the app that we are validly logged in.</p> <p>To log out, we just tell express-session to destroy the session:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>app.get(&#34;/logout&#34;, (req, res) =&gt; { </span></span><span style="display:flex;"><span> req.session.destroy((err) =&gt; { </span></span><span style="display:flex;"><span> if (err) { </span></span><span style="display:flex;"><span> res.send(&#34;Error clearing session&#34;); </span></span><span style="display:flex;"><span> } else { </span></span><span style="display:flex;"><span> res.send(&#34;Session cleared&#34;); </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> }); </span></span><span style="display:flex;"><span>}); </span></span></code></pre></div><h3 id="tidy-up">Tidy up</h3> <p>We just need a bit of refactoring before we move on. Currently our <code>/login</code> route only allows a single user, and is not great to read, let&rsquo;s change it to:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>post<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/login&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">,</span> password <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>body<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> username<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Logged in&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Invalid username or password&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>That&rsquo;s better, and for the isValidCredentials() we&rsquo;ll check against an array of objects like so:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> validCredentials <span style="color:#81a1c1">=</span> <span style="color:#eceff4">[</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;demo&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Fred&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">];</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>function isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">return</span> validCredentials<span style="color:#81a1c1">.</span>some<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">(</span>cred<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> cred<span style="color:#81a1c1">.</span>username <span style="color:#81a1c1">===</span> username <span style="color:#81a1c1">&amp;&amp;</span> cred<span style="color:#81a1c1">.</span>password <span style="color:#81a1c1">===</span> password </span></span><span style="display:flex;"><span> <span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">}</span> </span></span></code></pre></div><p>If you haven&rsquo;t met the JavaScript <code>.some()</code> method, it&rsquo;s used to run a callback function against the elements in an array until it returns true or comes to the end of an array.</p> <p>We&rsquo;ve made a few changes, lets revisit the complete server.js code:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1">//</span> npm install cookie<span style="color:#81a1c1">-</span>parser express express<span style="color:#81a1c1">-</span>session </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> cookieParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;cookie-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> session <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express-session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> bodyParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;body-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Set up view engine </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;view engine&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;ejs&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>cookieParser<span style="color:#eceff4">());</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>bodyParser<span style="color:#81a1c1">.</span>urlencoded<span style="color:#eceff4">({</span> extended<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">}));</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> session middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> session<span style="color:#eceff4">({</span> </span></span><span style="display:flex;"><span> secret<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;REtKU9xyvahuHGd3&#34;</span><span style="color:#eceff4">,</span> <span style="color:#81a1c1">//</span> Replace with a strong secret key </span></span><span style="display:flex;"><span> resave<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> saveUninitialized<span style="color:#eceff4">:</span> <span style="color:#81a1c1">true</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> cookie<span style="color:#eceff4">:</span> <span style="color:#eceff4">{</span> secure<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">},</span> <span style="color:#81a1c1">//</span> Set to <span style="color:#81a1c1">true</span> <span style="color:#81a1c1;font-weight:bold">if</span> using HTTPS </span></span><span style="display:flex;"><span> <span style="color:#eceff4">})</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Hello <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">}</span><span style="color:#81a1c1">!</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>render<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;login.ejs&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to clear the session </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/logout&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>destroy<span style="color:#eceff4">((</span>err<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>err<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Error clearing session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session cleared&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> validCredentials <span style="color:#81a1c1">=</span> <span style="color:#eceff4">[</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;demo&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Fred&#34;</span><span style="color:#eceff4">,</span> password<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;password&#34;</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">];</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>function isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">return</span> validCredentials<span style="color:#81a1c1">.</span>some<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">(</span>cred<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> cred<span style="color:#81a1c1">.</span>username <span style="color:#81a1c1">===</span> username <span style="color:#81a1c1">&amp;&amp;</span> cred<span style="color:#81a1c1">.</span>password <span style="color:#81a1c1">===</span> password </span></span><span style="display:flex;"><span> <span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>post<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/login&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">,</span> password <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>body<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> username<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Logged in&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Invalid username or password&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><h4 id="plaintext-passwords">Plaintext passwords</h4> <p>It&rsquo;s a bad idea to ever store passwords in plaintext anywhere. A solution for this is to hash the password before storing it, then when we need to test a password a user has entered, we test the hash of the password the user has entered against the hashes we have stored. I&rsquo;m being very casual in my language here - I should probably be saying <em>salting</em> and <em>hashing</em>. For the purposes of this discussion the idea is to turn each password into gobbledygook in such a way it&rsquo;s not possible to turn it back into the password.</p> <p>We&rsquo;re going to use the <a href="https://www.npmjs.com/package/bcrypt">bcrypt</a> to do the heavy lifting for us since it&rsquo;s going to be more cryptographically sound than anything we could write.</p> <p>The encryption process is resource intensive, so these are going to be async operations.It&rsquo;s a small trade-off for the security we&rsquo;re adding.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> bcrypt <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;bcrypt&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> validCredentials <span style="color:#81a1c1">=</span> <span style="color:#eceff4">[</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;demo&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Fred&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">];</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>async function isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> user <span style="color:#81a1c1">=</span> validCredentials<span style="color:#81a1c1">.</span>find<span style="color:#eceff4">((</span>cred<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> cred<span style="color:#81a1c1">.</span>username <span style="color:#81a1c1">===</span> username<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span><span style="color:#81a1c1">!</span>user<span style="color:#eceff4">)</span> <span style="color:#81a1c1;font-weight:bold">return</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">return</span> await bcrypt<span style="color:#81a1c1">.</span>compare<span style="color:#eceff4">(</span>password<span style="color:#eceff4">,</span> user<span style="color:#81a1c1">.</span>hashedPassword<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>post<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/login&#34;</span><span style="color:#eceff4">,</span> async <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">,</span> password <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>body<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>await isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> username<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Logged in&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Invalid username or password&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><p>Okay, now we have a login system, with safeish password storage and session management so the user doesn&rsquo;t have to log in on every page.</p> <h3 id="persisting-sessions">Persisting sessions</h3> <p>One last thing before we wrap up this overly long post. Currently, if Jane is logged in, and the server is rebooted, when she returns, her session will have been eliminated. That&rsquo;s to say, her browser will pass the session id in it&rsquo;s cookie, but the server won&rsquo;t recognise it and will force her to log in again. That&rsquo;s not the end of the world (in fact a future improvement should probably be to expire sessions every now and then) but it would be nicer if the session information survived server reboots.</p> <p>By default, <code>express-session</code> uses a memory store, but this can be swapped out for other types of stores. Frequently, production apps will use a database of some kind to keep the session data, but for a single instance app with a hundred or so users a simpler system is just to use the host file system. Such a thing is built into express-session in the form of <code>session-file-store</code>.</p> <p>Implementing this is simple, we just need to declare a variable for the class, then include it in our initialisation of the session middleware.</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> FileStore <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;session-file-store&#34;</span><span style="color:#eceff4">)(</span>session<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Set up view engine </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;view engine&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;ejs&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>cookieParser<span style="color:#eceff4">());</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>bodyParser<span style="color:#81a1c1">.</span>urlencoded<span style="color:#eceff4">({</span> extended<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">}));</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> session middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> session<span style="color:#eceff4">({</span> </span></span><span style="display:flex;"><span> secret<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;REtKU9xyvahuHGd3&#34;</span><span style="color:#eceff4">,</span> <span style="color:#81a1c1">//</span> Replace with a strong secret key </span></span><span style="display:flex;"><span> resave<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> saveUninitialized<span style="color:#eceff4">:</span> <span style="color:#81a1c1">true</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> cookie<span style="color:#eceff4">:</span> <span style="color:#eceff4">{</span> secure<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> store<span style="color:#eceff4">:</span> new FileStore<span style="color:#eceff4">({</span>logFn<span style="color:#eceff4">:</span> function<span style="color:#eceff4">(){}})</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">})</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">);</span> </span></span></code></pre></div><p>You don&rsquo;t need the business with <code>logFn</code>, that&rsquo;s just a hack to subdue the logs. Without it, express-session logs an error each time a session id arrives in a cookie and there&rsquo;s no corresponding file for it. That happens all the time when I&rsquo;m developing so I foolishly turn it off.</p> <p>Now every time a session is created, it will be stored as a text file of JSON in the sessions directory. When a browser makes a request, the express-session will check for a file matching the session id from the cookie, and load the session data from it if needed.</p> <p>Since express-session is now dealing with our cookies, we can eliminate cookie-parser.</p> <p>Here&rsquo;s where we&rsquo;re up to:</p> <div class="highlight"><pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> express <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> session <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;express-session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> bodyParser <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;body-parser&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> bcrypt <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;bcrypt&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> FileStore <span style="color:#81a1c1">=</span> require<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;session-file-store&#34;</span><span style="color:#eceff4">)(</span>session<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> app <span style="color:#81a1c1">=</span> express<span style="color:#eceff4">();</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Set up view engine </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;views&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>set<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;view engine&#34;</span><span style="color:#eceff4">,</span> <span style="color:#a3be8c">&#34;ejs&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span>bodyParser<span style="color:#81a1c1">.</span>urlencoded<span style="color:#eceff4">({</span> extended<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">}));</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> session middleware </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>use<span style="color:#eceff4">(</span> </span></span><span style="display:flex;"><span> session<span style="color:#eceff4">({</span> </span></span><span style="display:flex;"><span> secret<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;REtKU9xyvahuHGd3&#34;</span><span style="color:#eceff4">,</span> <span style="color:#81a1c1">//</span> Replace with a strong secret key </span></span><span style="display:flex;"><span> resave<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> saveUninitialized<span style="color:#eceff4">:</span> <span style="color:#81a1c1">true</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> cookie<span style="color:#eceff4">:</span> <span style="color:#eceff4">{</span> secure<span style="color:#eceff4">:</span> <span style="color:#81a1c1">false</span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> store<span style="color:#eceff4">:</span> new FileStore<span style="color:#eceff4">({</span>logFn<span style="color:#eceff4">:</span> function<span style="color:#eceff4">(){}})</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">})</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Hello <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name<span style="color:#eceff4">}</span><span style="color:#81a1c1">!</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>render<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;login.ejs&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Route to clear the session </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>get<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/logout&#34;</span><span style="color:#eceff4">,</span> <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>destroy<span style="color:#eceff4">((</span>err<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>err<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Error clearing session&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Session cleared&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> validCredentials <span style="color:#81a1c1">=</span> <span style="color:#eceff4">[</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;demo&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Jane&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> username<span style="color:#eceff4">:</span> <span style="color:#a3be8c">&#34;Fred&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> hashedPassword<span style="color:#eceff4">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a3be8c">&#34;$2b$10$MYd23sm2O1AuAU1l0sPV7enE.XkJpTYC4fga1Dm8Wx33u/8T.L9HC&#34;</span><span style="color:#eceff4">,</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">},</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">];</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>async function isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">)</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> user <span style="color:#81a1c1">=</span> validCredentials<span style="color:#81a1c1">.</span>find<span style="color:#eceff4">((</span>cred<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> cred<span style="color:#81a1c1">.</span>username <span style="color:#81a1c1">===</span> username<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span><span style="color:#81a1c1">!</span>user<span style="color:#eceff4">)</span> <span style="color:#81a1c1;font-weight:bold">return</span> <span style="color:#81a1c1">false</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">return</span> await bcrypt<span style="color:#81a1c1">.</span>compare<span style="color:#eceff4">(</span>password<span style="color:#eceff4">,</span> user<span style="color:#81a1c1">.</span>hashedPassword<span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>post<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;/login&#34;</span><span style="color:#eceff4">,</span> async <span style="color:#eceff4">(</span>req<span style="color:#eceff4">,</span> res<span style="color:#eceff4">)</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">const</span> <span style="color:#eceff4">{</span> username<span style="color:#eceff4">,</span> password <span style="color:#eceff4">}</span> <span style="color:#81a1c1">=</span> req<span style="color:#81a1c1">.</span>body<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> <span style="color:#81a1c1;font-weight:bold">if</span> <span style="color:#eceff4">(</span>await isValidCredentials<span style="color:#eceff4">(</span>username<span style="color:#eceff4">,</span> password<span style="color:#eceff4">))</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> req<span style="color:#81a1c1">.</span>session<span style="color:#81a1c1">.</span>name <span style="color:#81a1c1">=</span> username<span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Logged in&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> <span style="color:#81a1c1;font-weight:bold">else</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> res<span style="color:#81a1c1">.</span>send<span style="color:#eceff4">(</span><span style="color:#a3be8c">&#34;Invalid username or password&#34;</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span> <span style="color:#eceff4">}</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#81a1c1">//</span> Start the server </span></span><span style="display:flex;"><span><span style="color:#81a1c1;font-weight:bold">const</span> PORT <span style="color:#81a1c1">=</span> <span style="color:#b48ead">3000</span><span style="color:#eceff4">;</span> </span></span><span style="display:flex;"><span>app<span style="color:#81a1c1">.</span>listen<span style="color:#eceff4">(</span>PORT<span style="color:#eceff4">,</span> <span style="color:#eceff4">()</span> <span style="color:#81a1c1">=&gt;</span> <span style="color:#eceff4">{</span> </span></span><span style="display:flex;"><span> console<span style="color:#81a1c1">.</span>log<span style="color:#eceff4">(</span><span style="color:#bf616a">`</span>Server is running on port <span style="color:#81a1c1">$</span><span style="color:#eceff4">{</span>PORT<span style="color:#eceff4">}</span><span style="color:#bf616a">`</span><span style="color:#eceff4">);</span> </span></span><span style="display:flex;"><span><span style="color:#eceff4">});</span> </span></span></code></pre></div><h3 id="where-next">Where next?</h3> <p>It&rsquo;s been a bit of a trek to get to this point, so I&rsquo;m winding this up here, and we&rsquo;ll take it to the next level in a future post. Some of the next steps to explore are to move our secrets out of the source file, and to use <a href="https://www.npmjs.com/package/passport">Passport.js</a> like the two million other projects who downloaded it this week.</p>