javascript - How to properly use Passport.js?
I am using:
- Node.js
- Express 4.0
- Passport.js
- Google OAuth 2 authentication
For each user, I store in a MySQL DB (I don't have a choice regarding the technology) the info from the Google profile (email etc.), the access & refresh tokens, and the additional info the user provides when he registers on the app.
I have seen different uses of Passport.js regarding how the info is stored in the session.
On Passport.js's configure page, I don't understand the point of the following block of code:

    passport.deserializeUser(function(id, done) {
      User.findById(id, function(err, user) {
        done(err, user);
      });
    });
Basically, each time the user makes a request, or visits a page, there is a request to the DB and the information is retrieved. What is the point? It slows the app a lot. Shouldn't the info from the DB be retrieved when serializeUser is called (i.e. when the info is stored in the session)?

I have read that storing too much info in the session can slow the app. What is "too much"? How much does it slow the app? Do you know if there are tests somewhere? My app's pages require a different set of data about the user (for example, the homepage only needs the name whereas the profile page needs everything, another page needs to know the cars he owns, etc.). Should I store all the info in the session when passport.authenticate checks if the user exists in the DB (thus limiting the read requests to the DB to approximately one), or store only the id in the session and have the pages make additional requests to the DB when necessary?

Another issue I have: in the registration process, I first have the user log in on his Google account, store the profile's details somewhere, have him fill a form with additional info, and then insert everything in the DB. The problem is that I don't know how to store the Google account details until they are inserted in the DB. For the moment, I store them in the session, and delete them when the insertion is successful. More specifically, when no existing user is found in the DB, I do, in the passport.authenticate callback:

    return done(null, false, userInfo);

Thus, the user is not authenticated and I have 2 issues: I have to store userInfo somewhere until the user is registered, and I have to log him in "manually" using req.login() after the registration is complete. Should I allow him to be authenticated as soon as he logs in on his Google account? Wouldn't that cause security issues for me if he does not complete the registration?

Lastly, I have read about using Redis. Would it help me with these issues?

Thank you!
1) serializeUser is filtering the data and storing it in the session cookie. Store as little in the cookie as you can. You are going to call the DB for data about the user anyway, so you can just store an id that is used to retrieve and reconstruct the user, as seen in deserializeUser.
A request comes in with the cookie provided to the server by the client; the server deserializes the cookie data, either by decrypting the cookie content or by retrieving the user data from the DB. When the response heads out, the server serializes the client data, scraping off the things you wouldn't store in the cookie and putting them in the DB, leaving only the id in the cookie.
If you are doing encryption, this can get screwed up when you want to scale by running multiple machines which each need to be able to decrypt the data (not hard, but unnecessary complexity).
Having unencrypted data lying in the cookie isn't best either, and besides, everything in the cookie adds an inkling of bandwidth usage for the user.
2) Database calls should be fast; if they aren't, you are going to have a suffering user experience elsewhere anyway. In other words, it is my strong opinion that there is an overwhelming argument for staying away from cookies.
Consider that cookies are sent with each request; it is smarter to, instead of shoving data into the session and having it add overhead, have the user's data load temporarily (cached) for a bit after the user makes a request, and have neither database calls nor cookie overhead while the user is actively on the site.
Honestly, you should be fine at first without caching. Focus on getting the app going with minimum complexity. That way you can modify it according to user feedback faster and have fewer mistakes.
3) When I played with Passport I had a similar issue. Let Passport do its job and grant passport-level verification to the user (so yes, logged in), and do the additional data collection separately. If you are concerned about security, make passport-level verification not count as "logged in", and require the additional data before upgrading to logged in.
I may be off the mark on this one, but that's my recommendation.
4) Redis is for the times when you have multiple Node instances and want to store something in memory (say a counter, or cached user data). That way you don't have variables in your Node code holding onto cached data about the user, which another Node instance can't take advantage of when the user comes back and the load balancer shoots them to a different instance. http://www.ourdailycodes.com/2013/09/redis-when-should-i-use-it.html
Edit: I should add that the session uses a cookie which gives the user a unique token the server understands, so the server can re-gather the user's session data when a connection is received accompanied by that session token. My understanding is that this is the correct way sessions work... it varies by implementation (someone correct me if I'm wrong here).
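Added illustration of the pattern discussed in the question and in points 1 to 3 of the answer; it is not code from the question, the answer, or Passport itself. The session keeps only the user id (the serializeUser side), the full record is re-read from the DB or from a short-lived cache (the deserializeUser side), and a user who has only authenticated with Google is logged in at "passport level" until the registration form upgrades the record. A Map stands in for the MySQL table, a plain object for the Express session, and the Google profile is a constructed sample; the function names and the `registered` flag are assumptions made for this example.

```javascript
// Added illustration, not code from the question, the answer, or Passport.
// A Map stands in for the MySQL users table and a plain object for the session.

const usersDb = new Map(); // constructed stand-in for the MySQL users table
let nextId = 1;
let dbReads = 0;           // counts findById calls so the effect of caching is visible

function findById(id) {
  dbReads += 1;
  return usersDb.get(id) || null;
}

// Equivalent of passport.serializeUser: only the id goes into the session.
function serializeUser(user) {
  return user.id;
}

// Equivalent of passport.deserializeUser, with the per-user TTL cache the answer
// suggests so an active user does not cost one DB read per request.
const userCache = new Map();
const CACHE_TTL_MS = 60 * 1000;

function deserializeUser(id, now = Date.now()) {
  const hit = userCache.get(id);
  if (hit && hit.expires > now) return hit.user;
  const user = findById(id);
  if (user) userCache.set(id, { user, expires: now + CACHE_TTL_MS });
  return user;
}

// Verify callback for the Google strategy. An unknown Google account gets a minimal
// record with registered: false instead of done(null, false, ...), so Passport can
// log the user in right away and the registration form fills in the rest later.
function googleVerify(accessToken, refreshToken, profile) {
  for (const u of usersDb.values()) {
    if (u.googleId === profile.id) return u;
  }
  const user = {
    id: nextId++,
    googleId: profile.id,
    email: profile.emails[0].value,
    accessToken,
    refreshToken,
    registered: false,
  };
  usersDb.set(user.id, user);
  return user;
}

// Called when the registration form is submitted. The cache entry is dropped so the
// next deserializeUser sees the upgraded record instead of a stale one.
function completeRegistration(id, extra) {
  const user = findById(id);
  if (!user) throw new Error('unknown user ' + id);
  Object.assign(user, extra, { registered: true });
  userCache.delete(id);
  return user;
}

// Authorization check: a Google-verified but unregistered user may only reach pages
// that do not need the full profile.
function canAccess(user, needsRegistered) {
  if (!user) return false;
  return needsRegistered ? user.registered === true : true;
}

// One request cycle: the session carries only what serializeUser produced.
function handleRequest(session) {
  if (session.passportUserId === undefined) return null;
  return deserializeUser(session.passportUserId);
}

// Walks through login, two requests, registration and a third request.
function demo() {
  const profile = { id: 'google-123', emails: [{ value: 'alice@example.com' }] }; // constructed
  const session = {};
  const user = googleVerify('access-token', 'refresh-token', profile);
  session.passportUserId = serializeUser(user); // what req.login() would store
  handleRequest(session);                       // first request: DB read, cache filled
  const second = handleRequest(session);        // second request: served from cache
  const beforeReg = canAccess(second, true);    // profile page refused: not registered
  completeRegistration(user.id, { name: 'Alice', cars: ['one car'] });
  const third = handleRequest(session);         // cache invalidated: DB read again
  return {
    sessionKeys: Object.keys(session),
    dbReads,                                    // 3: first request, registration, third request
    beforeReg,
    afterReg: canAccess(third, true),
    name: third.name,
  };
}
```

Running demo() shows the session holding nothing but the id, three DB reads across four lookups because the second request was served from the cache, and the registered-only check flipping from false to true once the form is submitted. In a real app the cache would live in Redis rather than a module-level Map so that every Node instance behind the load balancer sees the same entries, which is the situation point 4 of the answer describes.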