What's the best way to authenticate and authorize a web and api solution like MERN Stack?

问题

I'm trying to find the best way to implement authorization. At this time, only thing I need is a simple free account, but later I may include user roles for a "premium" account using a payment system like stripe.

I have already started reading and experimenting with Auth0 but then found some other ways I can do it.

1. Passport.js + MongoDB, I've seen some examples and work great but I think it is missing a way to control users, rules etc with a friendly panel (like Auth0)
2. Using Auth0 and setting up a custom database (mongoDB). Also seems to be behind a paywall.
3. Also found a way to use both Auth0 for authentication and Mongoose for a MongoDB database. In this one, everything is saved in mongoDB except passwords. It's also the only setup that deleting a user from Auth0 is not affecting the MongoDB (which is bad I guess).

So, some questions are

1. which method you think is better?
2. What is the difference between 2 and 3,
3. Is there a way to implement rules in passport (e.g. redirect new users on first login)
4. If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?

A bit of a chaos question but any help would be helpful

回答1:

The best authorization strategy depends of the scope of your applications in a short or long term.

Monolithic or simple web with Private login

For example, if you will have just a simple(MERN) web with a one simple backend (api rest) or a monolithic application like this mern example with an internal or private login in your organization, your authorization strategy could be as simple as :

• (1*) /login express route which receive user/password, validate them in database and returns the clasic jwt token and an array of options (react routes) to which the user should have access
• web app (react) must render pages whose routes match with the received routes
• web app must send the received token to any api rest endpoint invocation
• when api receive the invocation from react web, must validate the existence of token as a header. If not exist, must return a 403 error.
• (2*) If token exist, must try to validate it (well-formed, not expired, correct signature, etc).
• (3*)If its is a valid token, you must perform a last validation: Is user with "guest" role allowed to execute a DELETE to an endpoint /user/100.
• (4*) Classic solution is to have some tables in your database like: user, roles, user_roles, role_permission, permission_option. Option table must have registered all your api endpoints and its method. Also this could be used to create the relation between user <:> web routes. Check this

Modern requirements

Modern and large organizations require:

• Social Network Logins
• Internal/External Users
• Not interactive logins (robots, schedulers, etc)
• Several web apps
• Several Mobile apps
• A lot of Api Rest

For this case, MERN app is not a good choice because is ALL-IN-ONE. Common strategy to implement the previous requirements is to have several artifacts deployed in several servers:

• web app (react, vue, angular, linkstart, etc)
• apis rest (nodejs + expres, java, python, etc)
• authentication/authorization: oauth2 platform/provider, Identity/Access Platforms, etc

If this is your case, you must split your MERN app into several deployable artifacts: web, api and security.

Oauth2

No matter if you are concern just for login or how ensure the authentication and authorization for your webs, apis and maybe your mobile apps, you will need : OAUTH2

You could develop your own security platform taking into consideration (1*), (2*), (3*) y (4*) or use something like:

• auth0
• keycloack, etc

More details here: https://stackoverflow.com/a/62049409

Your questions

• which method you think is better?
  • I think if you will use auth0, you will save time and effort. With auth0 you just need a simple express app, with some endpoints like /login, /callback, etc. Or if you use auth0 + passport.js, these endpoints are managed by passport.js
  • I advice you , review how OAUTH2 flow works before to use auth0 with/without passport. This link helped me a lot.
• What is the difference between 2 and 3,
  • As I read, auth0 and another platforms offer a user management service or it can connect to your users service (AD/LDAP, database, api, etc). So
• Is there a way to implement rules in passport (e.g. redirect new users on first login)
  • Yes. You can add some logic when callback is redirected in your nodejs with or without passport.
• If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?
  • Nowadays database support a lot of rows. So for your production database try to optimize or monitor it. Another option is to hire a database administrator to perform these tasks.

References

• https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
• https://auth0.com/user-management
• https://stackoverflow.com/a/62049409
• https://fiware-tutorials.readthedocs.io/en/latest/roles-permissions/index.html
• https://dba.stackexchange.com/questions/36935/best-relational-database-structure-for-this-data
• https://www.mind-it.info/2010/01/09/nist-rbac-data-model/
• Managing single sign on using passportjs for my own web applications - sharing login
• https://aws.amazon.com/blogs/apn/how-to-integrate-rest-apis-with-single-page-apps-and-secure-them-using-auth0-part-1/
• Facebook OAuth security using passport-facebook
• Asynchronous Django, Ajax, Jquery Information
• relational models

来源：https://stackoverflow.com/questions/63090853/whats-the-best-way-to-authenticate-and-authorize-a-web-and-api-solution-like-me