fireblade
Posts: 4
Joined: Wed Jan 14, 2015 10:07 pm

Node.js Authentication

Sun Oct 11, 2015 12:25 am

I'm developing a web application using node.js for home automation using a Raspberry Pi.
As I have to open the web page to the outside, I would like you to advise me on the best and most secure way to do user authentication, to prevent unauthorized people from entering the main web page that controls something in the house (e.g. switching the heater on/off).

Heater
Posts: 16092
Joined: Tue Jul 17, 2012 3:02 pm

Re: Node.js Authentication

Sun Oct 11, 2015 4:22 am

fireblade,

I have a bare shell of a node.js web server that implements user authentication using the passport authentication module: https://github.com/ZiCog/secure_express ... /server.js
Just run it as $ node server.js

It implements user registration and login pages and stores user credentials in a rethink database. Everything is done over HTTPS secured with a self-signed certificate. You could probably take that as a starting point. You can replace the rethink database with whatever you like, as all the handling of that is in a separate module.

You will want to use HTTPS, else you have no security. Getting those keys to work can be a pain. I have another working demo that shows how to make your own self-signed certificates: https://github.com/ZiCog/node-tls-example

Basically my secure server demo is built from the advice in the presentation "Authentication of Express Node js Applications" by Jason Diamond, https://www.youtube.com/watch?v=twav6O53zIQ with extra input from Scott Smith http://scottksmith.com/blog/2014/09/21/ ... th-helmet/

Passport documentation is here: http://passportjs.org/

The thing about passport is that you can use it to verify credentials using a Facebook, Google or Twitter account or many others, which saves you having to keep your own user database. I have not tried that yet. I wanted to see how to do it all myself. There are code examples for using passport with all those. Means less code to write for you. None of their examples use HTTPS though, as far as I can tell.

If you have any questions about using my demo do ask. I will add any answers to the GitHub README.
Memory in C++ is a leaky abstraction .
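
An added example, not part of the posts above and not taken from the linked demo: a sketch of the credential handling behind a registration/login flow, written as a verify callback in the (username, password, done) shape that passport-local expects. It uses only Node's built-in crypto module; the in-memory Map stands in for the separate database module, and all names (registerUser, verify, checkLogin, the sample account) are hypothetical.

```javascript
'use strict';
const crypto = require('crypto');

// In-memory stand-in for the user database module (assumption; the demo uses a database).
const users = new Map();
const SCRYPT_KEYLEN = 64;

// Derive a salted scrypt hash so the stored record never contains the password itself.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, SCRYPT_KEYLEN);
}

// Registration: reject duplicates, store a per-user random salt plus the derived hash.
function registerUser(username, password) {
  if (users.has(username)) return false;
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, hash: hashPassword(password, salt) });
  return true;
}

// Verify callback in the (username, password, done) shape used by passport-local.
// done(null, false) rejects the login; done(null, user) accepts it.
function verify(username, password, done) {
  const record = users.get(username);
  // Unknown users are hashed against a dummy salt so both paths do similar work.
  const salt = record ? record.salt : Buffer.alloc(16);
  const expected = record ? record.hash : Buffer.alloc(SCRYPT_KEYLEN);
  const candidate = hashPassword(password, salt);
  // Constant-time comparison avoids leaking how many bytes of the hash matched.
  const match = crypto.timingSafeEqual(candidate, expected);
  if (!record || !match) return done(null, false);
  return done(null, { username });
}

// Runs verify and returns the authenticated user object, or false on rejection.
function checkLogin(username, password) {
  let result = false;
  verify(username, password, (err, user) => { result = err ? false : user; });
  return result;
}

// Constructed sample account for the demonstration.
registerUser('fireblade-demo', 'correct horse battery staple');
console.log(checkLogin('fireblade-demo', 'correct horse battery staple'));
console.log(checkLogin('fireblade-demo', 'wrong password'));
```

With passport-local installed, the verify function would be passed to the strategy constructor; the hashing protects the stored credentials, while HTTPS protects the password in transit.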
