Authentication - pmvdbijl7/matching-app GitHub Wiki
Like almost every other application, ours implements authentication. By "authentication" we mean registering and logging into the application: users create an account and then log in with the credentials they created. Once logged in, they gain access to functionality that visitors who are not logged in cannot use.
How did we implement this?
The implementation of these features is not especially complicated. We have placed comments in the code to make clear to ourselves what happens where, although the code itself is easy to follow.
Register
When we register a user, we ask for their name, email address and password and store this information in the database. The password is not stored as typed: it is hashed first, so that nobody can read a user's password in the database. When a user is successfully registered, they are redirected to the login page so they can log in with the account just created. When something goes wrong, the application shows an error. See the code below:
```js
const bcrypt = require('bcrypt');

// The route path is assumed and the User model import is not shown on this page;
// the page only shows the body of the handler.
router.post('/signup', async (req, res) => {
  // Hash Password (bcrypt embeds the salt in its output; 10 is the cost factor)
  const salt = await bcrypt.genSalt(10);
  const hashedPassword = await bcrypt.hash(req.body.password, salt);

  // Create New User
  const user = new User({
    name: req.body.name,
    email: req.body.email,
    password: hashedPassword,
  });

  user.save()
    .then(() => {
      // Redirect to Sign In
      res.redirect('/signin');
    })
    .catch((err) => {
      // Note: err.message can expose database details (e.g. duplicate-key errors) to the client
      res.send(err.message);
    });
});
```
Login
A user can log in in two different ways: with an account they just created, or with their Google account. With both login methods an "accessToken" is created, which the user presents on each request to show the application that they may access its pages and functionality. When the user clicks logout, this accessToken is removed and they have to log in again to access the application.
```js
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');

// The route path is assumed and the User model import is not shown on this page.
router.post('/signin', async (req, res) => {
  // Check if Email Address is Correct
  const user = await User.findOne({ email: req.body.email });
  // Note: a distinct message here tells a caller which email addresses have accounts
  if (!user) return res.status(400).send('Your email address is wrong.');

  // Check if Password is Correct (bcrypt.compare re-hashes with the stored salt)
  const validPass = await bcrypt.compare(req.body.password, user.password);
  if (!validPass) return res.status(400).send('Your password is wrong.');

  // Create accessToken and Assign to Cookie
  // Note: no expiresIn option, so the token stays valid until the cookie is removed
  const accessToken = jwt.sign({ _id: user._id }, process.env.JWT_KEY);
  // Note: no httpOnly/secure/sameSite options, so the cookie is readable from page scripts
  res.cookie('accessToken', accessToken);

  // Check if User has already selected his/her gender
  if (!user.gender) {
    res.redirect('/signin/preferences');
  } else {
    res.redirect('/');
  }
});
```
As you can see in the code above, the application first checks whether an account exists for the email address the user is logging in with, and then whether the entered password is correct. If either check fails, the application shows an error message. If both succeed, an accessToken is created for the user and they are redirected either to the homepage or to a page where they can enter their preferences. (Which one is determined by whether the user has already selected their gender.)
For an explanation of the Google login method check the section about PassportJS.