**Course Title:** Mastering Express.js: Building Scalable Web Applications and APIs **Section Title:** Authentication and Authorization **Topic:** Develop a user authentication system using Passport.js, including registration, login, and role management.(Lab topic) ### Introduction In the previous topics, we have covered the basics of authentication and authorization, including user authentication using Passport.js. In this lab topic, we will dive deeper into developing a comprehensive user authentication system using Passport.js, including registration, login, and role management. By the end of this topic, you will have a solid understanding of how to implement a secure and scalable authentication system in your Express.js applications. ### Prerequisites Before proceeding with this topic, ensure you have: 1. Completed the previous topics on authentication and authorization. 2. Familiarity with Mongoose and MongoDB for data modeling. 3. Basic understanding of Passport.js. ### Step 1: Setting up Passport.js To start with Passport.js, you need to install the required packages: ```bash npm install passport passport-local mongoose ``` Create a new file called `passport.js` and add the following code to configure Passport.js: ```javascript // passport.js const passport = require('passport'); const LocalStrategy = require('passport-local').Strategy; const mongoose = require('mongoose'); passport.use(new LocalStrategy({ usernameField: 'email', passwordField: 'password' }, (email, password, done) => { // Find user by email mongoose.model('User').findOne({ email: email }, (err, user) => { if (err) return done(err); if (!user) return done(null, false, { message: 'Incorrect email or password' }); user.comparePassword(password, (err, isMatch) => { if (err) return done(err); if (!isMatch) return done(null, false, { message: 'Incorrect email or password' }); return done(null, user); }); }); })); passport.serializeUser((user, done) => { done(null, user.id); }); passport.deserializeUser((id, done) => { mongoose.model('User').findById(id, (err, user) => { done(err, user); }); }); module.exports = passport; ``` ### Step 2: Creating User Registration Create a new file called `users.js` and add the following code to create a user registration route: ```javascript // users.js const express = require('express'); const router = express.Router(); const mongoose = require('mongoose'); const passport = require('./passport'); // Create a new user router.post('/register', (req, res) => { const { name, email, password } = req.body; mongoose.model('User').create({ name, email, password }, (err, user) => { if (err) return res.status(500).send({ message: err.message }); return res.send({ message: 'User created successfully' }); }); }); module.exports = router; ``` ### Step 3: Implementing User Login Create a new file called `login.js` and add the following code to implement user login: ```javascript // login.js const express = require('express'); const router = express.Router(); const passport = require('./passport'); // Login route router.post('/login', passport.authenticate('local'), (req, res) => { return res.send({ message: 'Logged in successfully' }); }); module.exports = router; ``` ### Step 4: Role Management To implement role management, you can add a `role` field to your user schema: ```javascript // user.js const mongoose = require('mongoose'); const userSchema = new mongoose.Schema({ name: String, email: String, password: String, role: { type: String, enum: ['admin', 'user'] } }); const User = mongoose.model('User', userSchema); module.exports = User; ``` You can then use middleware to restrict access to certain routes based on user roles: ```javascript // middleware.js const express = require('express'); const adminMiddleware = (req, res, next) => { if (req.user.role !== 'admin') { return res.status(403).send({ message: 'Forbidden' }); } next(); }; module.exports = adminMiddleware; ``` ### Example Use Case Here's an example of how you can use the authentication system: ```javascript // index.js const express = require('express'); const app = express(); const passport = require('./passport'); const users = require('./users'); const login = require('./login'); app.use(express.json()); app.use(passport.initialize()); app.use('/users', users); app.use('/login', login); app.get('/protected', passport.authenticate('local'), (req, res) => { return res.send({ message: 'Hello, ' + req.user.name }); }); app.listen(3000, () => { console.log('Server started on port 3000'); }); ``` ### Conclusion In this lab topic, we have developed a comprehensive user authentication system using Passport.js, including registration, login, and role management. You now have a solid understanding of how to implement a secure and scalable authentication system in your Express.js applications. **What's next?** In the next topic, we will cover the principles of RESTful API design. **Leave a comment/ask for help** If you have any questions or need further clarification on any of the topics covered in this lab topic, please leave a comment below. We'll be happy to help. **External Resources** * [Passport.js Documentation](http://passportjs.org/docs) * [Mongoose Documentation](https://mongoosejs.com/docs/) * [Express.js Documentation](https://expressjs.com/en/guide.html) **Self-Assessment Questions** 1. What is the purpose of the `serializeUser` function in Passport.js? 2. How do you restrict access to certain routes based on user roles? 3. What is the difference between authentication and authorization? **Answer Key** 1. The purpose of the `serializeUser` function is to determine what data from the user object should be stored in the session. 2. You can use middleware to restrict access to certain routes based on user roles. 3. Authentication is the process of verifying the identity of a user, while authorization is the process of determining what actions an authenticated user can perform.