The demo for this article is on GitHub.

I. Foreword

At present, the two mainstream user authentication approaches are session-based and token-based.


II. Session-based authentication



1. The user enters his/her login information

2. The server validates the user information, creates a session and stores it in the database

3. The server creates a sessionID for the user and stores it in the browser as a cookie

4. Each subsequent request carries the cookie with the sessionID. The server looks the session up in the database and accepts the request if it is valid

5. Once the user logs out of the application, the session is destroyed on both the client and server


III. Token-based user authentication (JWT)



1. The user enters his/her login information

2. The server verifies the user information and returns the signed token

3. The token is stored in a browser, such as a cookie

4. Each subsequent request carries the token in the cookie

5. The server decodes the JWT and accepts the request if the token is valid

6. Once the user logs out of the application, the cookie is destroyed only in the browser; the server stores no session data at all. That is, the server becomes stateless, which makes it easier to scale out.


IV. Asymmetric and symmetric encryption algorithms

When the browser sends the user name and password to the server, the password must be encrypted to prevent it from leaking. You can think of an algorithm simply as a rule that transforms information from one form into another.

1. Symmetric encryption algorithm

Symmetric encryption is the older of the two and the technology is mature. In a symmetric encryption algorithm, the sender feeds the plaintext (raw data) and the encryption key through a specific encryption algorithm to produce the ciphertext. To read the original text, the recipient decrypts the ciphertext with the same key and the inverse of the same algorithm, restoring it to readable text. A symmetric encryption algorithm uses only one key: both sender and receiver use it to encrypt and decrypt data, so the decrypting party must know the encryption key in advance.

Plaintext <-> key <-> ciphertext

2. Asymmetric encryption algorithm

Public-key encryption, also known as asymmetric encryption, is a class of cryptographic algorithms that requires a pair of keys: one private (the private key) and one public (the public key). Information encrypted with one key of the pair can be decrypted only with the other key. Knowing one key does not let you work out the other, so disclosing one key of the pair does not compromise the secrecy of the other. The key that is published is called the public key; the key that is kept secret is the private key.

Plaintext + Public key -> Ciphertext -> Ciphertext + Private key = plaintext


Asymmetric encryption is therefore regarded as the better of the two, although every algorithm has pros and cons: symmetric encryption is fast but less secure than asymmetric encryption. Why? To use symmetric encryption, every party sharing information must share the same key. If, for example, 1,000 people use the same key for their ciphertext, it only takes one of those keys being stolen for all of the encrypted messages to be cracked.

V. Solutions

In this project, the user name and password need to be encrypted when a user logs in. RSA asymmetric encryption is used here.

  • Key pair: generated with OpenSSL, in the format the Node Crypto module requires
  • Front end: encryption with the JSEncrypt library
  • Back end: the Node Crypto module


Use OpenSSL to generate the public and private keys

1. Open a terminal and cd into the myCert folder

2. Run openssl in the terminal



3. Generate a private key



4. Convert the RSA private key to PKCS#8 format. If prompted for a password, leave it blank (press Enter).



5. Generate the public key



6. The private key and public key files are now in the myCert folder




7. Encrypt on the front end with the JSEncrypt library




PUB_KEY is the public key file myCert/rsa_public_key.pem generated with OpenSSL above, copied in directly.



8. Decrypt with the Node crypto module



Note:

(1) fs.readFileSync() reads the private key file

(2) Generate the token from the user information (excluding the password); the token is used only to look up user information in the database or back-end microservices

Generate the token with JWT (JSON Web Token)



Note: JWT_SECRET can be any custom string; it is the secret used to “salt” the token signing



The token is now generated and stored in a browser cookie

Encapsulate a tokenMiddleware to verify tokens

Every request the browser sends passes through the routing middleware of the Node layer before the service logic runs. The middleware verifies the token carried in the request and executes the corresponding service logic only if verification passes.





Note: the cleanToken method logs the user out by clearing the token cookie in the browser