How to create a single admin user without registration and all the other stuff typically seen in an authentication workflow?

I am developing a simple product catalogue in Node.js. Nothing spectacular, basically a standard Express site with some forms for CRUD operations on the products. Now those forms should only be visible to the admin, so just one single account.

I have used passportJS so far but the way it would be now is:

  1. Create the registration form
  2. Have the registered user (the admin) have access to everything
  3. Delete the registration functionality and form from the site

That's not how this is supposed to work, is it? ;) I just need a single admin user to access the forms. Nothing else.

How can I add that user while still being secure? I was thinking to use the authentication and login form setup with PassportJS and inject the user directly via the Mongo shell. I am just honestly too inexperienced to know if that is the totally wrong/insecure approach or not.

Any pointers would be highly appreciated since every single tutorial I have come across so far "only" shows how to create the whole register/login system.

Jos Faber

If there is only one admin, you could just have basic authentication over SSL.

Or store a hash of a salted password in your backend code and create a simple just-password-login form that stores something in the session that expires in, say, 30 minutes. You can even create a small "binary" that stores a given password as a salted hash in a separate file and include/require that in the config.
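The salted-hash and expiring-session approach from this answer, sketched as an added example (not code from the thread or from any poster). It uses Node's built-in `crypto` scrypt functions; the function names, the `adminSince` field and the plain `session` object standing in for a server-side session such as `req.session` are assumptions made for illustration.

```javascript
// Added example: single-admin login with a salted scrypt hash and a 30-minute session.
const crypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // the "say, 30 minutes" from the answer

// Run once (e.g. from a small CLI script) and keep the output in a config
// file or environment variable that stays out of version control.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt per hash
  const hash = crypto.scryptSync(String(password), salt, 64);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Recompute the hash with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = String(stored).split(':');
  if (!saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length === 0) return false; // malformed stored value
  const actual = crypto.scryptSync(
    String(password), Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// On success, record only the login time in the session, never the password.
function login(session, password, storedHash, now = Date.now()) {
  if (!verifyPassword(password, storedHash)) return false;
  session.adminSince = now;
  return true;
}

// Guard for the CRUD routes: logged in, and the login is younger than the TTL.
function isAdmin(session, now = Date.now()) {
  return typeof session.adminSince === 'number' &&
    now - session.adminSince < SESSION_TTL_MS;
}
```

In an Express app, `isAdmin(req.session)` would sit in a middleware in front of the product forms, and the login route would call `login` with the hash loaded from config.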

Steven Ventimiglia

I would recommend doing what I do... search Google for something like, "npm passport express tutorial" or "express mongo user authentication tutorial". That will always result in some awesomesauce tutorial (most often, accompanied by a git repo.)

I'm not sure, but PassportJS doesn't seem necessary for this.

Maybe just use plain user authentication, starting the app off by checking for a user via Mongoose/Express, and if there is none, just having the initial user create an account with an email and password.

Martin Conde

I have been searching for the past few days, but the only "lightweight" solutions I came across had the username and password hard-coded into the app, which seems pretty insecure, or not?

I also feel PassportJS is overkill for this kind of functionality and am honestly quite surprised there aren't any tutorials on it, since it seems a very normal use-case scenario.

Well, I suppose I just need to learn more to be able to set it up that way :) I will try and look up more stuff related to the way you put it, thanks for that :)

Steven Ventimiglia

Check out my Express repo. Tear out what's not needed and redo the Profile page (which has an experimental Admin/User toggle when you click on the name of the role - plus there are RPG elements to the user model, because that's how I keep it entertaining.) lol

There's a clean and secure user registration/authentication system there, and you can just write your own Middleware to control the user registration, then access to forms, etc. Clone it, customize it, and make it your own (which is also my purpose for the repo, in general.) It also uses bcrypt for hashing/salting the passwords.

PassportJS is cool, but I honestly don't see any use for it unless you're getting into Facebook/GitHub/LinkedIn login options - or connecting to an API as a user. For example, I have a similar clone of the repo above, but it uses PassportJS for Steam so gamers can log into their SteamIDs and pull the related JSON files for item inventory, etc.