skip to content
logo
Table of Contents

Implementing Secure OAuth Authentication in Node.js

Implementing robust authentication is critical for modern web applications. OAuth 2.0 provides a secure framework for authorization that can be efficiently implemented in Node.js applications.

This guide covers:

  • OAuth 2.0 fundamentals
  • Setting up OAuth with Express.js
  • Implementing secure token handling
  • Best practices for production applications

OAuth 2.0 Fundamentals

OAuth 2.0 is an authorization protocol that enables third-party applications to access resources on behalf of users without exposing credentials. Here’s how it works at a high level:

  1. User initiates authentication
  2. Application redirects to OAuth provider
  3. User authenticates with provider
  4. Provider redirects back with authorization code
  5. Application exchanges code for access token
  6. Application uses token for authorized requests

Setting Up OAuth in Express.js

First, let’s set up a basic Express application with the necessary dependencies:

const express = require('express');
const session = require('express-session');
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');


const app = express();


// Configure session management
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: { secure: process.env.NODE_ENV === 'production' }
}));


// Initialize Passport
app.use(passport.initialize());
app.use(passport.session());

Configuring OAuth Strategy

Next, configure the OAuth 2.0 strategy with your provider’s details:

passport.use(new OAuth2Strategy({
  authorizationURL: 'https://provider.com/oauth2/authorize',
  tokenURL: 'https://provider.com/oauth2/token',
  clientID: process.env.OAUTH_CLIENT_ID,
  clientSecret: process.env.OAUTH_CLIENT_SECRET,
  callbackURL: 'https://your-app.com/auth/callback'
},
function(accessToken, refreshToken, profile, done) {
  // Store tokens securely and retrieve or create user
  User.findOrCreate({ providerUserId: profile.id }, function (err, user) {
    // Store tokens in a secure way, never in the user object directly
    // Consider using a separate tokens table with encryption
    TokenStorage.saveTokens(user.id, { accessToken, refreshToken });
    return done(err, user);
  });
});

Implementing Authentication Routes

Set up the necessary routes to handle the authentication flow:

// Initiate authentication
app.get('/auth/login', passport.authenticate('oauth2'));


// Handle callback from provider
app.get('/auth/callback',
  passport.authenticate('oauth2', {
    failureRedirect: '/login'
  }),
  (req, res) => {
    // Successful authentication
    res.redirect('/dashboard');
  }
);


// Logout route
app.get('/auth/logout', (req, res) => {
  req.logout();
  res.redirect('/');
});

Secure Token Storage

Never store raw tokens in your database. Implement a secure token storage service:

const crypto = require('crypto');


class TokenStorage {
  static async saveTokens(userId, { accessToken, refreshToken }) {
    const encryptedAccess = this.encrypt(accessToken);
    const encryptedRefresh = this.encrypt(refreshToken);


    await db.tokens.upsert({
      userId,
      accessToken: encryptedAccess,
      refreshToken: encryptedRefresh,
      createdAt: new Date()
    });
  }


  static async getTokens(userId) {
    const tokens = await db.tokens.findOne({ where: { userId } });
    if (!tokens) return null;


    return {
      accessToken: this.decrypt(tokens.accessToken),
      refreshToken: this.decrypt(tokens.refreshToken)
    };
  }


  static encrypt(text) {
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv(
      'aes-256-gcm',
      Buffer.from(process.env.ENCRYPTION_KEY, 'hex'),
      iv
    );


    let encrypted = cipher.update(text, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    const authTag = cipher.getAuthTag().toString('hex');


    return `${iv.toString('hex')}:${authTag}:${encrypted}`;
  }


  static decrypt(text) {
    const [ivHex, authTagHex, encryptedText] = text.split(':');
    const iv = Buffer.from(ivHex, 'hex');
    const authTag = Buffer.from(authTagHex, 'hex');
    const decipher = crypto.createDecipheriv(
      'aes-256-gcm',
      Buffer.from(process.env.ENCRYPTION_KEY, 'hex'),
      iv
    );


    decipher.setAuthTag(authTag);
    let decrypted = decipher.update(encryptedText, 'hex', 'utf8');
    decrypted += decipher.final('utf8');
    return decrypted;
  }
}

Protecting Routes with Authentication

Create middleware to protect routes that require authentication:

function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) {
    return next();
  }
  res.redirect('/auth/login');
}


// Protected route example
app.get('/dashboard', ensureAuthenticated, (req, res) => {
  res.render('dashboard', { user: req.user });
});

Handling Token Refresh

Implement automatic token refresh to maintain persistent authentication:

async function refreshAccessToken(userId) {
  const tokens = await TokenStorage.getTokens(userId);
  if (!tokens) throw new Error('No refresh token available');


  const response = await fetch('https://provider.com/oauth2/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: tokens.refreshToken,
      client_id: process.env.OAUTH_CLIENT_ID,
      client_secret: process.env.OAUTH_CLIENT_SECRET
    })
  });


  const newTokens = await response.json();


  if (!response.ok) {
    throw new Error('Failed to refresh token');
  }


  await TokenStorage.saveTokens(userId, {
    accessToken: newTokens.access_token,
    refreshToken: newTokens.refresh_token || tokens.refreshToken
  });


  return newTokens.access_token;
}

Security Best Practices

  1. Environment Variables: Store all sensitive values in environment variables
  2. HTTPS: Always use HTTPS in production
  3. CSRF Protection: Implement CSRF tokens for forms
  4. Rate Limiting: Add rate limiting to prevent brute force attacks
  5. Token Validation: Validate tokens on each request

Here’s an example of implementing CSRF protection:

const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });


app.use(csrfProtection);


// Add CSRF token to all rendered views
app.use((req, res, next) => {
  res.locals.csrfToken = req.csrfToken();
  next();
});

Production Deployment Considerations

When deploying to production, ensure:

  1. Secure Cookies:
app.use(session({
  cookie: {
    secure: true,
    httpOnly: true,
    sameSite: 'strict'
  }
}));
  1. Helmet for HTTP Headers:
const helmet = require('helmet');
app.use(helmet());
  1. Proper Error Handling:
app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).send('Something broke!');
});

Conclusion

Implementing OAuth 2.0 in Node.js provides robust authentication while keeping user credentials secure. By following the best practices outlined in this guide, you can create a secure authentication system that:

  • Protects user credentials
  • Securely stores and manages tokens
  • Handles token refresh automatically
  • Implements security best practices

This approach scales well for applications of any size and provides a solid foundation for more advanced authentication needs.