Authentication

Express Sweet has built-in Passport authentication middleware for authenticating users by username and password.
You can start using user authentication in your application right away through the authentication configuration file and the authentication service module.

For more information about passport, click here.
If an unauthenticated user requests a URL that is only accessible when authenticated, the user is redirected to the page specified by failure_redirect.
If the request is asynchronous, a 401 error is returned instead of a redirect.

Configuration

The user authentication configuration is defined in the config/authentication.js file.
Click here to download a sample ESM configuration and
here to download a sample CJS configuration.
Explanation of Values

enabled: boolean
Set to true to enable user authentication using Passport middleware. User authentication is enabled (true) by default.

session_store: 'memory'|'redis'
The session store to use. Defaults to a new MemoryStore (memory) instance.

cookie_name?: string|undefined
The name of the session ID cookie to set in the response (and read from in the request). The default value is connect.sid.

cookie_secure?: boolean|undefined
Specifies the boolean value for the Secure Set-Cookie attribute. The default is true, which sets the Secure attribute on the cookie.

cookie_httpOnly?: boolean|undefined
Specifies the boolean value for the HttpOnly Set-Cookie attribute. The default is true, which sets the HttpOnly attribute on the cookie.

redis_host?: string|undefined
If the session is stored in "redis", this field is required and should be set to the hostname of the Redis server. For example, to connect to Redis on localhost on port 6379, set "redis://localhost:6379". To connect to a different host or port, use a connection string in the format "redis[s]://[[username][:password]@][host][:port][/db-number]". For example, "redis://alice:foobared@awesome.redis.server:6380".

username: string
The login username field name used for authentication. This should be set to the same value as the username field name in the POST body sent to the server and the username column name in the login user table.

password: string
The login password field name used for authentication. This should be set to the same value as the password field name in the POST body sent to the server and the password column name in the login user table.

success_redirect: string
The URL to redirect to after successful authentication. The default is the root URL (/).

failure_redirect: string|((req: express.Request, res: express.Response) => string)
The URL to redirect to after logging out, or when a logged-out user requests a URL that only logged-in users can access. This is usually the URL of the login page. The default is /login.

// Set the URL to redirect to in case of login failure as a string.
failure_redirect: '/login',

// Dynamically set the URL to redirect to on login failure.
failure_redirect: (req, res) => {
  // If the role stored in the cookie is admin, redirect to the admin login screen.
  return req.cookies.role === 'admin' ? '/adminlogin' : '/login';
},
authenticate_user: (username: string, password: string, req: express.Request): Promise<object|null>
This hook is called when authenticating a user. Find the user that owns the received username and password and return that user's information; if no such user exists, return null. The returned user information must include an ID value that identifies the user. The following example uses the user model to find the user that owns the credentials by username and password.

authenticate_user: async (username, password, req) => {
  const UserModel = require('../models/UserModel');
  // Matches the password column as stored. If the table holds password hashes,
  // look the user up by email only and verify the hash instead of matching the raw value.
  return UserModel.findOne({
    where: {
      email: username,
      password
    },
    raw: true
  });
}
subscribe_user: (id: number): Promise<object>
This hook is called when user authentication succeeds. Look up the authenticated user by the ID passed as the parameter and return the user information to be stored in the session. The returned data is set on the req.user property and in the view's session variable. The following example uses the user model to return the user information for the authenticated user's id.

subscribe_user: async (id) => {
  const UserModel = require('../models/UserModel');
  // Everything returned here ends up in req.user and the view's session variable,
  // so return only the fields the application needs there.
  return UserModel.findOne({
    where: {
      id
    },
    raw: true
  });
}
allow_unauthenticated: (string|RegExp)[]
By default, every request requires an authenticated user. Use the allow_unauthenticated option to disable this behavior for certain requests. For example, to skip authentication for all requests whose URL contains api, set allow_unauthenticated as follows.

allow_unauthenticated: ['/api']

You can also use regular expressions.

allow_unauthenticated: [/^\/api/]
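
As an added illustration (not Express Sweet's own matcher), the function below applies the matching described above, a string entry matching any URL that contains it and a RegExp entry matching when test() succeeds, to show that the anchored regular expression form is the narrower allow-list. The matching semantics are assumed from this description; check the framework's source before relying on them.

```javascript
// Added example, not Express Sweet's own code: assumed allow_unauthenticated
// matching (string = substring match, RegExp = test()) applied to sample URLs.
function isAllowedUnauthenticated(url, allowList) {
  return allowList.some(p => (p instanceof RegExp ? p.test(url) : url.includes(p)));
}

// The two configurations from the text.
const substringList = ['/api'];
const anchoredList = [/^\/api/];

// Returns which of the two lists would skip authentication for the given URL.
function compareLists(url) {
  return {
    substring: isAllowedUnauthenticated(url, substringList),
    anchored: isAllowedUnauthenticated(url, anchoredList),
  };
}

module.exports = { isAllowedUnauthenticated, compareLists };
```

A path such as /admin/api/keys is exempted by the substring form but not by the anchored one, so the RegExp form is the safer choice when only a top-level /api prefix should be public.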
expiration: number
Specifies the time, in milliseconds, before the session expires. The default is 24 hours (86400000 milliseconds).