Session-based authentication in Sails

Summary

In this section, we address the security concern of unauthorized users being able to create or delete articles in our blog application. To prevent this, we implement a basic authentication system:

1. Create a user model: We generate a User model with email and password fields, ensuring the email is unique.

2. Set up a default admin user: Using bootstrap.js, we create a default admin user when the application starts if no users exist.

3. Build a login system:

   • Create a login page (login.ejs) with a form for email and password.

   • Implement a login action to authenticate users and set a session upon successful login.

4. Test the login flow: Verify that the session is set correctly after logging in.

This sets the foundation for adding authorization checks in the next lesson to restrict access to sensitive actions like creating or deleting articles.

Transcript

Hey, as we’re wrapping up this course, there’s something that still bugs me. If you visit our blog right now—let’s open it in Firefox and go to localhost:1337—you’ll see that anyone can add or delete articles. If we deploy this blog as-is, anyone on the internet could do the same. To prevent this, we need to set up a default password for the blog owner, allowing only authorized users to create or delete articles.

Here’s how we’ll do it:

1. Create a user model:

   • Run sails generate model user.

   • Define the User model with email (type string, unique) and password (type string, required).

   // In api/models/User.js  
   module.exports = {  
     attributes: {  
       email: { type: 'string', required: true, unique: true },  
       password: { type: 'string', required: true }  
     }  
   };  

2. Set Up a default admin user:

   • In config/bootstrap.js, add logic to create a default admin user if no users exist:

     await User.create({  
       email: 'admin@blog.com',  
       password: 'password'  
     });  

3. Build a login page:

   • Create a login.ejs file in views/pages/user/.

   • Add a form to submit email and password to /user/login.

   <h1>Admin Login</h1>  
   <form action="/user/login" method="POST">  
     <input type="text" name="email" placeholder="Email Address">  
     <input type="password" name="password" placeholder="Password">  
     <button type="submit">Login</button>  
   </form>  

4. Implement the login action:

   • Generate the login action: sails generate action user/login.

   • In login.js, authenticate the user and set a session:

     const { email, password } = inputs;  
     const adminUser = await User.findOne({ email });  
     
     if (!adminUser) {  
       return exits.notFound('User not found');  
     }  
     
     if (adminUser.password === password) {  
       this.req.session.userId = adminUser.id;  
       return exits.success({ redirect: '/' });  
     }  

5. Test the login flow:

   • Run sails lift and navigate to /login.

   • Enter the admin credentials (admin@blog.com, password).

   • Verify the session is set by checking this.req.session.userId.

Next Steps:

• In the next lesson, we’ll add authorization checks to restrict access to sensitive actions (e.g., creating or deleting articles) to logged-in users only.

This sets up a basic authentication system, ensuring only authorized users can perform critical actions