Authentication

STEP 1: USER VISITS LOGIN PAGE
─────────────────────────────────
GET /login
getLogin controller executes
├─ Check req.session.userId exists?
│ ├─ YES → isLoggedIn = true
│ └─ NO → isLoggedIn = false
Render login.ejs with isLoggedIn flag
User sees login form
STEP 2: USER SUBMITS CREDENTIALS
─────────────────────────────────
POST /login (email + password in body)
postLogin controller executes
├─ Query User table: WHERE email = req.body.email
│ ├─ NO MATCH → Log the failure, redirect /login
│ │   (still run bcrypt.compare against a dummy hash on this branch, so an
│ │   unknown email and a wrong password take the same time; otherwise the
│ │   response time tells an attacker which emails exist)
│ └─ MATCH → Proceed to password check
Validate password: bcrypt.compare(req.body.password, user.password)
├─ FALSE → Password incorrect, redirect /login (same generic outcome as NO MATCH)
└─ TRUE → Proceed to session creation
Regenerate session (prevent session fixation: the pre-login session id, which
an attacker may have planted in the browser, is discarded and a new id issued)
req.session.regenerate((err) => { ... })
Store userId in session (inside the regenerate callback, because regenerate
replaces req.session with a new, empty object)
req.session.userId = user.id
Save session to MySQL store
req.session.save((err) => { ... })
Redirect to home (/)
res.redirect('/')
STEP 3: AUTHENTICATED USER MAKES REQUEST
──────────────────────────────────────────
GET / (or any route)
Express-session middleware runs
├─ Read session cookie from browser
├─ Look up session in MySQL store
├─ Populate req.session.userId
└─ Pass control to next middleware
App-level middleware (app.js line ~66)
Check req.session.userId exists?
├─ YES → Fetch user from DB: User.findByPk(req.session.userId)
│ ├─ Row found → Cache in req.user object
│ │   Derive res.locals.isLoggedIn = true
│ │   Derive res.locals.isAdmin = user.isAdmin (read from the DB on every
│ │   request, never stored in the session, so revoking admin takes effect
│ │   on the user's next request)
│ │   Pass res.locals.user = { id, name, email } to views (never the password hash)
│ └─ No row (user deleted after login) → treat as anonymous, same as NO below
└─ NO → Set res.locals.user = null
Set res.locals.isLoggedIn = false
Set res.locals.isAdmin = false
Route handler executes
(user data available in req.user for logic, res.locals for templates)
If PUBLIC route (e.g., GET /) → Allow all users
If PROTECTED route (e.g., /my/cart) → Check before executing
├─ res.locals.isLoggedIn === false?
│ └─ YES → Reject, redirect /login
└─ NO (user is logged in) → Allow, execute handler
If ADMIN route (e.g., /admin/write) → Check before executing
├─ res.locals.isAdmin === false?
│ └─ YES → Reject, redirect / (or 403 error)
└─ NO (user is admin) → Allow, execute handler
(both checks live in route-level middleware placed before the handler, so the
handler cannot run without them; hiding links in templates is not a control)
Handler sends response
├─ EJS templates can access: user, isLoggedIn, isAdmin
└─ JSON APIs can access: req.user
Browser receives response + session cookie (if modified, renewed)
STEP 4: USER LOGS OUT
──────────────────────
POST /logout (usually from button/form)
postLogout controller executes
Destroy session
req.session.destroy((err) => {
// Session row removed from MySQL store
// The cookie is NOT cleared by destroy(): the browser keeps sending it until
// it expires or is overwritten, but the id it carries no longer matches any
// stored session. Call res.clearCookie('connect.sid') (or the configured
// cookie name) here if you want it removed immediately.
})
Redirect to home (/)
res.redirect('/')
Next request
├─ Cookie absent, or names a session that is no longer in the store →
│  express-session issues a fresh, empty session
├─ req.session.userId = undefined
├─ User treated as anonymous
└─ res.locals.isLoggedIn = false, res.locals.isAdmin = false


STEP 5: SESSION EXPIRATION (BACKGROUND)
────────────────────────────────────────
Session maxAge timeout occurs
(e.g., cookie.maxAge = 7 days set in app.js; express-mysql-session copies the
cookie's expiry into the row's expires column, so cookie and row age together)
express-mysql-session's cleanup job
(clears rows whose expires has passed; runs every checkExpirationInterval,
default 15 minutes, so an expired row can linger in the table until the next run)
Old sessions deleted from MySQL store
User's next request has invalid session cookie
├─ Browser has already dropped the cookie (maxAge reached), or the cookie
│  points to a non-existent session
├─ req.session.userId = undefined
└─ User auto-logged out