I had a hard time wrapping my head around it.But this is what i got, hope it saves your time.
There are two ways you could interact with the server to provide access to restricted information which requires authentication.
1.cookies and 2.sessions
Long story short- cookies are unsafe as it remains on the client side and can be accessed and manipulated.
But when it comes to sessions the session id (to be explained) gets saved in the server, thus making it a safe bet.
This is how the process goes with the passport middleware:
- Login info passed (username & password)
- Passport Authenticate(local strategy) gets executed to check if username and password is valid.
- DONE callback with Null (no error) and USER(from database) will be returned ? if username and password is VALID.
4.SERIALIZE
When Authentication is valid SERIALIZE METHOD IS EXECUTED (to begin a session) (which uses whatever parameter is passed in the definition of the method ) usually User.id is saved and is verified each time a request is sent.
passport.serializeUser(function(user, done) {
done(null, user._id); })
In the above method, user object is passed and user._id is saved as a key in the server.
This means that this key(user.id) would be used to maintain the session.
This is done by saving the user._id in the req.passport.session.user ={_id : …}….(explained after Deserialize)
5.DESERIALIZE
Serialize method is executed only once after authentication, and later on, for subsequent requests the DESERIALIZE METHOD gets executed which maintains the session in which the User.id is passed to maintain the session as illustrated below. ( till the browser is open*) .
passport.deserializeUser(function(id, done){…})
user object is returned in the callback and is attached to the request as req.user.
AUTHENTICATION / NO AUTHENTICATION:
Do you remember the passport.initialize middleware and the passport.session middleware in App.js
The passport.initialize middleware is executed on every request.
After which the passport.session middleware would look for a serialized user on the server.
If no user authentication has been done an empty object is created (req.session.passport.user) where the serialized user would be loaded.
req.session.passport.user = {}.
But when authentication has been done and Passport.Authenticate has returned a VALID USER in the done callback (username and password match case), then
req.session.passport.user = user._id
User._id is passed to req.session.passport.user
This Id will be present attached to the session (req.sesssion.passport.user) when passport.initialize is executed the next time in subsequent requests.
After initialize method finds the id in the session it performs the deserialize method & the User information is loaded to the request through req.user .
Please do suggest edits or additions to this answer.-PVTHOMAS
