I am using :
- Node.js
- Express 4.0
- Passport.js
- Google OAuth 2 for Authentication
For each user, I store in a MySQL DB (I don't have the choice regarding this technology) some info from his Google Profile (email etc.), access & refresh tokens, and also additional info that the user provides when he registers on my app.
I have seen different uses of passport.js, specifically regarding how that info is stored in session.
On passport.js's configure page, I don't really understand the point of the following block of code:

```javascript
passport.deserializeUser(function(id, done) {
  User.findById(id, function(err, user) {
    done(err, user);
  });
});
```
Basically, each time the user makes a request, or visits a page, there's a request to the DB and information is retrieved. What is the point? It slows the app a lot. Shouldn't the info from the DB be retrieved when `serializeUser` is called (i.e. when the info is stored in session)?

I have read that storing too much info in `session` can slow the app. What is "too much"? How much will it slow the app? Does someone know if there are tests somewhere? My app's pages require a different set of data about my user (for example, the homepage will only need his name whereas the profile page will need everything, another page will need to know what cars he owns etc.). Should I store all that info in `session` when `passport.authenticate` checks if the user exists in the DB (thus limiting read-requests to the DB to approximately one), or only store in session his id and have my pages make additional requests to the DB when necessary?

Another issue I have: in the registration process, I first have the user log in on his Google Account, I store his profile's details somewhere, have him fill a form for additional info, and then I insert everything in the DB. The problem is I don't know how to properly store his Google Account details until they are inserted into the DB. For the moment, I store them in `session`, and then delete that when the insertion is successful. More specifically, when no existing user is found in my DB, I do, in my `passport.authenticate` callback:

```javascript
return done(null, false, userInfo);
```

Thus, the user is not authenticated and I have 2 issues: I have to store that `userInfo` somewhere until the user is registered, and I have to log him "manually" using `req.login()` after the registration is complete. Should I allow him to be authenticated as soon as he logs in on his Google Account? Wouldn't that cause security issues for me if he does not complete his registration?
- Lastly, I have read about using Redis. Would that help me with these issues?
Thank you very much !
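As an added example (not code from the question or from Passport itself), here is the serialize/deserialize split the question asks about, run against a constructed in-memory table standing in for the MySQL users table: the session holds only the user id, `deserializeUser` rebuilds `req.user` on each request, and access/refresh tokens are stripped before they reach `req.user`. The `findById` stand-in, the short-TTL cache and the `simulateRequests` helper are assumptions of this example, used to make the per-request DB cost visible.

```javascript
// Added example, not from the question or from Passport: the serialize/deserialize
// split, with a constructed in-memory table standing in for the MySQL users table.
const usersTable = new Map([
  [42, { id: 42, email: 'alice@example.com', name: 'Alice', cars: ['Civic'],
         accessToken: 'at-CONSTRUCTED', refreshToken: 'rt-CONSTRUCTED' }],
]);
let dbReads = 0; // counts simulated SELECTs so the cost per request is visible

// Stand-in for User.findById (hypothetical); synchronous so the file runs offline.
function findById(id, done) {
  dbReads += 1;
  done(null, usersTable.get(id) || null);
}

// serializeUser: only the primary key goes into the session store.
function serializeUser(user, done) {
  done(null, user.id);
}

// Short-lived cache in front of the DB (assumption of this example). A short TTL
// bounds how long a deleted or suspended account keeps a working session.
const CACHE_TTL_MS = 30 * 1000;
const cache = new Map(); // id -> { user, expires }

// deserializeUser: rebuild req.user from the id on every request. Tokens are
// stripped so they never travel in req.user or get templated into pages.
function deserializeUser(id, done, now = Date.now()) {
  const hit = cache.get(id);
  if (hit && hit.expires > now) return done(null, hit.user);
  findById(id, (err, row) => {
    if (err) return done(err);
    if (!row) { cache.delete(id); return done(null, false); } // row gone => session invalid
    const { accessToken, refreshToken, ...safeUser } = row;
    cache.set(id, { user: safeUser, expires: now + CACHE_TTL_MS });
    done(null, safeUser);
  });
}

// Simulates n requests from one session, spacingMs apart; returns DB reads and req.user.
function simulateRequests(sessionUserId, n, spacingMs = 1000) {
  dbReads = 0;
  cache.clear();
  let lastUser = null;
  for (let i = 0; i < n; i++) {
    deserializeUser(sessionUserId, (err, user) => { if (err) throw err; lastUser = user; }, i * spacingMs);
  }
  return { dbReads, user: lastUser };
}
```

With the cache, ten requests within the TTL cost one DB read; once the TTL lapses or the row disappears, the next request hits the DB again and a missing row invalidates the session by returning `false`.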