I'm working on a MERN project and I’m now on the authentication part of it. I originally planned on using JWT because I’ve never used it before, but after reading more into JWT it seems that it’s not secure. I have used Passport before and believe it’s considered to be more secure. Also, I have read in certain articles that JWT and Passport can be used together.
What would be a good example for each option?
I think I will switch over to Passport and get rid of JWT, but should I consider finding a way to use both? Would it be overkill? Should I just use Passport alone?
If using both is a good idea do you know of a tutorial for a MERN project?
Is there another method I should consider? Any references or tutorials?
JWT isn’t an auth mechanism itself, it’s just a standardised way to securely exchange credentials in the form of a [json-encoded] token. It is something you use as the basis for an authorisation (or authentication) strategy.
Passport is a way to dump basically any given authorisation strategy into a Node app as middleware, just a way of avoiding having to manually wire everything together yourself and also allowing you to add/remove/swap out strategies. Passport itself doesn’t do {auth thing} on its own.
So e.g. you could integrate some JWT-based auth strategy into your Node app using Passport.
I can’t recommend anything specifically, but if you Google “node passport jwt”, there are a vast number of results which seem to fit exactly what you’re asking for.
Passport is used by installing the base library + a plug-in or plugins for the strategy/strategies you want to use. There are hundreds of strategy plugins, the basic JWT one is one of the most popular by the looks of things.
Just as an aside, learn how to set this stuff up, but if you have a real thing with real users then just use an auth provider if you can (for example, Google’s Firebase). An auth flow using the basic primitives, done properly, in a real app, for an organisation, tested etc.: that’s gonna be maybe ~3 months of work. A turnkey solution using a trusted provider is maybe going to take a day or two, and you can be extremely confident that it’ll work.