First of all, I did not find similar questions or materials that would be useful. Sorry if I missed something!
Secondly, I'm not interested in ready-made solutions like node -passport or connect-auth or everyauth
Now to the question. I use Redis to store express sessions. My question is when a user authenticates (i.e., after a username and password were recorded and such a user was found in the collection), what should I store in the session?
I can store the entire user object (for example, as it came from MongoDB). One drawback that I see is that when the user is modified in the database (he edited his profile), I have to “re-install” the user object in the session. This becomes even more complicated if, for example, the user profile is changed by the administrator - in this case, the session has no idea that the user has been changed and his data must be updated from the database, so the outdated user object is currently in the sessions. which will only be updated the next time the user logs in.
Create the hash => userid collection and save only the hash in the session. Then each request calls the middleware that will check (the pseudo-code below skipped checking for a non-existing hash, in this case the user can be considered unregistered from the moment the session ends):
if (userhash in req.session) res.local.user = db.users.findById (db.sessions.findUserIdByHash (req.session.userhash));
Well, the obvious drawback of this method is the additional storage (i.e. mongodb) or key => value (i.e. redis) storage for hash => userid, which also requires some procedure to clear old session hashes (scheduled task \ cron which will start and delete old expired hashes).
, # 2, 3-d party/key = > User MongoDB. , , collection/redis, - . , , " ", 3- , User MongoDB ( User ).
Node -js, . , , .
!