# Support for passwordless authentication with passport

23 messages · Page 1 of 1 (latest)

keen bobcat
#

Hello, I am using NestJS and Passport for my authentication. I am having trouble creating sessions and dealing with authentication with my custom strategy. I use only email as a login and the user verifies the login by getting a code sent to their email.

The problem I am having is once the user is verified the session does not get set because I am using a custom local strategy. I am wondering how I can replicate the super.logIn function in the localAuthGuard that extends the Local strategy from passport.

tender notch
# keen bobcat Hello, i am using nest js and passport for my authentication. I am having troubl...

In this tutorial video we take a look at the steps to implement passwordless authentication via magic links using NestJS and PassportJS.

00:00 - Passwords are terrible
01:15 - Project setup
02:25 - Users Service
03:40 - API design
06:43 - passport-magic-login intro
08:14 - Magic Login Strategy
14:53 - Auth Service validate user
17:10 - Complet...

languid bough
#

I'd also suggest Passport isn't even needed for this kind of login process. Passport, in effect, only makes the creation of the process harder.

tender notch
#

yeah, all you need is to gen a token for the user and check against it on the endpoint

keen bobcat
#

Thank you for the reply, appreciate it! I want to add session authentication and replace it with my jwt authentication for my app. The reason for that is I have read online that sessions are better and more scalable and so on...

Thanks again! I'll look into the video

#

I've looked into the video, I have managed to create passwordless authentication in my app but I wanted to switch from JWT to sessions and was just wondering how to best implement sessions with nest js

#

New to nest js so apologies if I say anything stupid 😅

errant plank
keen bobcat
#

How did you set the session?

errant plank
keen bobcat
#

I would really appreciate it if you could share your code for a login route and logout route, also the initializer for the main.ts for sessions. Also, do you save your sessions in your database?

errant plank
# keen bobcat I would really appretiate if you could share you code for a login route and logo...

spoon feeding isn't always the answer
what would you learn from me giving the answers just for you to copy it?
the process is easy once you understand it
you need 3 routes

  • route that creates the magic-link and sends it to the user
    you can use something like a notification email or something else

  • route to verify the token that was included in the link (jwt is great for this)
    once verified set the login cookie, the @Session() decorator is great for this

  • use session.destroy() to log the user out
    you can even blacklist the session id before it is destroyed
    also good to regenerate the session to avoid session fixation

keen bobcat
#

Thank you again!

errant plank
# keen bobcat Thank you again!

magic-links aren't really magic
it's just a url with a token put in a url param/query
that links back to the verify route where it is verified, and when it is valid you can use your choice of auth, I just use sessions
so make sure your verify route is a Get

you could put a route like verify/:token in your controller
using a url param as an example

and for your request endpoint just send them a link to this verify route that includes a token you generated
jwt is a great option to use as this token as it can be created and verified, as well as checked for whether it has expired or not
and you can even save data in it

hope that clears up a few things

keen bobcat
#

Yeah it does

#

But do you save the jwt as a cookie client side?

#

i meant server side

#

I am having trouble saving the cookie server side with cookie parser...

#

It's really frustrating, I get everything to work on localhost but when I deploy my FE on Vercel and BE on Railway the cookie cannot be set

#
  response.cookie('jwt', accessToken, {
    domain,
    maxAge: 15 * 60 * 1000,
    httpOnly: env === 'prod',
    secure: env === 'prod',
    sameSite: false,
  });

errant plank
#

if you ask me jwt is overkill for auth
unless you want to use micro services
but that's how i see jwt as auth

keen bobcat
#

Thanks for the response! Appreciate you taking the time 🙂