Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
498 views
in Technique[技术] by (71.8m points)

passport.js - What are the differences between local Basic and Digest strategy in passportjs

I understand the difference between Passport.js' Basic and Digest authentication, but what is the difference between the local strategy and Basic or Digest? In all three, you enter a username and password. Is the Basic strategy a type of user & password authentication? Please clarify.

question from:https://stackoverflow.com/questions/19187345/what-are-the-differences-between-local-basic-and-digest-strategy-in-passportjs

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If I understand correctly, the differences between the Local, Basic and Digest strategies in Passport.js are subtle but important. Here's the rundown:

Local (passport-local)

Passport's local strategy is a simple username and password authentication scheme. It finds a given user's password from the username (or other identifier) and checks to see if they match. The main difference between the local strategy and the other two strategies is its use of persistent login sessions. This strategy should be used over SSL/TLS.

Basic (passport-http)

The Basic strategy implemented by Passport looks nearly identical to the local strategy, with one subtle difference. The basic strategy is to be used with API endpoints where the architecture is stateless. As a result, sessions are not required but can be used. This strategy should also use SSL/TLS. The session flag can be set like so:

app.get('/private', passport.authenticate('basic', { session: false }), function(req, res) {
  res.json(req.user);
});

Digest (passport-http)

The digest strategy is subtly different than the other two strategies in that it uses a special challenge-response paradigm so as to avoid sending the password in cleartext. This strategy would be a good solution when SSL/TLS wouldn't be available.

This is a good article on Basic vs. Digest: How to Authenticate APIs

Note: All three strategies make session support optional. The two passport-http strategies allow you to set the session flag while the Passport docs say this, regarding the passport-local strategy:

Note that enabling session support is entirely optional, though it is recommended for most applications.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...