Congratulations on creating an authentication system in node.js

using Express and Mongo DB.

Now I've covered a lot of concepts and we've written a lot of code.

There's even more to explore in the realm of authentication.

Too much to cover in a single course.

However in this video, I'll highlight some different options you could use to add

authentication to your apps.

There are a collection of links in the teacher's notes for

you to reference after this video.

First, I want to make note of how we can improve the security of our application.

When a user is logging in, you don't want their username and

password transferred freely from their browser to your server.

Someone along the way can intercept the traffic and get those credentials.

The same is true when a user signs up, disclosing personal or

financial information.

On any site that uses authentication, you should serve your site via HTTPS.

The S on the end stands for secure because it uses TLS, or transport layer security.

This means that the data being transferred is encrypted.

Which prevents our users' information, from being intercepted and deciphered.

In fact, these days many sites use HTTPS for all requests and

responses, not just for form data.

To use HTTPS you'll need to acquire a certificate signed by a trusted source to

verify the security of the website.

You can get a certificate for free from Let's Encrypt.

Check the teacher's notes for a link to their website.

It requires some set up on your server to use your free certificate.

They explain how on their website.

In addition, there are other ways to add authentication to an expressed site.

The cookies and sessions method we created is just one way, but

there are many others.

For example,

you can add authentication to a site using what's called token based authentication.

When a user submit their credentials to log into the website,

the server responds with a token that allows a user to request various resources

without submitting their username and password again.

That token can then be offered to the server with each subsequent request

to allow the user to gain access to a specific resource.

If you've ever signed in to a site using your GitHub, Facebook or

Google account, you've used token-based authentication.

It's another way of gaining the functionality we achieved with

sessions and cookies.

Instead of using a session ID to look in the session object for

our users information, we can access it from a token generated by the server.

Two popular approaches to token-based authorization are o-op and

JSON web tokens.

You can find more information about each in the teacher's notes.

Finally, another popular option for

adding authentication to an express app is Passport.

Passport is middleware that supports a wide variety of authentication strategies.

You can include the passport middleware and

authenticate with a username and password.

Passport also lets users sign up and log in using third party sites like GitHub,

Twitter, Facebook, Google, and Instagram among many others.

After you install the passport package and require it in app.js, you can then

use the middleware to authenticate with the strategy of your choice.

There are many options available for

customizing an authentication strategy with Passport.

And you can see how to implement Passport via their documentation.

Check the teachers notes for more information on it and

a link to a treehouse workshop.

Now you know more about authentication, sessions, cookies, encryption, and

how to use Express middleware.

Thanks for joining me in this course.

Have fun and keep programming