Implementing Secure User Registration in a Node.js Application PDF

Summary

This document describes the implementation of a secure user registration process in a Node.js application. It focuses on the backend implementation using Express, Prisma, and bcrypt and covers steps like database schema updates, password hashing, and data validation. The document provides code examples and best practices, making it a helpful guide for developers focusing on secure user registration.

Full Transcript

Implementing Secure User
Registration in a Node.js
Application

Introduction
This guide covers the implementation of a secure user registration process in a
Node.js application using Express, Prisma, and bcrypt. The focus is on the
backend, where most security measures are implemented. This is the first part
of a series covering:

1. User Registration (current focus)

2. Authentication (verifying user access to the backend API)

3. Authorization (determining user permissions for content and operations)

4. Securing Network Traffic (making HTTP requests and responses safer)

Overview of the User Registration Process
The user registration process involves several steps to ensure security and
data integrity:

1. Client Request: The client sends a POST request to the /users/sign-up

endpoint with user details.

2. Username Check: The server checks if the username already exists in the
database.

3. Input Validation: The server validates the input data.

4. Password Hashing: The server hashes the password using bcrypt.

5. Database Storage: The server stores the user data in the database.

6. Response: The server returns a success message and the user data
(including the hashed password) to the client.

Step-by-Step Implementation

Implementing Secure User Registration in a Node.js Application 1
 1. Updating the Database Schema
Modify Prisma Schema: Add a password field to the User model in
schema.prisma.

model User {
id Int @id @default(autoincrement())
username String @unique
password String
firstName String
lastName String
email String
// Relationships with Lecturer and Student models, if
any
}

Regenerate Prisma Client: Run the migration to update the database
schema and regenerate the Prisma client.

npx prisma migrate dev --name add_password_field

2. Updating the Domain Model
Add Password Field: In the User domain object ( user.ts ), add the password

field and include it in the constructor.

class User {
// Existing properties
password: string;

constructor(user: UserInput) {
this.username = user.username;
this.password = user.password;
this.firstName = user.firstName;
this.lastName = user.lastName;
this.email = user.email;
// Additional initializations
}

Implementing Secure User Registration in a Node.js Application 2
 validate(): void {
// Validate password
if (!this.password?.trim()) {
throw new Error('Password is required.');
}
// Existing validations
}
}

Validation Logic: Ensure that the password is provided and is not just
whitespace.

Use optional chaining ( ?. ) to safely call trim() on potentially undefined
values.

3. Updating the Data Access Layer (DAL)
Modify createUser Method: In user-database.ts , update the createUser method
to include the password when creating a new user.

async createUser(user: User): Promise {
try {
const userPrisma = await prisma.user.create({
data: {
username: user.username,
password: user.password,
firstName: user.firstName,
lastName: user.lastName,
email: user.email,
},
});
return User.fromPrisma(userPrisma);
} catch (error) {
console.error(error);
throw new Error('Database error');
}
}

Error Handling: Use a try...catch block to handle potential database errors.

Implementing Secure User Registration in a Node.js Application 3
 Log the error for debugging purposes.

Throw a general error to prevent leaking technical details to the client.

4. Implementing Password Hashing with bcrypt
Install bcrypt : Add the bcrypt library to your project.

npm install bcrypt

Hash Password in Service Layer: In user-service.ts , hash the user's
password before creating the user.

import bcrypt from 'bcrypt';

async createUser(userInput: UserInput): Promise {
// Check if user already exists
const existing = await userDb.getUserByUserName(userIn
put.username);
if (existing) {
throw new Error(`User with username ${userInput.user
name} is already registered.`);
}

// Hash the password
const hashedPassword = await bcrypt.hash(userInput.pas
sword, 12); // 12 salt rounds

// Create domain user object
const newUser = new User({
username: userInput.username,
password: hashedPassword,
firstName: userInput.firstName,
lastName: userInput.lastName,
email: userInput.email,
});

// Save to database

Implementing Secure User Registration in a Node.js Application 4
 return await userDb.createUser(newUser);
}

Salt Rounds: Use 12 salt rounds for a good balance between security
and performance.

Emphasize Domain Layer: Always create a valid domain object before
interacting with the database.

5. Updating the Controller Layer
Handle Sign-Up Endpoint: In user.routes.ts , implement the POST /sign-up

endpoint.

router.post('/sign-up', async (req, res, next) => {
try {
const userInput: UserInput = req.body;
const user = await userService.createUser(userInpu
t);
res.status(200).json(user);
} catch (error) {
next(error); // Pass the error to the global error h
andler
}
});

Avoid Validation in Controller: Do not perform validation in the controller; it
should be done in the domain layer.

6. Implementing Global Error Handling
Use Express Error Handling Middleware: In app.ts , add a global error
handler to catch all unhandled errors.

app.use((error, req, res, next) => {
res.status(400).json({
status: 'Application error',
message: error.message,
});
});

Implementing Secure User Registration in a Node.js Application 5
 Error Propagation: By calling next(error) , errors propagate through
middleware until they reach the global handler.

Future Enhancements: Plan to handle different error types (e.g.,
authentication errors) in the global handler.

7. Testing the Implementation
Start the Backend Server:

npm run dev

Use Swagger or Postman: Test the POST /users/sign-up endpoint.

Example Request Body:

{
"username": "johndoe",
"password": "SecurePass123",
"firstName": "John",
"lastName": "Doe",
"email": "[email protected]"
}

Verify Successful Registration:

Expected Response (status 200 ):

{
"id": 1,
"username": "johndoe",
"password": "$2b$12$...",
"firstName": "John",
"lastName": "Doe",
"email": "[email protected]"
}

The password should be hashed (e.g., starts with $2b$12$ ).

Test Duplicate Username Handling:

Send the same registration request again.

Implementing Secure User Registration in a Node.js Application 6
 Expected Response (status 400 ):

{
"status": "Application error",
"message": "User with username johndoe is already r
egistered."
}

8. Updating API Documentation
Swagger Documentation: Ensure that your API documentation (e.g.,
Swagger) is updated to include the password field in both request and
response schemas.

Request Schema ( UserInput ):

UserInput:
type: object
required:
- username
- password
- firstName
- lastName
- email
properties:
username:
type: string
password:
type: string
firstName:
type: string
lastName:
type: string
email:
type: string

Response Schema ( User ):

Implementing Secure User Registration in a Node.js Application 7
 User:
type: object
properties:
id:
type: integer
username:
type: string
password:
type: string
firstName:
type: string
lastName:
type: string
email:
type: string

Best Practices and Considerations
Password Security: Always hash passwords before storing them. Never
store plain-text passwords.

Input Validation: Perform validation in the domain model to ensure data
integrity.

Error Handling: Use a global error handler to manage errors consistently
across the application.

Separation of Concerns: Keep your application layers (domain, data
access, service, controller) well-defined and avoid mixing responsibilities.

Logging: Implement proper logging (e.g., to files or monitoring systems) for
production applications.

Future Enhancements:

Implement authentication and authorization mechanisms.

Secure network traffic using HTTPS and other best practices.

Conclusion

Implementing Secure User Registration in a Node.js Application 8
 By following these steps, we've successfully implemented a secure user
registration process with password hashing. This foundational work enhances
the security of our application and prepares us for implementing authentication
and authorization in subsequent lessons.

Next Steps:

Authentication: Implement user login functionality and verify passwords
using bcrypt.compare().

Authorization: Define user roles and permissions to control access to
resources.

Securing Network Traffic: Implement HTTPS and other security measures
to protect data in transit.

Implementing Secure User Registration in a Node.js Application 9