Node with sails.js mvc framework, Using passport logins + token based security

How it works

Sails is an MVC framework for organizing Node applications built on Express. It provides structure for models, controllers, policies and adapters, and I use these to authenticate users. Sails also builds an API for the models we create and allows us to define our own routes. For the purpose of this project, I will not be using the view system Sails provides; instead I will use another Node server to stand in for a mobile client. In the future, it would be good to use a framework such as Yeoman to organize the client code.


We start by creating our user model. Sails makes this very easy to do; check the Sails documentation for the details. We add the fields we want, including our username and password fields.

We override the beforeCreate method of the model to salt and hash the incoming password with bcrypt. We also override the toJSON method to ensure we never send the salted, hashed password back to the client.


We next add an AuthController to the api/controllers directory. This file will handle authentication requests to the server. There are two authentication requests I have set up: login and logout. We use Passport's local strategy here to authenticate the user; the configuration of Passport is covered later on. If the user logs in successfully, we generate a token with jwt (jsonwebtoken) and attach the user object to it. This lets us determine whose token it is later on when the user makes a request. We must send this token back to the user to keep for themselves.

Logout is pretty straightforward. It's important to destroy the user's token but currently I don't.


We need to set up Passport to help check the user's credentials. We technically don't need Passport since we are not using session authentication, but I still use it so that the authentication strategy can be swapped out later. Passport setup is the same here as in any other app, except that we control our own password checking. We once again use bcrypt to hash the submitted password and compare it against the user's password hash stored in our database.


Policies are Sails' way of determining whether a request is allowed or not. There are two parts to this: the API side and the routing configuration. In the api/policies directory, we add a new policy for checking a user's token. The hasToken policy uses express-jwt to check the validity of the token and parse it back into the user object we passed to jwt earlier. For the jwt token authorization to work, the request must have a header called Authorization with a value of Bearer {token}. JWT uses bearer tokens, and express-jwt will take the token from this header and, if it is valid, allow the request through while setting the req.user variable.

The second part of policies is in config/policies. This is where we define which routes must pass which policies. For this app, we want every request to go through the token policy except for user registration (which Sails creates for us when we make our user model, and which is defined with create) and the authentication controller (for logging in).


Routes are how we tell Sails where to send the requests that fall outside the generated API. They are defined in config/routes. We want to tell Sails to forward our POST /login requests to AuthController.login and our GET /logout requests to AuthController.logout.


Sails allows us to set up how we handle CORS requests; this is configured in config/cors. Since the client is on a different server, we need to allow these requests, so I set allRoutes to true, allowing requests from all other domains. Since we are also using an Authorization header in our requests, we need to add authorization to the headers setting. This tells the server to allow the Authorization header on CORS requests.


Sails uses a dirty database to store objects by default. I'd rather use Mongo to store my objects. Luckily, Sails uses Waterline adapters, allowing us to plug in any database we want. By installing sails-mongo and changing the settings in config/adapters we can very easily set up Sails to use a Mongo database.

And that's it

This token-based authentication system will allow us to use the API that Sails builds for us to its full extent without having to rely on sessions to stay authenticated. We can now keep users authenticated across multiple devices over a long period of time.

