criz criz - 10 months ago 73
Node.js Question

Why do I need to deserialize user at each request with PassportJS?

I'm sure that there will be an obvious answer, but I didn't find any solution either in the official documentation or anywhere on the internet.

With Passport.js we have to define two methods, one to serialize and one to deserialize the user session.

From official documentation I read:

Only the user ID is serialized to the session, keeping the amount of data stored within the session small. When subsequent requests are received, this ID is used to find the user, which will be restored to req.user

My first question concerns the term Serialization, according to Wikipedia:

Serialization is the process of translating data structures or object state into a format that can be stored

But in a world made exclusively by Javascript, since users are objects and objects are native, why are we serializing? We could store the whole object in session, what forbids it?

Then, deserializing is a process that needs a large amount of resources, because of interacting with the database. So, why execute a deserialization on every request? Couldn't we do it only once and keep the result for further requests?

I read a lot about PassportJS, and I'm able to implement a login system, but I'd like to clarify these obscure aspects.
Thank you.

Answer Source

As you say, the only user data persisted in the session is the user id. If you wanted to cache the deserialisation of user ids to users then you'd have to maintain that yourself (presumably in memory, as you're concerned about the time to retrieve the data). The problem with this is that you then have to invalidate/update that cache on any operations which update the user (perhaps the user changes their email address or password) otherwise you risk having outdated data on req.user.

You implied you're working with a database (rather than an in-memory store like Redis) and are worried about the performance implications of fetching the user from the database on every request. It's impossible to be certain without knowing more about your particular setup, but I think your concerns are likely to be unfounded - a single call to fetch a user record based on an ID (which databases are well-optimised for - the primary key index on a SQL-based db, for instance) shouldn't add any significant latency to a request.
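The trade-off the answer describes, as an added example that is not part of the original question or answer: Passport-style serialize/deserialize functions against a constructed in-memory user store (the `findUserById` store, `updateUserEmail` and the cache are hypothetical, not Passport APIs), showing that a per-process cache of deserialized users serves stale data on req.user unless every update path evicts the cached entry.

```javascript
// Constructed in-memory "database" standing in for a real DB lookup.
const db = new Map([
  [1, { id: 1, username: 'criz', email: 'criz@example.com' }],
]);
let dbReads = 0; // counts simulated DB round-trips

// Simulated DB query by primary key; returns a copy, as a driver would.
function findUserById(id, cb) {
  dbReads += 1;
  const row = db.get(id);
  cb(null, row ? { ...row } : false);
}

// What Passport stores in the session: only the id, not the whole object.
function serializeUser(user, done) {
  done(null, user.id);
}

// Plain deserializer: one DB read per request, always fresh.
function deserializeUser(id, done) {
  findUserById(id, done);
}

// Cached variant: saves the DB read, but must be invalidated on updates.
const userCache = new Map();
function deserializeUserCached(id, done) {
  if (userCache.has(id)) return done(null, userCache.get(id));
  findUserById(id, (err, user) => {
    if (!err && user) userCache.set(id, user);
    done(err, user);
  });
}

// Hypothetical update path; evictCache=false models a forgotten invalidation.
function updateUserEmail(id, email, { evictCache = true } = {}) {
  const row = db.get(id);
  if (!row) return false;
  row.email = email;
  if (evictCache) userCache.delete(id);
  return true;
}

// Demo helper: run a deserializer and return what would land on req.user.
// Works synchronously only because the constructed store calls back synchronously.
function restoreUser(deserializer, id) {
  let result;
  deserializer(id, (err, user) => { if (err) throw err; result = user; });
  return result;
}
```

Calling `updateUserEmail(1, 'x@example.com', { evictCache: false })` and then `restoreUser(deserializeUserCached, 1)` returns the old address, while `restoreUser(deserializeUser, 1)` always reflects the database.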