When it comes to designing a website that supports your business goals, you want as many people to access your content as you can, at the same time a sound security strategy with both authentication and authorization is required so you can consistently verify who every user is, and what they have access to do.
For that creating users and allowing them to log in and out of your web apps is a crucial functionality that we are finally ready to learn!
Authentication & Authorization
Describe what it means for user to be authorized
Describe the purpose and benefit of encryption
Differentiate between encryption and hashing
Describe what a hash is and explain the importance of password hashing.
bcrypt library and its use, bcrypt’s compare function.
Define tokens, sessions, and cookies
What is JWT? JSON Web Token structure : Header, payload and signature
Authentication vs Authorization
While authentication and authorization are often used interchangeably, they are separate processes used to protect an organization from cyber-attacks. As data breaches continue to escalate in both frequency and scope, authentication and authorization are the first line of defense to prevent confidential data from falling into the wrong hands.
So simply we can say that Authentication and authorization are used in security, particularly when it comes to getting access to a system. Yet, there is a significant distinction between gaining entry into a house (authentication) and what you can do while inside (authorization).
What is Authentication
Authentication is the process of verifying a user’s identification through the acquisition of credentials and using those credentials to confirm the user’s identity. The authorization process begins if the credentials are legitimate. The authorization process always follows the authentication procedure.
You were already aware of the authentication process because we all do it daily, whether at work (logging into your computer) or at home (logging into a website). Yet, the truth is that most “things” connected to the Internet require you to prove your identity by providing credentials.
What is Authorization
Authorization is the process of allowing authenticated users access to resources by determining whether they have system access permissions. By giving or denying specific licenses to an authenticated user, authorization enables you to control access privileges.
So, authorization occurs after the system authenticates your identity, granting you complete access to resources such as information, files, databases, funds, places, and anything else. That said, authorization affects your capacity to access the system and the extent to which you can do so.
Encryption && Hashing
What is encryption?
In general Encryption is the method by which information is converted into secret code that hides the information’s true meaning. The science of encrypting and decrypting information is called cryptography.
Encryption scrambles your password so it’s unreadable and/or unusable by hackers. That simple step protects your password while it’s sitting in a server, and it offers more protection as your password zooms across the internet.
Imagine a scenario where you’ve created the strongest password possible. Now, imagine that all of your hard work is stored in plain text in your company’s database,
i.e., passwords are stored in the database without any modification.. If a hacker gets inside, what happens next? All of your efforts go to waste, and your username and password are sold on the open market to the highest bidder.
What is password hashing?
can be thought of as a version of encryption but
Hashing is a one-way ticket to data encryption. Hashing performs a one-way transformation on a password, turning the password into another String, called the hashed password. Hashing is called one way because it’s practically impossible to get the original text from a hash.
Some Key concepts:
Cookies, sessions, salt and Token
Json Web Token – JWT
JSON Web Token (JWT) is a standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. The compact size makes the tokens easy to transfer through an URL, POST parameter, or inside an HTTP header. The information in a JWT is digitally signed using a secret or public/private key pair. JWTs can be signed using a secret or a public/private key pair. JWTs are mainly used for authentication. After a user signs in to an application, the application then assigns JWT to that user. Subsequent requests by the user will include the assigned JWT. This token tells the server what routes, services, and resources the user is allowed to access.
How to Build an Authentication API with JWT Token in Node.js
Let’s get our hand dirty, and write some code, for that we would recommend these two resources:
OR you can watch this video
In this section you can find a lot of helpful links to other content. This is a supplemental material for you if you want to dive deeper into some concepts.
- Authentication Factor
- How NOT to Store Passwords! .this video gives a broad overview of some of the different methods to store passwords in databases, and the risks of some of them.
- Read the part about local storage
- Rainbow table && Dictionary attack
- Cryptographic hash function