Now let's move to a new topic: Authentication.
What is Authentication?
Authentication is a process that verifies that someone or something is who they say they are. Technology systems typically use some form of authentication to secure access to an application or its data. For example, when you need to access an online site or service, you usually have to enter your username and password. Then, behind the scenes, the system compares the username and password you entered with the record it holds in its database. If the information you submitted matches, the system assumes you are a valid user and grants you access. System authentication in this example presumes that only you would know the correct username and password. It therefore authenticates you using the principle of something only you would know.
In simple words, authentication is what happens when you, as a user, log in: from then on the system marks your requests as coming from a valid user. This is done with a generated token, which we call a JWT (JSON Web Token). Once you have logged in, the system generates a token and sends it to you, and this token is used to authenticate your subsequent requests.
What is Authorization?
Authorization is the process of giving someone permission to do or have something. In the context of technology systems, authorization is the process of granting access to a user to a resource. For example, when you log in to a website, the system checks your username and password to verify that you are a valid user. If you are, the system then checks your user profile to see what access you have been granted. If you are an administrator, you may have access to all the site's features. If you are a regular user, you may only have access to a subset of the site's features. In this example, the system is using authorization to determine what you can and cannot do on the site.
In simple words, authorization is the permissions system we build into our application. For example, only users with the permission to manage products are allowed to create, update, and delete products; if you don't have this permission and you try to access any of these routes, you will get an error response with status code
Why do we need Authentication and Authorization?
Authentication and authorization are two of the most important security features in any application. They are used to protect the application from unauthorized access and to ensure that only authorized users have access to the application's resources.
What is JWT
JWT stands for JSON Web Token. It is a standard for representing claims securely between two parties. A JWT is a JSON object that contains a header, a payload, and a signature. The header contains the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA. The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. The signature is used to verify that the message wasn't changed along the way. JWTs are signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
We also call it a
But TBH, I don't really like JWT; I prefer a randomly generated string as the token so it doesn't get cracked easily. Still, JWT is the most used token in the world, so we will use it anyway.
How does JWT work?
When a user logs in, the server generates a JWT with the user's data and sends it to the client. The client stores the JWT locally, e.g. in localStorage or in a cookie. When the user makes subsequent requests to the server, the client must send the JWT, typically in the Authorization header using the Bearer schema. The server will check the JWT, validate the data, and respond to the request.
Auth System in a nutshell
Let me encapsulate the whole auth system in a nutshell:
- User sends a request to the server to log in.
- The server checks the user's credentials and generates a JWT.
- The server sends the JWT back to the client.
- The client stores the JWT locally, e.g. in localStorage or in a cookie.
- When the user makes subsequent requests to the server, the client must send the JWT, typically in the Authorization header using the Bearer schema.
- The server will check the JWT, validate the data, and respond to the request.
If the user sends an invalid token or no token at all, the server will respond with status code
This is called Authentication.
Regarding Authorization, we will write a middleware that checks whether the user has the right permissions to access the route; if not, it will return an error with response status code
We'll generate a token not only for logged-in users but also for guests. This gives us more control and lets us unify our code base so that it treats every request as coming from one kind of user, whether that is a guest or a registered user.
Generating Guest Token
So even if the current user of the application is a guest, we'll generate a token for them, and this token will be used to authenticate their requests.
In this article, we learned about Authentication and Authorization, we also learned about JWT and how it works, and we also learned about Guest Tokens.
In our next article, we will start implementing the auth system in our application.
🚀 Project Repository
You can find the latest updates of this project on Github
😍 Join our community
Join our community on Discord to get help and support (Node Js 2023 Channel).
🎞️ Video Course (Arabic Voice)
If you want to learn this course in video format, you can find it on Youtube, the course is in Arabic language.
📚 Bonus Content 📚
You may have a look at these articles; they will definitely boost your knowledge and productivity.
- After 6 years of practicing MongoDB, Here are my thoughts on MongoDB vs MySQL
Packages & Libraries
- Localization: An agnostic i18n package to manage localization in your project