
26. authentication

Authentication

  • Authentication: who you are
  • Authorization: what you are authorized to do

The Authorization Header

HTTP/1.1

  • browser ‘Inspect’ -> Network

Types

Basic

http://www.base64decode.org

Authentication based on the username and password, concatenated with ':' and Base64-encoded (the decoder above shows how easily the header is read back)

  • Don’t store passwords in raw text, always hash them!
  • Don’t use MD5 (brute force): it is becoming more insecure with current computing power
  • USE bcrypt (the standard nowadays): hashes the same input into a different output every time, because of the random salt
    npm bcrypt

Token

  • GitHub personal access tokens
    a random token is shared between the server and the client, usually obtained on a separate request
    lasts for a short time (normally 30sec)
    Authorization: Bearer <token>

client: React, Angular …

JWT (JSON Web Tokens)

https://jwt.io
header [algorithm & token type] . payload [data that needs to be secured: userId, iat] . signature [computed with the verifying key]: no one can change the content
signature => only someone who has the secret can generate the signature / if the input is different, the signature will be different too

  • the payload can’t be changed without the signature no longer matching
  • most bearer strategies: the token carries all the info needed
  • the only thing stored on the server is the passphrase (secret)
  • the token is composed of the algorithm information (header), the payload encoded in base64, and the signature
  • less control over the token: the only way to stop accepting one before it expires is a blacklist

Session

  • payload of data that relates to a user
  • persisted on the server and tagged with an ID
  • the server writes the ID into a cookie (a piece of information) -> how we are saved and tracked // and sends it to the browser
  • every time the browser performs a request to the server, it sends the cookie with the ID back

session store: mongodb, file, etc…
npm express-session
npm helmet

  • iframe: embeds a website inside another website (HTML element)

OAuth

  • Firefox
  • three parties: user, app and authentication provider
  • lets us authenticate a user through an authentication provider, who manages the account of the user
  • authenticates a user within the activity of an app
  • the credentials are not leaked to the app
  • BUT gives the provider (e.g. Google) information about the login
    passport.js
    Auth0
    Firebase Authentication