Authentication and Authorization using AccessTokens - RefreshTokens | Part 1
Manish Kumar Sahu
Posted on May 31, 2021
Authentication VS Authorization
Many people mismatch these terms, but they are two different things.
Authentication
This is a process of validating the user that sends the request to the server is the same as the one that logged in. This is generally done by checking the password, OTP, biometrics, etc.
Authorization
This is a process of giving permission and access to a specific resource or function. This is generally done by using tokens sent from auth server to the client.
I will be using MERN (MongoDB, Express, React, NodeJS) stack to show the implementation of authentication and authorization
Authentication
So, the first step of authentication is to encrypt the the user credentials or resources which are very much private and important, like passwords.
Let's say we have a userSchema using mongoose.
We cannot just store plain passwords in the database, so for hashing, we can use crypto
. It is an inbuilt module that comes with nodeJS
.
- First of all, we made two methods
- To authenticate or check if the password is correct or not.
- To hash the password.
- Then we made a virtual schema to take the plain password and encrypt it using the securePassword method we made and store to store it in database.
- After that, we can import the
authenticate
method to/signin
route to check for the password that user passed.
const mongoose = require("mongoose");
const { createHmac } = require("crypto");
const userSchema = mongoose.Schema(
{
name: {
type: String,
required: true,
},
email: {
type: String,
required: true,
unique: true,
},
encrypted_password: {
type: String,
required: true,
},
},
{ timeStamps: true }
);
userSchema
.virtual("password")
.set(function (password) {
this._password = password;
this.encrypted_password = this.securePassword(password);
})
.get(function () {
return _password;
});
userSchema.methods = {
securePassword: function (plainPassword) {
if (!plainPassword) {
return;
}
try {
const secret = "anySecretYouWant";
return createHmac("sha256", secret).update(plainPassword).digest("hex");
} catch (error) {
return;
}
},
authenticate: function (plainPassword) {
return this.encrypted_password === this.securePassword(plainPassword);
},
};
module.exports = mongoose.model("User", userSchema);
- So basically all the passwords of the user will be stored in a hashed or encrypted format so that none of us can read it and use it directly. It is done by passing a salt (any random long string ) to mix the characters in the password.
- To decrypt those passwords, we need only that particular salt string.
- As salt strings can decrypt the passwords, hence it is stored in Node environment files (.env files).
Now the user is authenticated, next move on to authorization part.
cover image : https://www.progress.com/
Posted on May 31, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
May 31, 2021
May 31, 2021