\newpage
User authentication and authorization are critical for securing applications and ensuring that users have appropriate access to resources. This chapter delves into the concepts of authentication, authorization, session tracking, and maintaining user state across sessions.
Authentication is the process of verifying a user’s identity. It answers the question: Who are you?
- Examples: Username/password, biometrics, multi-factor authentication (MFA).
Authorization determines what actions or resources a user is allowed to access. It answers the question: What are you allowed to do?
- Examples: Role-based access control (RBAC), access control lists (ACLs).
- Password-Based:
- Simplest form of authentication.
- Vulnerable to brute force attacks and password theft.
- OAuth:
- Used for third-party app authentication (e.g., "Login with Google").
- Provides secure access without sharing credentials.
- API Keys:
- Used to authenticate applications accessing APIs.
- Requires secure storage to prevent exposure.
- JWTs (JSON Web Tokens):
- Stateless, compact tokens used for session management and authentication.
- Encodes user information in a digitally signed format.
Enhances security by requiring multiple forms of verification:
- Something You Know: Password or PIN.
- Something You Have: Smartphone or hardware token.
- Something You Are: Biometric data (e.g., fingerprint, facial recognition).
Session tracking maintains a user’s authenticated state across multiple requests or pages.
- Session Cookies:
- Stores a unique session ID in the user’s browser.
- Commonly used in web applications.
- Secure options include setting
HttpOnlyandSecureattributes.
- Local Storage or Session Storage:
- Stores session tokens in the browser.
- Suitable for single-page applications (SPAs).
- Vulnerable to XSS attacks if not handled carefully.
- Server-Side Sessions:
- Stores session data on the server, referenced by a session ID in cookies.
- Ensures better control and security but requires additional storage.
- Install the session middleware:
npm install express-session
- Configure sessions in your application:
const express = require('express'); const session = require('express-session'); const app = express(); app.use(session({ secret: 'your-secret-key', resave: false, saveUninitialized: true, cookie: { secure: false } // Set to true if using HTTPS })); app.get('/', (req, res) => { if (!req.session.views) { req.session.views = 1; } else { req.session.views++; } res.send(`You have visited this page ${req.session.views} times`); }); app.listen(3000, () => console.log('Server running on port 3000'));
Maintaining user state across sessions ensures a seamless user experience. This includes remembering user preferences, authentication status, and application state.
- Persistent Cookies:
- Store long-lived tokens to remember user login status.
- Ensure secure implementation to prevent theft.
- Token-Based Authentication:
- Use JWTs for stateless session management.
- Store tokens securely in cookies or local storage.
- Database Persistence:
- Save user state (e.g., preferences, shopping carts) in a database.
- Retrieve and restore state on login.
- Install necessary packages:
npm install jsonwebtoken
- Generate and verify tokens:
const jwt = require('jsonwebtoken'); const secretKey = 'your-secret-key'; // Generate a token const token = jwt.sign({ userId: 123 }, secretKey, { expiresIn: '1h' }); console.log(`Token: ${token}`); // Verify the token jwt.verify(token, secretKey, (err, decoded) => { if (err) { console.log('Invalid token'); } else { console.log('Decoded payload:', decoded); } });
In this chapter, you learned:
- The distinction between authentication and authorization.
- Session tracking methods and how to manage user state across sessions.
- Techniques for implementing persistence, such as cookies and JWTs.
User authentication and state management are foundational to secure and user-friendly applications. In the next chapter, we’ll explore payment integration with Stripe to handle transactions effectively.