Description
Following: #268
Having prepped an API in weeks 1 & 2, we can start talking about authentication.
As Yurii suggested, it could look like:
- as prep, trainees have fetched code with a UI that has a simple login
- as the session progresses we slowly build on authentication knowledge
Extending the authentication section
Step 1: Database-Stored Credentials (30 min)
Concept: Store username/password in DB, check on login
Implementation:
- Add /login endpoint: check credentials against DB
- Use middleware to protect routes (e.g., isAuthenticated)
- Exercise: Add a protected route, test with Postman
Discussion: Why is this insecure? (passwords in plaintext, no token management)
Step 2: Database-Stored Tokens
Concept: Issue a random token on login, store in DB, validate on each request
Implementation:
- Generate token
- Store token in DB with user ID
- Add middleware to check token in Authorization header
- Exercise: Implement
Discussion: Pros/cons, scalability, security
Step 3: JWT (JSON Web Tokens)
Concept: Self-contained tokens, no DB lookup
Implementation:
- Install jsonwebtoken
- Issue JWT on login, verify with middleware
Discussion: When to use, revocation strategies, security risks
Step 4: Session-Based Auth
Concept: Server-side sessions (e.g., express-session)
Implementation:
- Set up session middleware, store in memory/Redis
- Exercise: Compare with JWT (when to use each)
Discussion: Scalability, distributed systems
Step 5: API Keys
Concept: Simple, long-lived keys for machine-to-machine access
Implementation:
- Add key validation middleware
- Exercise: Rate limiting, key rotation
Wrap-up & Best Practices
Recap: Compare all methods
Best Practices: HTTPS, password hashing, token storage, CORS