Notes on authentication - how to think about it and what options are available
Authentication is the process of verifying that a user is who he/she says she is (note that this is different than authorization which determines if a user is allowed to access a resource).
Current best practice - use JWT (https://jwt.io/introduction/)
Try to use an existing framework. Do not make your own authentication scheme - it is harder than you think.
For front end use this NPM https://www.npmjs.com/package/jsonwebtoken (npm install --save jsonwebtoken)
- Enter your credentials (username or email and password)
- Make HTTPS request containing this data to backend
- Check that username and password match
- Return user id and any other data and store token in LocalStorage
About LocalStorage (https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) Tokens stored in LocalStorage are DOMAIN SPECIFIC - that means "stuff" stored in LocalStorage for Facebook.com is not visible to Google.com The token will remain in storage (not the user profile)
/your_app/auth/email - first request to get token
Using bcrypt (encryption to store your passwords securely in database)
https://www.npmjs.com/package/bcrypt-nodejs
Encoding and decoding JWTs
https://github.com/auth0/node-jsonwebtoken
Storing JWT web toekns
https://github.com/grevory/angular-local-storage
-
NOTE that every request to your app MUST be authenticated - how do we do this? Include the token in headers of every request (more info about headers - http://stackoverflow.com/questions/1268673/set-a-request-header-in-javascript)
-
Check that the token is valid on every request
-
If the token is valid allow the request (return status code 200)
-
If the token is not valid - do not allow the request to continue and return the appropriate response code (on the front end redirect the user to the login page so that they can try again)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent