Authentication & Authorization in Node.js

Learn to build secure and robust applications by mastering the two pillars of access control: proving who a user is and controlling what they can do.

🚪🔒

Welcome! Let's secure our app. Imagine this is a protected route in our application.

/Dashboard

Authentication: Verifying Identity

Authentication is the process of verifying a user's identity. It answers the question: "Who are you?" This is the first step in any secure system, typically handled by checking a username and password, a biometric scan, or a security key.

Authorization: Granting Permissions

Once a user is authenticated, Authorization determines what they are allowed to do. It answers the question: "What are you permitted to do?" This is managed through roles and permissions, ensuring users can only access the resources and perform the actions appropriate for their level of access (e.g., an admin vs. a regular user).

JWT: Your Digital Keycard

JSON Web Tokens (JWT) are a popular way to handle authentication in modern APIs. After a user logs in, the server creates a signed token containing user information (the "payload") and sends it to the client. The client then includes this token in the header of subsequent requests to prove its identity without needing to send credentials every time.

OAuth: Delegated Access

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to a user's account on another service, without exposing their credentials. Think "Login with Google" or "Login with Facebook." Your application is delegated permission to access specific parts of the user's data, providing a secure and seamless user experience.

Practice Zone

Interactive Test 1: Match the Concept

Match the security concept to its description.

Arrastra en el orden correspondiente.

Arrastra las opciones:

Checking if a user has the "admin" role

A signed JSON object sent in request headers

Validating a username and password

Completa el código:

Verifying Identity______

Verifying Permissions______

Stateless Access Token______

Unlock with Premium

Interactive Test 2: Complete the Code

Rellena los huecos en cada casilla.

function authenticateJWT(req, res, next) {
  const token = req.headers.authorization.split(' ')[1];
  jwt.(token, SECRET_KEY, (err, user) => {
    if (err) return res.sendStatus(); 
    req.user = user;
    ();
  });
}

Unlock with Premium

Practice Example: Code Editor

Create an Express middleware that checks if a user has the 'admin' role. Assume `req.user` has a `roles` array.

* Write the code below. Correct characters will be shown in green and incorrect ones in red.

function isAdmin(req, res, next) {
  if (req.user && req.user.roles.includes('admin')) {
    next();
  } else {
    res.status(403).send('Access denied. Admins only.');
  }
}

Unlock with Premium

Knowledge Check

What is the main difference between authentication and authorization?

Unlock with Premium

Security Patterns in Modern Architectures

Token-based authentication and authorization are foundational to building scalable and secure distributed systems.

1. Securing SPAs and Mobile Apps

Traditional session-based authentication doesn't work well with Single-Page Applications (React, Vue) and mobile apps. JWTs provide a stateless solution: the server doesn't need to store session data. Each request from the client is self-contained and authenticated by its token, making it perfect for distributed or serverless environments.

2. Microservices Architecture

In a microservices architecture, you can have a dedicated "Auth Service" that handles user logins and issues JWTs. Other services (e.g., "Product Service", "Order Service") can then independently verify the signature of these JWTs to authenticate requests without needing to communicate with the Auth Service or a shared database for every call, improving performance and decoupling.

3. Fine-Grained Permissions with OAuth 2.0 Scopes

OAuth goes beyond simple roles. When an application asks for permission to access your Google account, it requests specific "scopes" like `read:calendar` or `write:contacts`. This is a form of fine-grained authorization where the user grants specific, limited permissions. You can implement this in your own APIs to allow users to create API keys with restricted access.

Practical Takeaway: Understanding these security patterns allows you to build applications that are not only secure but also scalable, flexible, and ready for modern, distributed architectures.

Security Glossary

Stateless Authentication: An authentication method where the server does not store any session information about the user. Each request must contain all necessary information (like a JWT) for the server to identify and process it.
bcrypt: A widely-used and highly secure password-hashing function. It is designed to be slow to compute, which helps protect against brute-force attacks on stored password hashes.
Payload (JWT Claim): The central part of a JWT that contains the "claims" or statements about a user, such as their ID, username, roles, and token expiration time.
Middleware (Express.js): Functions that have access to the request (`req`), response (`res`), and the `next` function in the application’s request-response cycle. They are perfect for implementing security checks like authentication and authorization.