Authentication Vs Authorization: Securing Your Express Application

Hey fellow devs!! Sorry for being gone for so long... Now that we are back, let's get to it. Up until the last blog, we had covered the basic flow of an Express application, and we had also connected a database to it.
But Krishang, that data is unprotected, no? Of course it is, and that's why in today's article we will talk about a very important topic: securing our application.

Authentication and Authorization

  • Often used interchangeably, these two terms mean different things and serve different purposes.
  • Broadly speaking, both are sub-concepts of the umbrella term Security.
  • The concepts themselves are simple, but getting started with them in code can be tricky; worry not, for I'm here to make it easier.
  • Let's start with the difference, shall we? Let's understand the concept with the example of a concert!

Authentication

So authentication is basically just proving that you are who you claim to be.
  • Say you are going to a concert of your favorite singer. You bought a ticket, and at the gate you present it to prove that you are a valid attendee.
  • You would only be allowed to enter the venue if you had a valid ticket for the concert. That's authentication: the venue checks your proof (the ticket) before it lets you in. In an application, that proof is a password, a session cookie, or a token.

Authorization

Authorization is about what an already-identified person is or isn't allowed to do.
  • With a normal ticket, you may only be allowed to sit in a certain area; you would have had to buy a VIP ticket for better seats.
  • And for a backstage visit, even a VIP ticket wouldn't suffice; you would need a special pass. That's authorization: the venue already knows you are a valid attendee, and now decides what that entitles you to.

Importance of the Two Concepts

Now that we know the difference between the two concepts, let's break down why they are a crucial part of any application.

Layered Security

  • Authentication lets only known users into the application, which keeps unwanted guests out of the picture.
  • Authorization controls what authenticated users can do once they are in, so a stolen or misused account is limited to that account's permissions.

Protection Against Different Threats

Authentication and authorization also strengthen the defenses against threats like impersonation (someone pretending to be another user) and data breaches (a user reading or changing data they were never meant to see).

Data Protection

Since only authenticated users can access the data, and their actions are limited by authorization, the data is protected. Note that one without the other is not enough: an application that authenticates users but never checks permissions lets any logged-in user reach everyone else's data.

Granular Control

  • Authentication establishes user identity and makes sure only known individuals access the application.
  • Authorization adds finer control by managing permissions for different users, for example an admin role that can delete records while a regular user can only read their own.
These are some of the many reasons why the two concepts matter so much in applications.

How to Implement?

In an Express application there are several ways to implement authentication or authorization, but the most common one is to use well-tested libraries rather than writing the cryptography yourself. Some of these libraries are:
  • bcryptjs is a JavaScript library used to securely hash and verify user credentials such as passwords. Passwords are never stored in plain text: the database holds a salted hash, and at login the submitted password is hashed again and compared with it.
  • jsonwebtoken is a library used to create and verify JSON Web Tokens (JWTs), compact, URL-safe tokens that carry claims (such as a user ID and role) between the server and the client. A JWT is signed, so the server can detect tampering, but by default it is not encrypted, so do not put secrets in it.
  • express-session is an Express middleware package that manages user sessions.
  • It stores session data on the server and sets only a session ID in a cookie on the client side, so the browser never holds the session contents.

Conclusion

In this article we read about:
  • What authentication and authorization are.
  • Why they are so important in the context of web applications.
  • What some common packages for implementing these concepts are.
In our next blog, we will create a basic RESTful API that leverages all of the above packages in a user authentication flow. Until then, keep learning, keep coding! And I'll see you in the next one! 👋