- Encryption: transforming a string with a key so that it can only be read back by whoever holds the key.
- A key lets you obfuscate data and later retrieve it (it is reversible, unlike hashing).
- Encryption protects data in transit (and, as encryption at rest, data in storage).
- Salting adds extra random data to our input before it is hashed.
- It defeats precomputed (rainbow table) attacks and means two users with the same password get different hashes, so each hash has to be brute-forced separately.
- Creates a unique hash per user.
- Hashing is a one-way trip; it is not meant to be reversed.
- Hashed data cannot be reversed, only recomputed and compared. An attacker can still guess inputs and compare hashes, which is why salts and deliberately slow hashes matter.
- Hashing methods: MD4, MD5, SHA-256 (SHA = Secure Hash Algorithm). MD4 and MD5 are broken, and SHA-256 is fast by design; for passwords use a slow, salted password hash such as bcrypt, scrypt or Argon2.
- Registration
- Store a salted and hashed password, never the plaintext.
- Input validation before writing to the DB (and parameterized queries, never input concatenated into SQL).
- Login
- Hash the submitted password with the stored salt and compare it to the hash in the DB using a constant-time comparison.
- Store the user's login session in a cookie.
- Local storage is client-only storage; the server has no access to it. For the server to see a value kept there, the client has to attach it to an HTTP header, e.g. an Authorization header carrying a Bearer token. Anything in local storage is readable by any JavaScript running on the page, so an XSS bug exposes tokens stored there.
- Servers get the cookie by default: the browser attaches it to every request for that origin. If you have an API that many kinds of clients need to talk to (native apps, web, mobile, etc.) you might need local storage (or the platform's secure storage) plus a header instead.
- Example: for most web apps you have a server talking to a website, and the cookies are passed along with every HTTP request.
- With local storage you have to pass the value via a header yourself.
- An HttpOnly cookie cannot be read or written by client-side JavaScript (document.cookie); it is set by the server via Set-Cookie, and the browser still sends it with each request. Pair it with Secure and SameSite so it travels only over HTTPS and is not attached to cross-site requests (CSRF).
- You can't store an object in a cookie; a cookie value is a string, so serialize it first (e.g. JSON or a JWT).
- JWTs (JSON Web Tokens) allow us to encapsulate information inside a single token. They are encoded and decoded, but they are not encrypted, salted or hashed.
- The token looks like random characters, but it is just base64url-encoded JSON that anyone holding the token can decode.
- You don't want to put really sensitive information in a JWT.
- Consists of a header, a payload (data in JSON format) and a signature, used to verify that the token was issued by us and has not been modified.
- It suits authentication well, because you can store information such as the [userId, sessionId] as a single value and verify it with the signing key alone.
- Here we will store the [userId, sessionId] as a JWT string and save it as a cookie.
- Building a session-based authentication system
- Sessions are the ability to track, in the database, whether a user is logged in from a specific device. Users and administrators can then control (list and revoke) the various sessions.
- Access Token (a JWT)
- Contains all of the info the user needs to be logged in.
- Allows the user to access the information.
- Allows us to make sure the user's session is valid and then let them have access to the information.
- Short-lived: only valid for the current use of the website.
- Refresh Token (a JWT)
- Doesn't contain all of the information needed to give access.
- Only contains the session id.
- If the session is still valid in the database, it is used to create a new access token.
- Allows you to stay logged in for longer.
- It is not able to give the user access on its own; it is only used to refresh the access token.
- Generate the session token using the built-in crypto package in Node.js (crypto.randomBytes, never Math.random).
- Retrieve connection information (IP address, user agent).
- Database insert for the session.
- Return the session token.
// Multiple things can be returned from a function (e.g. wrapped in an object or array).
- Create the JWT secret used for the signature; it stays on the server.
- Create the refresh token, whose payload is the session token.
- Create the access token, whose payload is the session token and the user id.
- Return the refresh and access tokens.
- Get the user from cookies: verify the access token; if it is missing or expired, verify the refresh token, check that the session is still valid in the DB and issue a new access token.