Chapter 15: Authentication

Learn how to verify who users are and protect your application from unauthorized access.

Auth vs AuthZ

Password Hashing

JWT Tokens

Auth Middleware

Quiz

Auth vs AuthZ

Think of a nightclub bouncer. Authentication is the bouncer checking your ID to verify you are who you claim to be. Authorization is the bouncer checking if your ticket allows you into the VIP section. First you prove WHO you are, then the system decides WHAT you can do.

Authentication (AuthN) = "Who are you?" — Verifying identity (login with email + password).

Authorization (AuthZ) = "What can you do?" — Checking permissions (admin vs regular user).

Concept	Question	Example
Authentication	Who are you?	Login with email & password
Authorization	What can you access?	Only admins can delete users

Common Authentication Methods

Session-based — Server stores login state in memory; sends a session ID cookie
Token-based (JWT) — Server sends a signed token; client sends it with every request
OAuth — "Login with Google/GitHub" — delegates auth to a third party

In this course we will focus on JWT (JSON Web Token) authentication because it is the most common approach for REST APIs and single-page applications.

Password Hashing

Imagine feeding a document into a paper shredder. You can turn a document into shreds, but you can NEVER reassemble the shreds back into the original document. That is exactly what hashing does to passwords — it is a one-way transformation. Even if a hacker steals your database, they cannot reverse the hashed passwords back to plain text.

NEVER store passwords in plain text! If your database is ever compromised, every user's password would be exposed. Always hash passwords before saving them.

bcrypt — The Industry Standard

bcrypt is the most widely used password hashing library in Node.js. It automatically handles salting (adding random data before hashing) so that two users with the same password get different hashes.

Terminal — Install bcrypt

npm install bcrypt

JavaScript — Hashing & Comparing Passwords

const bcrypt = require('bcrypt');

// HASHING a password (when user registers)
async function hashPassword(plainPassword) {
    const saltRounds = 10; // Higher = more secure but slower
    const hashed = await bcrypt.hash(plainPassword, saltRounds);
    console.log('Original:', plainPassword);
    console.log('Hashed:  ', hashed);
    // Output: "$2b$10$K8GpXoG..." (60-char string)
    return hashed;
}

// COMPARING a password (when user logs in)
async function checkPassword(plainPassword, hashedPassword) {
    const isMatch = await bcrypt.compare(plainPassword, hashedPassword);
    console.log('Password match:', isMatch); // true or false
    return isMatch;
}

// Usage:
// const hash = await hashPassword('mySecret123');
// const valid = await checkPassword('mySecret123', hash); // true
// const invalid = await checkPassword('wrongPass', hash); // false

Salt rounds = 10 is the recommended default. Each increase doubles the computation time. 10 rounds takes ~100ms, which is fast enough for users but painfully slow for attackers trying millions of guesses.

JWT Tokens

A JWT is like a concert wristband. When you enter the venue (login), the bouncer checks your ticket and gives you a wristband. For the rest of the night, you just flash your wristband to access different areas — no need to show your ticket again. A JWT works the same way: after login, the server gives you a token, and you send it with every request to prove you are authenticated.

What is a JWT?

A JSON Web Token is a string with three parts separated by dots:

            eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjEsInJvbGUiOiJhZG1pbiJ9.SflKxwRJSMeKKF2QT4fw
            
                Header (algorithm)  · 
                Payload (your data)  · 
                Signature (verification)

Terminal — Install jsonwebtoken

npm install jsonwebtoken

JavaScript — Creating & Verifying JWTs

const jwt = require('jsonwebtoken');

const SECRET_KEY = 'my-super-secret-key'; // In real apps, use env variable!

// CREATE a token (after successful login)
function generateToken(user) {
    const payload = {
        userId: user.id,
        email: user.email,
        role: user.role
    };

    // Token expires in 24 hours
    const token = jwt.sign(payload, SECRET_KEY, { expiresIn: '24h' });
    console.log('Token:', token);
    return token;
}

// VERIFY a token (on every protected request)
function verifyToken(token) {
    try {
        const decoded = jwt.verify(token, SECRET_KEY);
        console.log('Decoded:', decoded);
        // { userId: 1, email: "user@example.com", role: "admin", iat: ..., exp: ... }
        return decoded;
    } catch (error) {
        console.log('Invalid or expired token!');
        return null;
    }
}

Never put sensitive data in the JWT payload! JWTs are encoded (Base64), NOT encrypted. Anyone can decode and read the payload. Only store IDs and roles — never passwords or personal data.

Login & Register

Now let's combine everything into a complete registration and login flow:

Registration Flow:
1. User sends email + password → 2. Server hashes password → 3. Server saves user to database → 4. Server returns success

Login Flow:
1. User sends email + password → 2. Server finds user by email → 3. Server compares password with hash → 4. Server generates JWT → 5. Server returns token

JavaScript — Register Route

const express = require('express');
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const { User } = require('./models');

const router = express.Router();
const SECRET = process.env.JWT_SECRET || 'dev-secret-key';

// POST /api/auth/register
router.post('/register', async (req, res) => {
    try {
        const { name, email, password } = req.body;

        // 1. Check if user already exists
        const existingUser = await User.findOne({ where: { email } });
        if (existingUser) {
            return res.status(400).json({ error: 'Email already registered' });
        }

        // 2. Hash the password
        const hashedPassword = await bcrypt.hash(password, 10);

        // 3. Create the user
        const user = await User.create({
            name,
            email,
            password: hashedPassword  // Store the HASH, never plain text!
        });

        // 4. Return success (don't send password back!)
        res.status(201).json({
            message: 'User registered successfully',
            user: { id: user.id, name: user.name, email: user.email }
        });
    } catch (error) {
        res.status(500).json({ error: 'Registration failed' });
    }
});

JavaScript — Login Route

// POST /api/auth/login
router.post('/login', async (req, res) => {
    try {
        const { email, password } = req.body;

        // 1. Find the user by email
        const user = await User.findOne({ where: { email } });
        if (!user) {
            return res.status(401).json({ error: 'Invalid email or password' });
        }

        // 2. Compare password with stored hash
        const isValidPassword = await bcrypt.compare(password, user.password);
        if (!isValidPassword) {
            return res.status(401).json({ error: 'Invalid email or password' });
        }

        // 3. Generate JWT token
        const token = jwt.sign(
            { userId: user.id, email: user.email, role: user.role },
            SECRET,
            { expiresIn: '24h' }
        );

        // 4. Send token to client
        res.json({
            message: 'Login successful',
            token,
            user: { id: user.id, name: user.name, email: user.email }
        });
    } catch (error) {
        res.status(500).json({ error: 'Login failed' });
    }
});

Notice the login route returns the same error message for both "user not found" and "wrong password." This is intentional — it prevents attackers from figuring out which emails are registered in your system.

Auth Middleware

Auth middleware is like a security checkpoint at an airport. Before you reach any gate (route), you must pass through security (middleware) and show your boarding pass (JWT token). If your pass is invalid, you get turned away before reaching the gate.

JavaScript — Auth Middleware

const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET || 'dev-secret-key';

// Middleware: Verify JWT token
function authenticate(req, res, next) {
    // 1. Get token from header
    const authHeader = req.headers.authorization;
    // Expected format: "Bearer eyJhbGciOiJIUzI1NiJ9..."

    if (!authHeader || !authHeader.startsWith('Bearer ')) {
        return res.status(401).json({ error: 'No token provided' });
    }

    const token = authHeader.split(' ')[1]; // Get the token part

    try {
        // 2. Verify the token
        const decoded = jwt.verify(token, SECRET);

        // 3. Attach user info to request object
        req.user = decoded;
        // Now any route handler can access req.user.userId, req.user.role, etc.

        next(); // Continue to the route handler
    } catch (error) {
        return res.status(401).json({ error: 'Invalid or expired token' });
    }
}

// Middleware: Check if user is admin
function authorizeAdmin(req, res, next) {
    if (req.user.role !== 'admin') {
        return res.status(403).json({ error: 'Admin access required' });
    }
    next();
}

module.exports = { authenticate, authorizeAdmin };

Using the Middleware

JavaScript — Protected Routes

const { authenticate, authorizeAdmin } = require('./middleware/auth');

// Public route - anyone can access
router.get('/api/products', getProducts);

// Protected route - only logged-in users
router.get('/api/profile', authenticate, getProfile);

// Admin-only route - must be logged in AND be admin
router.delete('/api/users/:id', authenticate, authorizeAdmin, deleteUser);

// Example protected route handler
async function getProfile(req, res) {
    // req.user was attached by the authenticate middleware
    const user = await User.findByPk(req.user.userId);
    res.json({
        id: user.id,
        name: user.name,
        email: user.email
    });
}

How the Client Sends the Token

JavaScript — Frontend Sending JWT

// After login, store the token
localStorage.setItem('token', response.token);

// On every request, include the token in the header
async function fetchProfile() {
    const token = localStorage.getItem('token');

    const res = await fetch('/api/profile', {
        headers: {
            'Authorization': `Bearer ${token}`
        }
    });

    const data = await res.json();
    console.log('Profile:', data);
}

📝 Chapter 15 Quiz

1. What is the difference between authentication and authorization?

They are the same thing

Authentication = who you are, Authorization = what you can access

Authentication = what you can access, Authorization = who you are

Authentication is only for admins

2. Why do we hash passwords before storing them?

To make them shorter

To encrypt them so we can decrypt later

So they cannot be reversed if the database is compromised

To make login faster

3. What are the three parts of a JWT?

Header, Payload, Signature

Username, Password, Token

Key, Value, Hash

Request, Response, Status

4. How does the client send a JWT token with each request?

In the URL as a query parameter

In the request body

As a cookie only

In the Authorization header as "Bearer <token>"

5. Why should the login route return the same error for "user not found" and "wrong password"?

To save code and keep it simple

To prevent attackers from discovering which emails are registered

Because the database cannot tell the difference

It does not matter, you can return different errors

← Chapter 14: REST API Chapter 16: Advanced Sequelize →