Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/eby8zevin/authentication-and-authorisation-with-expressjs


https://github.com/eby8zevin/authentication-and-authorisation-with-expressjs

Last synced: about 1 month ago
JSON representation

Awesome Lists containing this project

README 

        
# authentication-and-authorisation-with-expressjs



### 1. Understanding Authentication and Authorization



**Authentication:**

- **Definition:** Authentication is the process of verifying the identity of a user or system. It ensures that the person or system is who they claim to be.

- **Example:** When a user logs in with a username and password, the system checks if these credentials match the records in the database.



**Authorization:**

- **Definition:** Authorization determines what an authenticated user is allowed to do. It involves setting permissions and rules about which resources a user can access and what actions they can perform.

- **Example:** After logging in, a user might have access only to their own data and not to others', or a regular user might not have the ability to delete other users, which could be restricted to admins only.



### 2. Evaluating the Requirement



**"This delete user functionality can be done after authentication"**



**Is it a good or bad idea?**



- **Good Idea:**

  - **Security Control:** Allowing delete functionality only after authentication ensures that only recognized users can attempt to perform this action. This prevents unauthorized or anonymous entities from carrying out such critical operations.

  - **Data Integrity:** Authentication ensures that the system knows who is making the request, which is crucial for accountability, especially for actions that impact data integrity, like deleting a user.



- **Bad Idea:**

  - **Missing Authorization:** Simply authenticating a user is not sufficient. Being authenticated does not mean the user should be authorized to delete accounts. For instance, a regular user should not have the ability to delete other users’ accounts, which could lead to data breaches and misuse.

  - **Security Risks:** If the delete functionality is available to authenticated users without proper authorization checks, it could be exploited. For example, a malicious user could delete other users' accounts, causing significant data loss and security issues.



### 3. Difference Between Authentication and Authorization



**Authentication:**

- Focuses on confirming the user's identity.

- Example: Checking a username and password.



**Authorization:**

- Determines the resources and actions a user is permitted to access.

- Example: Ensuring that only admins can delete other users.



**Diagram to Illustrate the Difference:**



`User -> Authentication (Login) -> Authorization (Access Control) -> Perform Actions (e.g., delete user)`



**Explanation:**

- In this process, authentication is the initial step where the system verifies who the user is. After authentication, authorization checks what actions the user is allowed to perform. Only if the user is authorized to delete a user should they be able to proceed.



### 4. Conclusion



In conclusion, while authentication is crucial for verifying user identity, it should always be accompanied by proper authorization. Authentication alone does not guarantee that users should be able to perform sensitive actions like deleting other users. Proper authorization checks are essential to ensure that only users with the right permissions (e.g., admins) can execute such critical operations.



By addressing both authentication and authorization, you can ensure a secure and controlled system where users have appropriate access and actions based on their roles and permissions.