OAuth is just a protocol.
#### User Authentication Choices
From least complex to most complex:
- Session
- JSON Web Tokens
- OAuth (In-House and SaaS)
- Other / Ad-Hoc
There's a big difference between authorization and authentication:
Authentication is verifying *who* the user is (login, session cookie, token).
Authorization is deciding *what* an authenticated user may access.
#### Passport.js
- Passport.js is middleware for Node.js that uses different "strategies" to flexibly perform different types of authentication.
- It offers a wide range of strategies: OAuth, local (username & password), etc.
- On a request protected by `passport.authenticate(...)`, Passport runs the chosen strategy to verify the credentials the request carries (session cookie, username/password, token, etc.). If verification fails, the request is rejected with *401 Unauthorized*; despite the name, that status means "not authenticated". Deciding what the authenticated user may then access is authorization, which Passport leaves to the application.
#### HTTP headers
- HTTP headers are basically metadata included with HTTP requests and responses.
- An HTTP header consists of its name followed by a colon (`:`), then its value.
- Examples of HTTP headers:
- `User-Agent`: The type of device and browser making a request.
- `Content-Type`: Signifies if the body content is text, HTML, JSON, etc.
- `Strict-Transport-Security` (HSTS): Tells the browser to use only HTTPS for future connections to the server.
- `Cache-Control`: Directs the caching mechanisms in browsers and CDNs.
- `Set-Cookie`: Used by the server to send a cookie to the client.
#### Cookies
- Cookies play a pivotal role in web authentication, primarily session management, enabling servers to store and retrieve state on the client's browser.
- Cookies are crucial for maintaining session state across *stateless* HTTP transactions.
- When a client makes a request, the server can respond with a `Set-Cookie` header. The browser stores the cookie and attaches it in a `Cookie` header on every later request that matches the cookie's `Domain` and `Path` scope (subject to its `SameSite` rule).
- Cookies can carry a session ID or other identifier that lets the server recognise the client. For sessions, store an opaque random ID and look the user up server-side; a raw user ID in a cookie can be rewritten by whoever holds it unless the value is signed.
- Cookies can introduce privacy and security risks.
- Serve the whole app over HTTPS so cookies are encrypted in transit.
- Set the `Secure` (only sent over HTTPS), `HttpOnly` (not readable from JavaScript, limiting theft via XSS), and `SameSite` (not sent on most cross-site requests, limiting CSRF) attributes.