๐Ÿ›ก๏ธ Authentication vs Authorization: Every Developer Needs to Know ๐Ÿ›ก๏ธ

Sachin Gadekar - Aug 3 - Dev Community

👋 Hello, Devs!

In today's post, we're diving into the crucial concepts of Authentication and Authorization. These terms are often used interchangeably, but they answer two different questions: authentication establishes who is making a request, and authorization decides what that identity is allowed to do. Let's break it down!


๐Ÿ” Authentication: Who Are You?

Authentication is the process of verifying the identity of a user or entity. Think of it as the gatekeeper asking, "Who are you?" Here are some common methods:

  • Username and Password: the most common method. Store only a salted, slow hash of the password (bcrypt, scrypt or Argon2) and compare it in constant time; never store or log the password itself.
  • Two-Factor Authentication (2FA): a second factor (a TOTP code from an authenticator app, a hardware key, a push approval) so that a stolen password alone is not enough to log in.
  • Biometric Verification: fingerprints, facial recognition, etc. Typically the biometric unlocks a key held on the device (as with passkeys/WebAuthn) and the server verifies the resulting signature, not the biometric itself.
  • OAuth 2.0 / OpenID Connect: lets users sign in with another provider (Google, Facebook). Strictly speaking, OAuth 2.0 is a delegated-authorization framework; the layer that actually authenticates the user is OpenID Connect (the ID token), which is what "Login with Google" relies on.

🛂 Authorization: What Are You Allowed to Do?

Authorization determines which resources an authenticated user may access and which operations they may perform on them. It always comes after authentication: you cannot decide what someone may do until you know who they are. Think of it as the gatekeeper saying, "Okay, you're in. Now, what can you do?" Common models:

  • Role-Based Access Control (RBAC): permissions are assigned to roles, and users are assigned roles; the check is "does the caller's role include this permission?"
  • Attribute-Based Access Control (ABAC): permissions are decided by policies over attributes of the subject, the resource and the environment (department, resource owner, time of day, source network).
  • Access Control Lists (ACLs): each resource carries a list of which principals hold which permissions on it; a principal absent from the list gets nothing (default deny).

Whatever the model, the decision must be made server-side on every request, using the identity established at authentication, never a role or user id supplied by the client.
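The ACL and ABAC models above, as an added example (not code from the original post): a per-resource ACL lookup and a small ABAC policy evaluator with deny-overrides semantics, in plain JavaScript with no framework. The resource ids, attribute names, policy names and sample users are constructed for this example.

```javascript
// Added example (not from the original post): ACL and ABAC checks side by side.
// Resource ids, attributes, policies and users below are made up for the demo.

// ACL: each resource carries its own list of (principal -> permissions).
const acl = {
  'doc:42': { alice: ['read', 'update', 'delete'], bob: ['read'] },
  'doc:99': { bob: ['read', 'update'] },
};

function aclAllows(resourceId, userId, action) {
  const entries = acl[resourceId];
  if (!entries) return false;                        // unknown resource: default deny
  return (entries[userId] || []).includes(action);   // unlisted principal: default deny
}

// ABAC: decisions come from rules over subject, action, resource and
// environment attributes. Combining algorithm is deny-overrides: any matching
// deny wins, then any matching allow, otherwise the default is deny.
const policies = [
  { name: 'block-outside-corp-network', effect: 'deny',
    matches: (s, a, r, e) => !e.fromCorpNetwork },
  { name: 'owner-has-full-access', effect: 'allow',
    matches: (s, a, r, e) => s.id === r.ownerId },
  { name: 'same-department-reads-in-business-hours', effect: 'allow',
    matches: (s, a, r, e) =>
      a === 'read' && s.department === r.department && e.hour >= 9 && e.hour < 18 },
];

function abacDecide(subject, action, resource, env) {
  const matching = policies.filter(p => p.matches(subject, action, resource, env));
  const deny = matching.find(p => p.effect === 'deny');
  if (deny) return { allowed: false, reason: deny.name };
  const allow = matching.find(p => p.effect === 'allow');
  if (allow) return { allowed: true, reason: allow.name };
  return { allowed: false, reason: 'default-deny' };
}

// Constructed sample subjects, resource and environments.
const alice = { id: 'alice', department: 'finance' };
const bob = { id: 'bob', department: 'finance' };
const carol = { id: 'carol', department: 'engineering' };
const doc42 = { id: 'doc:42', ownerId: 'alice', department: 'finance' };
const officeHours = { hour: 10, fromCorpNetwork: true };
const lateNight = { hour: 23, fromCorpNetwork: true };
const cafeWifi = { hour: 10, fromCorpNetwork: false };
```

The reason string returned by abacDecide is what you log on a denial; "who was denied, on what, by which rule" is the record an incident responder wants, and it also makes policy bugs visible during testing.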

๐Ÿ› ๏ธ Implementing Authentication in Code

Here's a quick example using Node.js with Express and Passport.js. A Passport login is only persisted across requests if session middleware (express-session) and passport.session() are installed as well; with passport.initialize() alone, the first successful login fails with an error saying that login sessions require session support:

const express = require('express');
const session = require('express-session');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
// Your user model (assumed here to expose a callback-style findOne/findById).
// verifyPassword must compare against a stored salted hash (bcrypt/scrypt/Argon2),
// never against a plaintext password.
const User = require('./models/user');

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      // Same failure result for "no such user" and "wrong password", so the
      // login form does not reveal which usernames exist.
      if (!user || !user.verifyPassword(password)) { return done(null, false); }
      return done(null, user);
    });
  }
));

// Only the user id goes into the session; the user is reloaded on each request.
passport.serializeUser((user, done) => done(null, user.id));
passport.deserializeUser((id, done) => User.findById(id, done));

const app = express();
app.use(express.urlencoded({ extended: true })); // body-parser is built into Express >= 4.16
app.use(session({
  secret: process.env.SESSION_SECRET,            // from the environment, never hard-coded
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true, sameSite: 'lax' }
}));
app.use(passport.initialize());
app.use(passport.session()); // required: without it the login is not persisted

app.post('/login', passport.authenticate('local', {
  successRedirect: '/',
  failureRedirect: '/login'
}));

🔧 Implementing Authorization in Code

Here's an example of RBAC in Express.js. The role is taken from the authenticated user (req.user, populated by Passport after login), never from the route definition or from the request itself; a check that only asks whether a hard-coded role permits an action would pass for every caller and is not authorization at all:

const roles = {
  admin: ['create', 'read', 'update', 'delete'],
  user: ['read']
};

// Middleware factory: allow the request only if the caller's role grants `action`.
// The role comes from req.user (set by Passport), not from the route or the client.
function authorize(action) {
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).send('Unauthorized');   // not authenticated
    }
    const permitted = roles[req.user.role] || [];    // unknown role => no permissions
    if (permitted.includes(action)) {
      return next();
    }
    res.status(403).send('Forbidden');               // authenticated, but not allowed
  };
}

// Only roles granted 'update' (admin) reach this route.
app.get('/admin', authorize('update'), (req, res) => {
  res.send('Admin Content');
});

// Every role grants 'read', so any logged-in user reaches this route.
app.get('/user', authorize('read'), (req, res) => {
  res.send('User Content');
});

Series Index

Part 1: 🚀 JavaScript Techniques and Best Practices
Part 2: Fundamentals of JavaScript