Authentication is the process of verifying an identity, e.g. you’re actually michael
Authorization is the process of verifying what someone is allowed to do, e.g. permissions
Auth flow: the username and password are sent to an endpoint, e.g. /login or /signup, which returns a JSON Web Token (JWT)
The password will be hashed with an adaptive function, e.g. bcrypt. This means that in time we can increase the iteration count to make it slower so it’s resistant to brute-force search attacks.
For bcrypt salt rounds — 10 is a good start.
A bcrypt work factor of 12 means it’d take approximately 12 years to crack a password (of course this depends on the hardware), whereas the same hardware would need 40 seconds to recover a password from an MD5 hash.
For sign-up, we save the hashed password + the username to a SQL table, then send back a JWT; this step could require the user to validate his/her email first.
If a user only needs to log in, we run the submitted password through bcrypt, compare the result with the hash stored in the database, and if they match, send a JWT. If not, we send an HTTP 401 status code.
JWT (JSON Web Token) – https://jwt.io/introduction/
This is a secure way to transfer claims between 2 parties. The claims can be digitally signed or encrypted, and the integrity of the message is protected.
JWT payloads / claims are easily viewable (they are only base64url encoded), so they are not confidential.
JWTs have a header (base64url encoded JSON with “alg” and “typ”).
The payload / claims are also base64url encoded JSON, e.g. with:
- “iss” (Issuer) claim
- “sub” (Subject) claim
- “aud” (Audience) claim
- “exp” (Expiration Time) claim
More are available at: https://tools.ietf.org/html/rfc7519#section-4.1
Signature for the integrity of your message:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), 256-bit secret ) = signature (base64url encoded); the token is header.payload.signature
LocalStorage / SessionStorage – protects against CSRF as there are no cookies
LocalStorage / SessionStorage – every request requires an auth token and it’s vulnerable to XSS (cross-site scripting) attacks
Cookies – if httpOnly, attacks that read the token from JavaScript are mitigated because JavaScript can’t access the cookie; cookies are sent automatically so you don’t have to code this, however this creates a CSRF issue. We mitigate this problem by:
- using 2FA and sanitizing input via escaping all input we receive;
- setting our cookies with the SameSite attribute so that cookies aren’t sent on cross-site requests;
- adding CSRF tokens to forms to protect against CSRF;
- and finally, setting the Secure flag so cookies are only sent over HTTPS.
Require re-auth for sensitive features.