Auth and HTTP Deep Dive

Types are JWT/token based authentication and cookie-based authentication.

When we sign in to an app/site i.e. give my creds, press “sign-in”, POST request goes to /signin endpoint on the server, it extracts my username and password, checks and validates if the creds are present in database, if yes, i am signed in and the server returns me a token (need to keep safe) as this token will help me to identify myself to the particular server in the future. This token gets stored in my browser.

Now in all subsequent requests to the server (GET/POST/…), I am sending the above token along with the request which lets the server know that its me…this token is unique to me. This token allows persistent sessions as I am only logging in once and using this token, I can access anything on the app until I log out. Auth workflow below:

Although 2 people send request to the same endpoint GET/ courses, they get back different data i.e. only the courses they bought how??

because the token is something like : { user_id : 123,ttl : 12} for one user and for other {user_id : 345,ttl:11}

so when they access same route, the server extracts the user_id from the token present in the incoming request and checks if that user-id present in dB …if yes, sends me back only the courses associated to that user id i.e. dB[123] will have different courses than dB[456].

So, after the user successfully logged in and we send him the token, we create authenticated endpoints (all the endpoints which will expect the earlier sent token in the request body).

The problem is that we need to send a request to the database every time the user wants to hit an authenticated endpoint when using basic tokens. Hence. we use JWT’s.

Normal tokens are stateful tokens i.e. need to be stored in a database….unlike JWT’s.

JWT’s can be decoded by anyone to get the username/email but verification can only be done using JWT_SECRET. Verification is different from decoding as former confirms that the email/username belongs to me whereas latter just gives me back the associated email with the JWT.

FE→BE workflow :

We send a request to backend with our credentials so that we can get logged in.
The creds go through a middleware which performs the checks & validation. If everything looks good, it will forward the request to the next route handler else it terminates the request.
On reaching appropriate login route, backend extracts the creds from req.body and checks if a user exists in db./in-memory array with the same creds.
If yes, it generates a JWT token using the user’s username and sends it back to the frontend(this is basically a unique ID proof for the user who generated the request in the first place).
Frontend on receiving the response/JWT from backend stores it in localStorage(basically if FE gets back JWT, its proof that we have logged in successfully) so we get navigated to the next page (which only authenticated users can access)
In the next page, initially we generate another fetch request to get the authenticated user’s data from backend and in the request headers we attach the JWT stored in localStorage, so that backend , on seeing the jwt knows that we are an authenticated user.
Using jwt.verify, if we get back a username which exists in db/in-memory variable, we send back the data associated with that username to the FE else we respond with a message “Invalid token”