Authentication - KeynesYouDigIt/Knowledge GitHub Wiki

Concepts

Sessions

Sessions store user information so that you don't need to look it up or reauthenticate every time

• You can store sessions in a data store on the server, and access them with a key stored in a cookie on the user's browser
• You can store sessions in JWTs, which are encrypted and decrypted by the server, and kept in local storage on the user's browser

Verification

Once you have a user's credentials, you need to make sure they are a valid user.

• Hashing, etc. happens here
• You can use their credentials to look them up in a database

Strategies

• Local - Username/Password from a form, stored locally
• Basic - Username/Password from a header, stored locally
• OAuth/Social - User redirects to a third-party site, returns with an authorization key
• JWT - Encrypt/Decrypt a session that the app makes, but the user stores

Third-Party Authentication

• Generally have to get a client ID and client secret from them, and send OAuth requests to them with these
• You may also have to white-list callback URLs/patterns
• Your app sends a user to a route that fires off the OAuth redirect
• When the user's browser redirects to the third-party, it knows how to get back to the site because of the callback URL
• The callback URL should try to authenticate the user, redirect back to login in case of a failure, or redirect to a route in case of success