Authentication and Authorization

Module Summary

This module provides a comprehensive introduction to web security, focusing on authentication and authorization. Learners will explore fundamental concepts like password security and session management, and implement various authentication mechanisms, including basic credential-based login, token-based authentication with JSON Web Tokens (JWT), and third-party login with OAuth. The module is primarily conceptual, aiming to build a strong understanding of security principles and popular Node.js packages like Passport.

Learning Objectives

Implement a basic authentication system, including user login and registration functionality.
Apply best practices for password security, including hashing and password reset mechanisms.
Utilize token-based authentication using JSON Web Tokens (JWT) to secure web applications.
Integrate OAuth with third-party providers like Google, Facebook, or GitHub for user authentication.

Learning Outcomes

Learners will be able to design and implement secure authentication and authorization solutions for modern web applications.

Module Outline

Lesson 1: Foundations of Web Authentication & Password Security

Time: 2.5 hours
Topics:
- Core Concepts: Authentication vs. Authorization.
- User Models and Schemas.
- Password Security: Hashing and salting with bcrypt.
Activities:
- Practice hashing and comparing passwords using bcrypt.
Knowledge Check:
- Questions on hashing principles and secure user schema design.

Lesson 2: Session and Token-Based Authentication

Time: 3 hours
Topics:
- Stateful vs. Stateless Authentication.
- Introduction to JSON Web Tokens (JWTs): Structure, signing, and verification.
- Storing and transmitting tokens on the client-side.
Activities:
- Create, sign, and decode a JWT.
Knowledge Check:
- Compare and contrast session-based and token-based authentication.

Time: 2 hours (asynchronous)
Task: Build a simple API with user registration and login endpoints.
Objective: Demonstrate the ability to create new users with hashed passwords and validate user credentials upon login.

Lesson 3: Securing API Endpoints

Time: 2.5 hours
Topics:
- Protecting Routes with Authentication Middleware.
- Implementing basic authorization (e.g., checking user roles).
- Introduction to Passport.js for authentication strategies.
Activities:
- Write an Express middleware to verify a JWT and protect an endpoint.
Knowledge Check:
- Debugging scenarios involving protected routes and incorrect tokens.

Lab 2: Secure Record Storage

Time: 1 hour
Task: Secure a pre-existing API so that users can only view and manage records they own.
Objective: Implement token-based authorization to restrict access to resources based on user ownership.

Lesson 4: Third-Party Authentication with OAuth

Time: 2 hours
Topics:
- Understanding the OAuth 2.0 Flow.
- Registering an application with a third-party provider (e.g., Google, GitHub).
- Integrating an OAuth strategy using Passport.js.
Activities:
- Configure an OAuth application in a provider’s developer console.
Knowledge Check:
- Diagramming the OAuth data flow from user request to successful login.

Lab 3: OAuth Integration

Time: 2 hours (asynchronous)
Task: A reading assignment on the nuances of a real-world OAuth implementation, followed by a written reflection.
Objective: Articulate the steps, security considerations, and user experience trade-offs of adding third-party login to an application.

Assessments

Skills-Based Assessment (SBA): Secure Web Portal

Time: 5.5 hours
Format: Practical project
Activity: Build a secure Express application where users can register, log in (via credentials and a third-party provider), and manage a collection of private resources (e.g., notes, bookmarks).
Deliverable: A GitHub repository containing the fully functional and secure API.

Knowledge-Based Assessment (KBA): Auth Principles

Time: 1.5 hours (asynchronous)
Format: Multiple-choice questions.
Activity: A 30-point test covering core authentication concepts, password security best practices, JWT structure and usage, and the OAuth 2.0 flow.