One of the most important features of web applications is the ability to allow users to authenticate. The application should keep track of the authenticated users; however, web requests are stateless. Each request is treated as an unrelated transaction to any previous request. There are multiple workarounds to keep track of logged users such as sessions, cookies, and tokens. Once we solve the authentication needs, another important feature is authorization. It dictates what the users can see and do inside the app. Authorization assigns roles to the users. For instance, a seller should be able to edit his/her own products but not anyone else's. However, administrators should be able to edit/delete any product that they find inappropriate.
Modern applications allow logins not only through usernames and passwords, but also through social networks. This latter strategy of authentication usually uses OAuth, which is an open protocol that enables secure authentication through third-party applications.
In this context, we are going to cover the following topics in this chapter:
Generally, the task of implementing user authentication can be time-consuming and repetitive. Thankfully, the Yeoman generator gets us started with all the boilerplate code. We will start with the most common authentication strategies. Later, we will make them functional using the Facebook, Google, and Twitter API keys. Then, we will go through the backend authentication and routes. And finally, we are going to create end-to-end tests to make sure the users can log in using their username/password and social authentications.
Let's first take a necessary detour, and explain how the different authentication mechanisms work.
Session-based authentication is one of the most common methods for providing authentication. It uses cookies to save a session ID that is usually related to the user ID. Once the user is logged in, the session ID is passed on each request:
POST
request to the server with the username and password.Token-based authentication uses JSON web tokens instead of cookies. Once the user is logged in, a token is added to the HTTP header of each request to validate the user.
The JSON Web Token authentication diagram might look similar to the session-based authentication, but it brings some advantages that we are going to discuss later.
The main difference is that instead of relying on cookies, it uses an HTTP header to send the authentication token.
Authentication: Bearer TOKEN
.There seems to be only one subtle difference between these two kinds of authentication, but there are great advantages of using JWT over session-based authentication such as the following:
For a deeper understanding about how JWT works, take a look at http://jwt.io/.
OAuth-based authentication is popular on social networks for allowing third-party applications to provide a single sign-on. For instance, you might want to login to an app using your Twitter account information without compromising your Twitter account credentials (username/password). That's what OAuth enables us to do, and it is useful for both registering and signing in as a user with just one click.
The following diagram shows the interactions between the client (the customer's browser), server (the e-commerce application), and the OAuth provider (for example, Twitter). This is called a three-legged OAuth:
oauth_verifier
.oauth_verifier
to exchange the Request Token for an Access Token. The provider grants the Access Token along with the user's profile data.This is one of the most common scenarios for OAuth, and the one that we are going to use in this project.
18.226.159.192