Authorization and Authentication for Web Apps

Author: Emmanuel

Date: 2024-12-05

To start we look at what will be covered in this article.

Adding Authentication
Authorization
Industry-Standard Tools and Libraries
Full-Service Authentication and Authorization Providers
Middleware for Protection
Best Practices
Example Workflow
Comparison of session-based authentication and stateless authentication (e.g., JWT), along with recommendations for security-conscious use cases.

Cybersecurity has been a major issue of concern to industries over the last decade. Whether large or small, in today's world almost every business that exists strives to have an online present. Today the majority of potential consumers of any product tend to prefer purchasing and reach out online as a convenient way to get things done. With a business online customers can conveniently access its products and services at the comfort of their home and thus make purchases decisions and get their order without leaving their home.

This convenience advantage has led to the surge of industry mainstreams taking the decisions of digitizing their businesses as often as it has ever been. As businesses embrace digitization in mass, so has cyber crime increased in proportion, thus industries are working tirelessly on ways to tighten security of their digital products and services. More methods like multifactor authentication and passkeys security measures has been one major method that has recently seen increase in adoption by industries. This article will focus on authorization and authentication of application users in a REST API scenario.

Adding authentication and authorization for example, to a REST API with user and product inventory routes is crucial for security. The choice of tools and libraries depends on your stack and requirements. But here are some industry-standard and ways you can secure areas of an web application:

Authentication:

What is authentication:

Authentication refers to a process or situation where a server needs to know or verify who is accessing its content. Authentication would usually go both ways the client also wants to be sure the server provider is really who they say they are, so while the server is trying to verify that the client is who they say they are so does a legitimate client the server. In a single sentence, Authentication verifies the identity of a user.

Industry-Standard Tools and Libraries

1.JWT (JSON Web Tokens):

Library:
- jsonwebtoken (Node.js)
Use Case: Stateless authentication, where the server does not store session data.
How It Works:
- On login, a token is generated and signed with a secret or private key.
- The token is sent to the client and included in every request (usually in the Authorization header as Bearer token ).
- The server verifies the token to authenticate the user.

Basic Example

* TypeScript:

import jwt from 'jsonwebtoken';

const generateToken = (userId: string) => {
  return jwt.sign({ id: userId }, process.env.JWT_SECRET!, { expiresIn: '1h' });
};

const verifyToken = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) return res.status(401).json({ message: 'Unauthorized' });

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
    req.user = decoded;
    next();
  } catch (err) {
    res.status(403).json({ message: 'Forbidden' });
  }
};

2.OAuth2:

Libraries:
- Passport.js (general-purpose, supports multiple strategies).
- OAuth2orize (for building an OAuth2 provider).
Use Case: When integrating with third-party identity providers (e.g., Google, Facebook, GitHub).
How It Works:
Users log in using third-party accounts, and your API validates the access tokens issued by these providers.

3.Session-Based Authentication:

Library:
- express-session
Use Case: When you need server-side session storage for user authentication.
How It Works:
- On login, the server creates a session and stores it in a database.
- A session cookie is sent to the client for subsequent requests.

Authorization

On the other hand, authorization simply means controlling access to resources based on user roles and permissions.

Industry-Standard Tools and Libraries

1.Role-Based Access Control (RBAC):

Libraries:
- casl (highly flexible for defining abilities and roles).
- accesscontrol (simple RBAC library).
How It Works:
- Define roles (e.g., admin, user, manager).
- Associate permissions with routes (e.g., admin can manage products, user can view inventory).
- Middleware checks user roles/permissions before allowing access.

Example with CASL:

* TypeScript:

import { AbilityBuilder, Ability } from '@casl/ability';

const defineAbilitiesFor = (user) => {
  const { can, cannot, build } = new AbilityBuilder(Ability);

  if (user.role === 'admin') {
    can('manage', 'all'); // Admins can do everything
  } else {
    can('read', 'Product'); // Regular users can only read products
    cannot('delete', 'Product'); // Regular users cannot delete products
  }

  return build();
};

const checkPermission = (action, resource) => (req, res, next) => {
  const ability = defineAbilitiesFor(req.user);
  if (ability.can(action, resource)) {
    return next();
  }
  res.status(403).json({ message: 'Forbidden' });
};

// Use in routes
app.delete('/products/:id', checkPermission('delete', 'Product'), (req, res) => {
  // Product deletion logic
});

2.Attribute-Based Access Control (ABAC):

Libraries:
- casbin (ABAC with flexible policy configurations).
How It Works: Policies define access based on user attributes, resource attributes, and environmental context.

Full-Service Authentication and Authorization Providers

For projects where you don’t want to build these systems from scratch, use managed services:

1.Auth0:

Provides full authentication, authorization, and user management.
Supports passwordless login, social logins, and multi-factor authentication.
Easy to integrate with Express via Auth0 SDK.

2 Firebase Authentication:

Part of Google Firebase.
Handles email/password, social login, and phone authentication.
Best for projects already using Firebase.

3.AWS Cognito:

Amazon’s identity and access management service. AWS Cognito
Ideal for applications deployed on AWS.

4.Okta:

Enterprise-grade identity service.
Great for complex user management needs.

Middleware for Protection

In simple terms, Middleware ensures that only authorized users can access protected routes.

Example Middleware for Authentication:

* TypeScript:

import jwt from 'jsonwebtoken';
import { Request, Response, NextFunction } from 'express';

const authenticate = (req: Request, res: Response, next: NextFunction) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) return res.status(401).json({ message: 'Unauthorized' });

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET!);
    req.user = decoded;
    next();
  } catch (err) {
    res.status(403).json({ message: 'Forbidden' });
  }
};

export default authenticate;

5.Best Practices

Use HTTPS:
- Always secure your API with HTTPS to protect sensitive data.
Secure JWTs:
- Use strong secrets for signing tokens.
- Set expiration times for tokens and handle refresh tokens securely.
Rate Limiting:
- Use libraries like express-rate-limit to prevent abuse.
Validate Input:
- Use libraries like Joi or Zod to validate incoming requests.
Audit Logs:
- Maintain logs for authentication and authorization events for monitoring and debugging.

Example Workflow

1.Authentication:

User logs in with email/password.
A JWT is issued and sent to the client

2.Authorization:

Each route checks the user's role/permissions using middleware.
Actions like creating products are restricted to admin users.

3.Protected Routes:

Routes validate the JWT and allow access only if the token is valid.

Comparison of session-based authentication and stateless authentication (e.g., JWT), along with recommendations for security-conscious use cases.

Session-Based Authentication

Session-based authentication involves storing session data on the server and using cookies to maintain user sessions.

How It Works:

User logs in, and the server creates a session (a unique ID linked to the user) and stores it in a database or in-memory store (e.g., Redis).
The session ID is sent to the client as a cookie.
On subsequent requests, the client includes the cookie, and the server retrieves the session data to authenticate the user.

Pros:

Server-Side Control:
- Session data is stored on the server, so the server can invalidate a session at any time (e.g., during logout or for suspicious activity).
Easier to Implement in Monolithic Applications:
- Especially when the frontend and backend are tightly coupled.
More Secure Against Token Theft
- Since cookies can be configured with HttpOnly, Secure, and SameSite attributes, they are less likely to be stolen via client-side attacks like XSS.

Cons:

Scalability Issues
- The server must store session data, which increases memory usage as the number of users grows. Scaling requires a centralized session store (e.g., Redis), which adds complexity.
Tied to Cookies
- Requires careful configuration of cookies (HttpOnly, Secure, SameSite, etc.) to prevent attacks like CSRF and XSS.
Stateful
- Sessions need to be stored and managed, making it less suitable for highly distributed or serverless architectures.

Stateless Authentication (JWT)

Stateless authentication uses self-contained tokens, typically in the form of JSON Web Tokens (JWTs), to authenticate users.

How It Works:

User logs in, and the server generates a signed JWT containing claims (e.g., user ID, roles).
The token is sent to the client (usually stored in Authorization headers or localStorage).
On subsequent requests, the server validates the token's signature without storing any state.

Pros:

Scalability:
- No need to store session data on the server. Each request is stateless, making it ideal for distributed or serverless environments.
Flexibility:
- Tokens can be used across multiple services or APIs without needing centralized session storage.
Performance:
- Eliminates database lookups for session data.

Cons:

Token Revocation
- Once issued, tokens cannot be easily revoked unless you implement a token blacklist, which reintroduces some state.
Security Concerns with Token Storage
- Storing tokens in localStorage exposes them to XSS attacks, while storing them in cookies makes them vulnerable to CSRF attacks (though mitigated with SameSite cookies).
Payload Size
- Tokens can grow large if they include too many claims, which increases request sizes.

Security Considerations

Session-Based Authentication:

Pros for Security:
- Centralized session management allows easy invalidation of compromised sessions.
- HttpOnly and Secure cookies mitigate risks from XSS.
- Strong against CSRF when combined with proper cookie attributes and CSRF tokens.
Cons for Security
- Server needs to trust and properly protect the session store.
- More configuration is required to secure cookies properly.

Stateless Authentication (JWT):

Pros for Security:
- Tokens are signed, so they cannot be tampered with.
- Can include expiration times to limit the window for token abuse.
Cons for Security:
- Difficult to revoke tokens without additional mechanisms like a blacklist.
- Tokens stored in the client are vulnerable to theft, requiring secure storage and transport mechanisms.

Best Choice for Security

The best choice depends on your architecture and specific requirements. Here’s a recommendation based on security concerns:

Use Session-Based Authentication When:

You are building a monolithic application with centralized session storage.
You prioritize security over scalability (e.g., banking apps, internal enterprise systems).
You want fine-grained control over session invalidation.

Use Stateless Authentication (JWT) When:

You are building a distributed or serverless application.
Scalability and performance are critical.
You are comfortable implementing additional security measures (e.g., token rotation, blacklisting, shorter token lifetimes).

Hybrid Approach (Best Practice for Security and Scalability)

You can combine the strengths of both approaches:

Use stateless JWTs for initial authentication but issue short-lived tokens.
Use a refresh token stored in a secure, HttpOnly cookie for reissuing tokens when they expire.
Implement a token blacklist or a token revocation list to handle compromised tokens.

Example:

JWT for access: Short-lived token (e.g., 15 minutes) stored in memory or headers.
Refresh token: Long-lived, securely stored (e.g., in an HttpOnly cookie).
Backend logic
- Validate access tokens for normal requests.
- Use refresh tokens only when access tokens expire.
- Maintain a blacklist of revoked refresh tokens.

Summary Table

Feature	Session-Based Authentication	Stateless Authentication (JWT)
Scalability	Limited, requires session store	Highly scalable
Ease of Implementation	Simpler for monoliths	Simpler for distributed systems
Security	Stronger control, revocable	Harder to revoke
Storage	Server-side	Client-side
Use Case	Banking, enterprise systems	Distributed systems, APIs, microservices

Conclusion

For security-sensitive use cases, session-based authentication with well-configured cookies is generally safer. For distributed systems, consider a hybrid approach to balance security and scalability.

Recomendation and Example

When combining Passport.js with JWT (stateless authentication), the industry-standard strategy is the passport-jwt strategy. This approach leverages JSON Web Tokens for authentication while benefiting from Passport's modularity and middleware-based integration.

Why passport-jwt?

1.Stateless Authentication:

No need for server-side session management. The server only validates the JWT, which contains all the necessary user information.

2.Compatibility:

passport-jwt works seamlessly with token-based workflows, such as API authentication or Single Page Applications (SPAs).

3.Security:

JWTs are signed using a secret (HS256) or private/public key pair (RS256), ensuring tamper-proof authentication tokens.

4.Flexibility:

Works well with other Passport strategies, allowing a hybrid approach (e.g., OAuth2 for initial login, JWT for subsequent requests)

Typical Setup for `passport-jwt`

1.Install Required Packages

bash
npm install passport passport-jwt jsonwebtoken

2.Configure the JWT Strategy

import passport from 'passport';
import { Strategy as JwtStrategy, ExtractJwt } from 'passport-jwt';

// Your secret or private key
const JWT_SECRET = process.env.JWT_SECRET || 'your_secret_key';

// JWT options
const opts = {
  jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  secretOrKey: JWT_SECRET,
};

// Define the strategy
passport.use(
  new JwtStrategy(opts, async (jwtPayload, done) => {
    try {
      // Example: Validate the user based on the payload
      const user = await findUserById(jwtPayload.id); // Replace with your DB call
      if (user) {
        return done(null, user); // Pass user to req.user
      }
      return done(null, false); // No user found
    } catch (error) {
      return done(error, false);
    }
  })
);

3.Issue a JWT on Login
Use a library like jsonwebtoken to generate a token when the user logs in.

import jwt from 'jsonwebtoken';

const JWT_SECRET = process.env.JWT_SECRET || 'your_secret_key';

function generateToken(user) {
  return jwt.sign(
    { id: user.id, username: user.username, role: user.role }, // Payload
    JWT_SECRET,
    { expiresIn: '1h' } // Expiration time
  );
}

4.Protect Routes Using Middleware

import express from 'express';

const app = express();

// Protect an endpoint
app.get(
  '/protected',
  passport.authenticate('jwt', { session: false }),
  (req, res) => {
    res.json({ message: 'You are authorized!', user: req.user });
  }
);

Best Practices When Using `passport-jwt`

1.Use Short-Lived Tokens:

Set the JWT expiration (exp) to a short time (e.g., 15 minutes) and implement a refresh token mechanism for re-issuing tokens securely.

2.Secure Token Storage:

Store tokens securely on the client:
Use HttpOnly cookies for web applications (mitigates XSS attacks).
Avoid storing tokens in localStorage or sessionStorage unless necessary.

3.Validate Tokens on Each Request:

Ensure token signatures and expiration times are validated for every incoming request.

4.Token Revocation:

Implement a token blacklist or revocation mechanism (e.g., storing revoked tokens or sessions in a database) for high-security requirements.

5.Combine with Other Strategies:

Use passport-local for login and token issuance:
Authenticate username/password using passport-local.
Issue a JWT on successful login.

Example Hybrid Flow: Combining passport-local with passport-jwt

1.Install passport-local

bash
npm install passport-local

2.Configure passport-local

TypeScript:

import { Strategy as LocalStrategy } from 'passport-local';

// Example local strategy
passport.use(
  new LocalStrategy(async (username, password, done) => {
    try {
      const user = await findUserByUsername(username); // Replace with your DB call
      if (!user || !validatePassword(user, password)) {
        return done(null, false, { message: 'Invalid credentials' });
      }
      return done(null, user);
    } catch (error) {
      return done(error);
    }
  })
);

3.Login Route (Issue JWT)

TypeScript:

app.post('/login', (req, res, next) => {
  passport.authenticate('local', { session: false }, (err, user, info) => {
    if (err || !user) {
      return res.status(401).json({ message: info?.message || 'Unauthorized' });
    }

    // Generate token
    const token = generateToken(user);
    return res.json({ token });
  })(req, res, next);
});

Summary

Feature	Session-Based (passport-local)	JWT-Based (passport-jwt))
Statefulness	Requires session store	Stateless
Scalability	Limited	Highly scalable
Security	Centralized control	Decentralized, token revocation needed
Best Use Case	Monolithic apps	Distributed apps, APIs

Was this page helpful?

If you find this article helpful, please feel free to share the link.

Yes👍 No👎