These are in-class notes compiled from Mason's Lecture 24, Node.js (Part 8).
- Authentication: who are you
- Common authentication methods include identity verification protocols (such as OAuth, OpenID Connect), token-based authentication (such as JWT), and certificate authentication.
- Authorization: what can you do
- Common authorization mechanisms include Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Policy-Based Access Control, and others.
Continued from the previous lecture's repo (source code).
- Unique fields, for example `username`
- Auth controller includes business logic for register and login
- User controller includes CRUD operations for user data
- Generally a CMS does not allow public self-registration; new users are usually created by super administrators (the create-user action in the user controller).
- 409 Conflict: user already exists when creating a user
- 401 Unauthorized: username or password incorrect during login
- Method One: hashing
  - Hashing is one-way (non-reversible); it can only be used to compare the hash stored in the database with the hash of the password the user entered.
  - Salt: makes the hash of the same password differ each time, but the salt itself is stored in plaintext alongside the hash.
  - Pepper: a secret kept outside the database, so it is not stored in plaintext; usually unnecessary.
- Method Two: Mongoose instance method
  - Mongoose provides `Schema.method` for custom methods, e.g. one that verifies the password, which is then called in the controller.
  - It cannot be an arrow function because it needs to use `this`.
- JWT: header + payload + signature
  - Advantages:
    - Stateless server (state is in the token)
    - Cross-origin / cross-domain
  - Disadvantages:
    - Once a JWT is issued, it remains valid until it expires, which means administrators cannot forcibly log out a particular account at any given moment.
- Cookie/session: for server-side rendering
  - Advantages:
    - CSRF
    - Stateful server (state is in the session)
    - It can record some user information and behavior.
- Sometimes both `token` and `cookie` are used.
- Typically, a secret is generated and managed by DevOps using scripts.
- Set expiration time.
- Access token and refresh token.
- `utils/jwt.js`: `jwt.sign()` and `jwt.verify()`
  - Use `try {} catch (e) {}` around `jwt.verify()`.
  - When parsing the token with `jwt.verify()`, you can obtain the role and the user's permissions.
- When to return a token:
- After logging in.
- Do not return a token after registration because it involves email verification (usually handled by third-party packages).
- Add a `locked` attribute to user data to manage and modify the blocked status of the account:

```js
{
  "_id": ObjectId("123456789012345678901234"),
  "username": "example_user",
  "email": "user@example.com",
  "password": "hashed_password",
  "locked": false
}
```
- RBAC: Role-Based Access Control
  - Multiple roles, for example:
    - Admin: Add, Delete, Post, Put
    - User: Add, Post, Put
- ABAC: Attribute-Based Access Control (same role, custom operation permissions)
- In large-scale projects, for easier management, auth checks might be placed in controllers or services rather than in middleware.
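The following added example (not from the lecture repo) turns the RBAC table above, the ABAC idea of per-user overrides within a role, and the `locked` flag into one Express-style authorization middleware. It assumes an earlier middleware has already verified the JWT and set `req.user` with `role`, `locked` and an optional `permissions` object; those field names, `requirePermission` and the `runMiddleware` stub that stands in for Express are assumptions.

```javascript
// RBAC: role -> allowed actions, using the lecture's example roles.
const rolePermissions = {
  admin: new Set(['add', 'delete', 'post', 'put']),
  user: new Set(['add', 'post', 'put']),
};

// Decide whether `user` may perform `action`.
// Order matters: a locked account is refused before any role lookup, and a
// per-user ABAC override (hypothetical `permissions` field) beats the role table.
function isAllowed(user, action) {
  if (user.locked) return false;
  if (user.permissions && Object.prototype.hasOwnProperty.call(user.permissions, action)) {
    return user.permissions[action] === true;
  }
  const allowed = rolePermissions[user.role];
  return Boolean(allowed && allowed.has(action));
}

// Express-style middleware factory. `req.user` is assumed to have been set by
// a JWT-verifying middleware earlier in the chain.
function requirePermission(action) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'Unauthorized' }); // who are you?
    if (!isAllowed(req.user, action)) return res.status(403).json({ error: 'Forbidden' }); // what can you do?
    return next();
  };
}

// Minimal stand-in for Express's req/res so the middleware runs stand-alone.
// Returns the status the middleware set and whether it passed control on.
function runMiddleware(middleware, user) {
  let statusCode = 200;
  let calledNext = false;
  const res = {
    status(code) { statusCode = code; return this; },
    json() { return this; },
  };
  middleware({ user }, res, () => { calledNext = true; });
  return { statusCode, calledNext };
}

module.exports = { isAllowed, requirePermission, runMiddleware };
```

With Express this is mounted per route, for example `router.delete('/users/:id', requirePermission('delete'), deleteUser)`; the 401 vs 403 split keeps the authentication question (who are you) separate from the authorization question (what can you do).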
- Third-party login: establish and associate a third-party login database, or alternatively use existing third-party libraries.