# authentication and authorization

authentication mechanism to assign an identity to a subject and basically to asnwer questions 'who are you?' in a given context (platofmr, os, phonr). the process of answering this question is authentication


authorization is process of answering the question 'what can you do??'  in a particular contect like platform, os ,phone.  

# Authentication vs Authorization (From First Principles)

You've got the core concepts right. Let me refine and expand them precisely.

---

## Core Definitions

### Authentication
**Question:** "Who are you?"

**Definition:**
The process of **verifying identity** — proving that you are who you claim to be.

**Example:**
- You claim: "I am user 'zohaib'"
- System asks: "Prove it"
- You provide: password, fingerprint, token
- System verifies: ✅ "Yes, you are zohaib" or ❌ "No, you're not"

**Key point:** Authentication doesn't care what you're allowed to do. It only establishes identity.

---

### Authorization
**Question:** "What are you allowed to do?"

**Definition:**
The process of **verifying permissions** — determining what actions an authenticated user can perform.

**Example:**
- System knows: "You are zohaib" (already authenticated)
- You try: "Delete user account"
- System checks: "Does zohaib have delete permission?"
- System allows or denies

**Key point:** Authorization requires authentication first. You can't check permissions without knowing who you are.

---

## The Relationship

**Authentication comes FIRST, authorization comes SECOND.**

```
User Request
    ↓
Authentication: Who are you?
    ↓
    ✅ Authenticated (identity verified)
    ↓
Authorization: What can you do?
    ↓
    ✅ Authorized (permission granted)
    ↓
Action Performed
```

**Without authentication:**
- No authorization possible
- System doesn't know who you are
- Can't check permissions

**With authentication but no authorization:**
- System knows who you are
- But denies all actions (no permissions)

---

## Real-World Analogy

**Airport Security:**

**Authentication (ID check):**
- Guard asks: "Who are you?"
- You show: Passport
- Guard verifies: Photo matches face, passport is valid
- Result: ✅ "You are John Doe"

**Authorization (Boarding pass check):**
- Guard asks: "Which flight can you board?"
- You show: Boarding pass for Flight 123
- Guard verifies: Boarding pass is valid, matches your ID
- Result: ✅ "You can board Flight 123" or ❌ "Wrong flight"

**Key insight:**
- Passport = authentication (proves who you are)
- Boarding pass = authorization (proves what you can access)

---

## Authentication Mechanisms

### 1. Password-Based Authentication

**How it works:**
```
User → username + password → Server
Server → hash password → compare with stored hash
Match? → ✅ Authenticated
```

**Example:**
```javascript
// User sends
{
  "username": "zohaib",
  "password": "mypassword123"
}

// Server verifies
const storedHash = db.getPasswordHash("zohaib");
const inputHash = bcrypt.hash("mypassword123");

if (storedHash === inputHash) {
  // Authenticated ✅
  return generateToken(user);
} else {
  // Not authenticated ❌
  return 401 Unauthorized;
}
```

**Security rules:**
- ❌ Never store plain passwords
- ✅ Always hash (bcrypt, argon2)
- ✅ Add salt (random data to hash)
- ✅ Use HTTPS (encrypt in transit)

**Pros:**
- ✅ Simple
- ✅ Universal

**Cons:**
- ❌ Passwords can be weak
- ❌ Passwords can be stolen
- ❌ Users reuse passwords

---

### 2. Token-Based Authentication

**How it works:**
```
1. User logs in with username/password
2. Server generates token (JWT, session token)
3. Client stores token
4. Client sends token with every request
5. Server verifies token
```

**Example with JWT:**

**Login:**
```javascript
// Step 1: User logs in
POST /login
{
  "username": "zohaib",
  "password": "mypassword123"
}

// Step 2: Server returns JWT
200 OK
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

**JWT structure:**
```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

↓ Decode

Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622  // Expiration
}

Signature:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
```

**Subsequent requests:**
```javascript
GET /api/users/profile
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// Server verifies signature
// Extracts user ID from payload
// Knows: This is user 1234567890
```

**Pros:**
- ✅ Stateless (server doesn't store sessions)
- ✅ Scalable
- ✅ Works across domains
- ✅ Self-contained

**Cons:**
- ❌ Can't revoke (until expiration)
- ❌ Token can be stolen
- ❌ Payload visible (base64, not encrypted)

---

### 3. Session-Based Authentication

**How it works:**
```
1. User logs in
2. Server creates session, stores in database/Redis
3. Server sends session ID to client (cookie)
4. Client sends session ID with every request
5. Server looks up session
```

**Example:**

**Login:**
```javascript
POST /login
{
  "username": "zohaib",
  "password": "mypassword123"
}

// Server creates session
sessionId = generateUUID();  // "abc123..."
redis.set(sessionId, { userId: 123, ...});

// Server sends cookie
Set-Cookie: sessionId=abc123...; HttpOnly; Secure; SameSite=Strict
```

**Subsequent requests:**
```javascript
GET /api/users/profile
Cookie: sessionId=abc123...

// Server looks up session
session = redis.get("abc123...");
userId = session.userId;  // 123
// Knows: This is user 123
```

**Pros:**
- ✅ Can revoke immediately (delete session)
- ✅ Server has full control
- ✅ Session data server-side (secure)

**Cons:**
- ❌ Requires server storage
- ❌ Harder to scale (sticky sessions)
- ❌ Doesn't work across domains easily

---

### 4. OAuth 2.0 / OpenID Connect

**What it is:**
Delegated authentication. "Login with Google/Facebook/GitHub"

**How it works:**
```
1. User clicks "Login with Google"
2. Redirect to Google
3. User logs in at Google (not your site)
4. Google redirects back with auth code
5. Your server exchanges code for access token
6. Your server uses token to get user info from Google
```

**Flow:**
```
Your App
  ↓ redirect
Google Login
  ↓ user authenticates
Google
  ↓ redirect with code
Your App
  ↓ exchange code for token
Google
  ↓ returns access token
Your App
  ↓ use token to get user info
Google API
  ↓ returns user profile
Your App (now knows who user is)
```

**Pros:**
- ✅ No password storage
- ✅ Users trust Google/Facebook
- ✅ Single sign-on
- ✅ Social features easy

**Cons:**
- ❌ Depends on third party
- ❌ More complex flow
- ❌ Privacy concerns

---

### 5. Multi-Factor Authentication (MFA)

**What it is:**
Requires multiple proofs of identity.

**Three factors:**
1. **Something you know:** Password, PIN
2. **Something you have:** Phone, hardware key
3. **Something you are:** Fingerprint, face

**Example flow:**
```
1. User enters password (factor 1)
2. Server sends SMS code to phone
3. User enters code (factor 2)
4. ✅ Authenticated
```

**Methods:**
- SMS codes (weak, SIM swapping attacks)
- Authenticator apps (TOTP: Google Authenticator, Authy)
- Hardware keys (YubiKey, USB keys)
- Biometrics (fingerprint, face)

**Pros:**
- ✅ Much more secure
- ✅ Even if password stolen, attacker can't login

**Cons:**
- ❌ User friction
- ❌ Can lose second factor

---

### 6. Biometric Authentication

**What it is:**
Using physical characteristics.

**Types:**
- Fingerprint
- Face recognition (Face ID)
- Iris scan
- Voice recognition

**How it works:**
```
1. System captures biometric (finger, face)
2. Converts to template/hash
3. Compares with stored template
4. Match → ✅ Authenticated
```

**Pros:**
- ✅ Can't forget
- ✅ Can't share
- ✅ Fast

**Cons:**
- ❌ Can't change (if compromised)
- ❌ Privacy concerns
- ❌ False positives/negatives

---

### 7. API Keys

**What it is:**
Static tokens for machine-to-machine auth.

**Example:**
```
GET /api/data
X-API-Key: sk_live_51HaZgJ2eZvKYlo2C...
```

**Use cases:**
- Third-party integrations
- Server-to-server communication
- Webhooks

**Pros:**
- ✅ Simple
- ✅ No user interaction

**Cons:**
- ❌ Static (if leaked, compromised until rotated)
- ❌ No expiration by default
- ❌ Hard to track individual users

---

## Authorization Mechanisms

### 1. Role-Based Access Control (RBAC)

**Concept:**
Users have roles. Roles have permissions.

**Structure:**
```
User → Role → Permissions
```

**Example:**

**Roles:**
```javascript
roles = {
  admin: ["read", "write", "delete", "manage_users"],
  editor: ["read", "write"],
  viewer: ["read"]
}
```

**Assignment:**
```javascript
users = {
  zohaib: { role: "admin" },
  john: { role: "editor" },
  jane: { role: "viewer" }
}
```

**Check:**
```javascript
function canDelete(user) {
  const userRole = users[user].role;
  const permissions = roles[userRole];
  return permissions.includes("delete");
}

canDelete("zohaib");  // true (admin)
canDelete("john");    // false (editor)
```

**Database schema:**
```sql
CREATE TABLE users (
  id INT PRIMARY KEY,
  username VARCHAR(255),
  role_id INT
);

CREATE TABLE roles (
  id INT PRIMARY KEY,
  name VARCHAR(255)
);

CREATE TABLE permissions (
  id INT PRIMARY KEY,
  name VARCHAR(255)
);

CREATE TABLE role_permissions (
  role_id INT,
  permission_id INT
);
```

**Pros:**
- ✅ Simple to understand
- ✅ Easy to manage
- ✅ Scalable

**Cons:**
- ❌ Role explosion (too many roles)
- ❌ Not fine-grained enough sometimes

---

### 2. Attribute-Based Access Control (ABAC)

**Concept:**
Permissions based on attributes (user, resource, environment).

**Structure:**
```
Decision = f(user attributes, resource attributes, action, context)
```

**Example:**

**Policy:**
```javascript
{
  "effect": "allow",
  "action": "read",
  "resource": "document",
  "condition": {
    "user.department": "engineering",
    "resource.classification": "internal",
    "time": "business_hours"
  }
}
```

**Check:**
```javascript
function canAccess(user, resource, action, context) {
  // User attributes
  if (user.department !== "engineering") return false;
  
  // Resource attributes
  if (resource.classification === "top_secret") return false;
  
  // Context
  if (context.time < 9 || context.time > 17) return false;
  
  return true;
}
```

**Pros:**
- ✅ Very flexible
- ✅ Fine-grained control
- ✅ Dynamic decisions

**Cons:**
- ❌ Complex to implement
- ❌ Hard to debug
- ❌ Performance overhead

---

### 3. Access Control Lists (ACL)

**Concept:**
Each resource has a list of who can access it.

**Structure:**
```
Resource → List of (User, Permission)
```

**Example:**

**Document ACL:**
```javascript
document_123.acl = [
  { user: "zohaib", permission: "owner" },
  { user: "john", permission: "read" },
  { user: "jane", permission: "write" }
]
```

**Check:**
```javascript
function canEdit(user, documentId) {
  const document = getDocument(documentId);
  const userEntry = document.acl.find(entry => entry.user === user);
  
  if (!userEntry) return false;
  
  return ["owner", "write"].includes(userEntry.permission);
}
```

**Database schema:**
```sql
CREATE TABLE documents (
  id INT PRIMARY KEY,
  title VARCHAR(255)
);

CREATE TABLE document_acl (
  document_id INT,
  user_id INT,
  permission VARCHAR(50)
);
```

**Pros:**
- ✅ Per-resource control
- ✅ Flexible

**Cons:**
- ❌ Hard to manage at scale
- ❌ ACL can get large
- ❌ No inheritance

---

### 4. Permission-Based Access Control

**Concept:**
Direct user-to-permission mapping (no roles).

**Structure:**
```
User → Permissions (directly)
```

**Example:**
```javascript
users = {
  zohaib: ["users.create", "users.delete", "posts.create"],
  john: ["posts.create", "posts.edit"],
  jane: ["posts.read"]
}

function hasPermission(user, permission) {
  return users[user].includes(permission);
}
```

**Pros:**
- ✅ Maximum flexibility
- ✅ Fine-grained

**Cons:**
- ❌ Hard to manage (assign permissions to every user)
- ❌ No grouping

---

## Complete Authentication + Authorization Flow

**Example: REST API with JWT**

### 1. Login (Authentication)

```javascript
// Client
POST /api/auth/login
Content-Type: application/json

{
  "username": "zohaib",
  "password": "mypassword123"
}
```

```javascript
// Server
app.post('/api/auth/login', async (req, res) => {
  const { username, password } = req.body;
  
  // 1. Find user
  const user = await db.users.findOne({ username });
  if (!user) {
    return res.status(401).json({ error: "Invalid credentials" });
  }
  
  // 2. Verify password
  const valid = await bcrypt.compare(password, user.passwordHash);
  if (!valid) {
    return res.status(401).json({ error: "Invalid credentials" });
  }
  
  // 3. Generate JWT token
  const token = jwt.sign(
    {
      userId: user.id,
      username: user.username,
      role: user.role  // Include role for authorization
    },
    process.env.JWT_SECRET,
    { expiresIn: '24h' }
  );
  
  // 4. Return token
  res.json({ token });
});
```

**Response:**
```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

---

### 2. Protected Request (Authentication + Authorization)

```javascript
// Client
GET /api/users/456
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

```javascript
// Server - Authentication Middleware
function authenticate(req, res, next) {
  const authHeader = req.headers.authorization;
  
  if (!authHeader) {
    return res.status(401).json({ error: "No token provided" });
  }
  
  const token = authHeader.split(' ')[1];  // "Bearer TOKEN"
  
  try {
    // Verify token
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    
    // Attach user to request
    req.user = decoded;
    next();
  } catch (err) {
    return res.status(401).json({ error: "Invalid token" });
  }
}

// Server - Authorization Middleware
function authorize(requiredPermission) {
  return (req, res, next) => {
    const userRole = req.user.role;
    const permissions = roles[userRole];
    
    if (!permissions.includes(requiredPermission)) {
      return res.status(403).json({ error: "Forbidden" });
    }
    
    next();
  };
}

// Server - Route
app.get('/api/users/:id',
  authenticate,              // Check identity
  authorize('users.read'),   // Check permission
  async (req, res) => {
    const user = await db.users.findById(req.params.id);
    res.json(user);
  }
);
```

---

## HTTP Status Codes

**401 Unauthorized:**
- Means: Authentication failed
- "Who are you?" → Can't verify
- Missing/invalid credentials

**403 Forbidden:**
- Means: Authorization failed
- "Who are you?" → Verified ✅
- "What can you do?" → Not allowed ❌
- Valid credentials, insufficient permissions

**Example:**
```javascript
// No token → 401
GET /api/users
// No auth header

// Invalid token → 401
GET /api/users
Authorization: Bearer invalid_token_xyz

// Valid token, but not admin → 403
GET /api/admin/settings
Authorization: Bearer valid_user_token
// User is authenticated but not authorized
```

---

## Security Best Practices

### Authentication
1. **Always hash passwords** (bcrypt, argon2)
2. **Use HTTPS** (encrypt in transit)
3. **Implement rate limiting** (prevent brute force)
4. **Use MFA** (for sensitive operations)
5. **Token expiration** (short-lived tokens)
6. **Refresh tokens** (for long sessions)
7. **HttpOnly cookies** (prevent XSS)
8. **SameSite cookies** (prevent CSRF)

### Authorization
1. **Principle of least privilege** (minimal permissions)
2. **Default deny** (explicit allow required)
3. **Check on every request** (don't cache decisions)
4. **Validate on server** (never trust client)
5. **Audit logs** (track access attempts)

---

## Summary (Core Principles)

**Authentication = Identity verification ("Who are you?")**

**Methods:**
- Password
- Token (JWT, session)
- OAuth
- MFA
- Biometric
- API keys

**Authorization = Permission checking ("What can you do?")**

**Methods:**
- RBAC (roles)
- ABAC (attributes)
- ACL (per-resource)
- Permissions

**Key flow:**
```
Request
  ↓
Authenticate (verify identity)
  ↓ 401 if fails
  ✅ Identity confirmed
  ↓
Authorize (check permissions)
  ↓ 403 if no permission
  ✅ Permission granted
  ↓
Execute action
```

**Remember:**
- Authentication without authorization = "I know who you are, but you can't do anything"
- Authorization without authentication = impossible (need to know who first)
- Both required for secure systems

Want me to show you how to implement JWT authentication + RBAC authorization in a real backend?