# Lesson: Navigating Authentication and Authorization: Secure Basics with Node.js and React

### Overview and Goals

Welcome, seeker of code wisdom! In today's lesson, we will unveil the secrets of authentication and authorization. We will elucidate these security protocols, construct a basic authentication system with Node, and guide you in creating an engaging login page using React.

### Basics of Authentication and Authorization

Join us as we unravel the intricacies of authentication and authorization. Consider them as sentinels of a fortress—authentication verifies the user's identity, it's akin to a sentry poised with the question: "Who goes there?" Conversely, authorization, acting much like a gatekeeper, determines: "What can you do here?" These security precautions cast their protective aura over every virtual transaction, ranging from accessing a library to operating a banking application.

### Importance of Authentication and Authorization

To ensure the safety of the data realm, authentication and authorization combine their strengths to form an impregnable fortress. Imagine a banking system where anyone could waltz right in and claim they are the king! It's these qualitative security layers that prevent such chaos. The system, acting much like a bank sentry, authenticates users by verifying their identity, then authorizes services according to the user's account type, ensuring only rightful access to resources.

### Creating Basic Authentication in a Node Server

The magic of Node.js, a humble server-side scripting JavaScript runtime, awaits us! By harnessing the power of JavaScript, we will conjure up a basic authentication system. Our hard-coded user data will manifest, similar to a parchment holding a simple spell!


In [None]:
// Import libraries and prepare for incantations
const express = require("express");
const app = express();
app.use(express.json());

// Hardcoded user in our enchanted script
const user = {id: "1", username: "admin", password: "admin"};

// The spell, the sentry, and the gatekeeper
app.post("/login", (req, res) => {
  const {username, password} = req.body;
  
  // A simple incantation of authentication
  if (username === user.username && password === user.password) {
    res.status(200).send("Login successful");
  } else {
    // Oops! The spell failed
    res.status(401).send("Invalid username or password");
  }
});

// Invoke the server
app.listen(3000, () => console.log("Server is humming..."));

// In the code spell above, our server eagerly awaits a POST bearing secret passcodes—a login and password. 
// Upon successful authentication, the server responds with "Login successful". Congratulations, we have built a foundation!

### Creating the User Login Page in React

Let’s fashion a straightforward login form in React as the main client-side component that connects us to the authentication gateways of the backend.

In [None]:
function LoginForm() {
  const [details, setDetails] = useState({email:"", password:""}); // The humble beginnings of form data

  // Behold the birth of the login form
  return (
    <form onSubmit={submitHandler}>
    <div className="form-group">
      <label htmlFor="email">Email:</label>
      <input type="email" name="email" id="email" onChange={e => setDetails({...details, email: e.target.value})} value={details.email} />
    </div>
    <div className="form-group">
      <label htmlFor="password">Password:</label>
      <input type="password" name="password" id="password" onChange={e => setDetails({...details, password: e.target.value})} value={details.password} />
    </div>
    <input type="submit" value="LOGIN" />
    </form>
  );
}

// For a better user experience, we should include user-friendly prompts and informative validation error messages in both forms. 
// But for now, let's keep things simple as this is an introductory lesson.

### Sending POST Requests to Login Route

After crafting our login form, we need to handle form submissions. We want to send a POST request with our form data to the server when a user clicks the submit button. But how do we make this happen?

We're going to make our submitHandler function more complex, by initiating a POST request to our previously defined login endpoint at the server. To help us with this, we'll use Fetch API — a built-in JavaScript library for making HTTP requests.

Here's the updated LoginForm with the fetch logic included:

In [None]:
function LoginForm() {
  const [details, setDetails] = useState({username:"", password:""});

  const submitHandler = e => {
    e.preventDefault(); // Prevent page refresh

    fetch('http://localhost:3000/login', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(details),
    })
    .then(response => response.text())
    .then(data => alert(data))
    .catch((error) => {
      console.error('Error:', error);
    });
  }

  // Rest of the LoginForm component...
}

In the submitHandler function, we're using the fetch() function to send a POST request to the login endpoint. We've set the method to 'POST' to indicate the type of HTTP request, and included headers to define the format of the request body.

The request body (body) is where we include our form data (details), which is stringified before sending. This way, we can smoothly send our email and password data to the server for authentication!

The fetch function returns a Promise that resolves to the Response to that request. To handle the response and convert it to text, we call response.text().

With this, you have successfully linked your login form with your backend server! The data entered in the form will now be sent to the server for authentication when the form is submitted. It's just like handing your ticket to the museum staff to get access to the fabulous exhibits inside!

### Lesson Summary and Practice

Bravo! You've embarked on the authentication and authorization journey, erected a basic authentication system in Node.js, and traversed time to shape a login form in React! These fundamental elements, my valiant learners, serve as the foundation of the grand palace of knowledge awaiting your exploration. Ahead lie practice exercises to manifest your theoretical knowledge into hands-on mastery. Seize this opportunity to delve deeper into these concepts, tie them to concrete tasks, and watch the fundamental aspects bloom into powerful tools of application security. Forward, to the further heights and deeper valleys of the coding realm! Happy coding!

### Exercises:

Brace yourself for a mission in the Banking System galaxy! This code demonstrates how a user is authenticated in a simple banking system. It utilizes JavaScript's .find() method to locate user credentials on the server and the fetch API for communication between the front end and the back end. Click Run to see how the seamless login process unfolds! Try the following user credentials: username=user1 and password=pass1.

In [None]:
// index.js (Express server)
const express = require("express");
const cors = require("cors");

const app = express();
app.use(express.json());
app.use(cors());

const users = [{ id: "1", username: "user1", password: "pass1" }];

app.post("/api/login", (req, res) => {
  const { username, password } = req.body;
  const foundUser = users.find(user => user.username === username && user.password === password);
  
  if (foundUser) {
    res.status(200).send("Welcome to the Banking System!");
  } else {
    res.status(401).send("Invalid credentials. Please try again.");
  }
});

app.listen(5000, () => console.log("Server running on port 5000"));

In [None]:
// App.js
import { useState } from 'react';

export default function App() {
  const [username, setUsername] = useState('');
  const [password, setPassword] = useState('');
  const [message, setMessage] = useState('');

  const handleLogin = () => {
    fetch('/api/login', { 
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password })
    })
    .then(response => response.text())
    .then(message => setMessage(message))
    .catch(error => setMessage('Error: ' + error));
  }

  return (
    <div>
      <input type="text" placeholder="Username" value={username} onChange={(e) => setUsername(e.target.value)}/>
      <input type="password" placeholder="Password" value={password} onChange={(e) => setPassword(e.target.value)}/>
      <button onClick={handleLogin}>Login</button>
      {message && <p>{message}</p>}
    </div>
  );
}

Great job on making the server talk, Space Voyager! Now let's further personalize our Banking System's security message. Modify the response in server/index.js to include the username in the welcome message, like so: "Welcome, [username], to our secure Banking System!"

In [None]:
// index.js (Express server)
const express = require("express");
const cors = require('cors');
const app = express();
app.use(express.json());
app.use(cors());

const users = [
  { id: '2', username: 'guest', password: 'guest123' }
];

app.post("/api/login", (req, res) => {
  const { username, password } = req.body;
  const user = users.find(u => u.username === username && u.password === password);
  if (user) {
    res.status(200).send(`Welcome, ${req.body.username}, to our secure Banking System!`);  // TODO: Modify this line to personalize the welcome message.
  } else {
    res.status(401).send("Access Denied: Incorrect Username or Password");
  }
});

app.listen(5000, () => console.log("Server is humming on port 5000..."));

In [None]:
// App.js
import { useState } from 'react';
import axios from 'axios';

function App() {
  const [credentials, setCredentials] = useState({username: 'guest', password: 'guest123'});
  const [message, setMessage] = useState(''); // State to hold the message

  const handleLogin = () => {
    axios.post('/api/login', credentials).then(response => {
      setMessage(response.data); // Set the message state with the response data
    }).catch(error => {
      setMessage("An error occurred during login."); // Handle any errors
    });
  }

  return (
    <div>
      <button onClick={handleLogin}>Login as Guest</button>
      {message && <p>{message}</p>} {/* Display the message if it exists */}
    </div>
  );
}

export default App;

Stellar Navigator, we have encountered a glitch in our banking system's security feature – it allows users to log in even when the credentials are incorrect.

Your mission is to debug the case and fix the login logic in the server code.

Feel free to use the credentials username: starSeeker and password: treasure to test the UI preview's login feature manually.

In [None]:
// index.js (Express server)
const express = require('express');
const cors = require('cors');
const app = express();

app.use(express.json());
app.use(cors()); // Enable CORS for all routes

const user = { username: "starSeeker", password: "treasure" }; // Banking system admin

app.post('/api/login', (req, res) => {
  const { username, password } = req.body;
  if (username === user.username && password === user.password) {
    res.status(200).send("Welcome to the Banking System!");
  } else {
    res.status(401).send("Access Denied: Incorrect credentials");
  }
});

app.listen(5000, () => console.log("Server is running on port 5000"));

In [None]:
import { useState } from 'react';
import axios from 'axios';

function App() {
  const [credentials, setCredentials] = useState({ username: "", password: "" });
  const [message, setMessage] = useState("");

  const login = () => {
    axios.post('/api/login', credentials).then(response => {
      setMessage("Login successful!");
    }).catch(error => {
      setMessage("Login failed!");
    });
  };

  return (
    <div>
      <input type="text" placeholder="Your Username" onChange={e => setCredentials({...credentials, username: e.target.value })} />
      <input type="password" placeholder="Your password" onChange={e => setCredentials({...credentials, password: e.target.value })} />
      <button onClick={login}>Login</button>
      {message && <p>{message}</p>}
    </div>
  );
}

export default App;

Great job so far, Space Voyager! Your next mission is to add the missing line of code to our Banking System's Node.js server. Equip your server's /api/login route to check if the stars align with the provided credentials. Keep it concise; no rocket science is needed — just a line or two!

In [None]:
// App.js

import { useState } from 'react';
import axios from 'axios';

function App() {
  const [email, setEmail] = useState("");
  const [password, setPassword] = useState("");
  const [message, setMessage] = useState("");

  const submitLogin = () => {
    axios.post('/api/login', { username: email, password: password })
      .then((response) => {
        setMessage(response.data.message);
      })
      .catch((error) => {
        setMessage("An error occurred while logging in.");
        console.error("Login error:", error);
      });
  };

  return (
    <div>
      <input type="email" value={email} onChange={e => setEmail(e.target.value)} placeholder="Enter your email" />
      <input type="password" value={password} onChange={e => setPassword(e.target.value)} placeholder="Enter your password" />
      <button onClick={submitLogin}>Login</button>
      {message && <p>{message}</p>}
    </div>
  );
}

export default App;

In [None]:
// index.js (Express server)

const express = require("express");
const cors = require("cors");

const app = express();
app.use(express.json());
app.use(cors());

const hardcodedUsers = [
  { id: "1", username: "customer@bank.com", password: "12345" },
  { id: "2", username: "employee@bank.com", password: "password" },
];

// TODO: Complete the /api/login route to check the username and password and respond with message "Welcome to the Banking System!" and status code 200 if there is a user with given credentials, otherwise respond with "Invalid credentials" and error status 401.
app.post("/api/login", (req, res) => {
  const { username, password} = req.body;
  const user = hardcodedUsers.find(u => u.username === username && u.password === password);
  if (user) {
    res.status(200).send("Welcome to the Banking System!");
  } else{
    res.status(401).send("Invalid credentials");
  }
});

app.listen(5000, () => console.log("Banking system server is humming on port 5000..."));

Great progress, Space Voyager! It's now time to write a server that verifies login details to work with the provided front-end to collect user input. For simplicity, focus on the login logic.

In [None]:
// App.js
import { useState } from 'react';

function App() {
  const [details, setDetails] = useState({username:"", password:""});
  const [message, setMessage] = useState("");

  const login = () => {
    fetch('/api/login', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(details)
    }).then(response => {
      if (response.ok) {
        return response.text();
      } else {
        throw new Error('Failed to login');
      }
    }).then(message => {
      setMessage(message);
    }).catch(error => {
      setMessage(error.message);
    });
  }

  return (
    <>
      <input type="text" placeholder="Username" onChange={(e) => setDetails({...details, username: e.target.value})} />
      <input type="password" placeholder="Password" onChange={(e) => setDetails({...details, password: e.target.value})} />
      <button onClick={login}>Login</button>
      <p>{message}</p>
    </>
  );
}

export default App;

In [None]:
// index.js (Express server)
const express = require('express');
const app = express();

app.use(express.json());

// TODO: Create an object representing a user with a username and password
const hardcodedUsers = [
  { id: "1", username: "customer@bank.com", password: "12345" },
  { id: "2", username: "employee@bank.com", password: "password" },
];

// TODO: Set up a POST route '/api/login' that compares the incoming username and password with the user object
// On a username and password match, send back a welcome message; otherwise, send a 401 status with an error message
app.post("/api/login", (req, res) => {
  const { username, password} = req.body;
  const user = hardcodedUsers.find(u => u.username === username && u.password === password);
  if (user) {
    res.status(200).send("Welcome to the Banking System!");
  } else{
    res.status(401).send("Invalid credentials");
  }
});
// TODO: Make your server listen on port 5000 and log a message when it's running

app.listen(5000, () => console.log("Banking system server is humming on port 5000..."));