# Lesson: Concept of Tokenization in Authentication

Tokens provide crucial access rights in web applications. Much like a boarding pass for a spaceship, tokens confirm your identity and privileges. They are essential for making web apps efficient and secure. Tokens can be compared to VIP passes at concerts; present it once and you're granted widespread access!

## Creating Tokens Manually

Sure thing! Manual token creation doesn't necessitate any third-party modules. We can use built-in JavaScript methods to construct tokens manually. We'll piece together random values to create unique token-like strings.

While these are not cryptographically secure tokens like our previous examples, they do give elementary understanding on how to create unique identifiers manually.

In [None]:
// We define a function to generate token
function generateToken(length) {
  let token = ''; // Initialize an empty string for the token
  // Define the set of possible characters in the token
  let charSet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

  // Loop once for each character in the token length
  for (let i = 0; i < length; i++) {
    // randomly choose an index from the character set
    let randomPoz = Math.floor(Math.random() * charSet.length);
    // append that character to our token string
    token += charSet.substring(randomPoz, randomPoz+1);
  }

  // return the generated token
  return token;
}

// Now, let's generate a 32-character long random string
console.log(generateToken(32)); // prints out a random 32-character long string

In this function, we create a token by choosing a random character from charSet for length times. The generated strings are likely to be unique, but unlike cryptographically-secure tokens, they have a non-zero chance of being guessed or duplicated through numerous attempts.

This is a basic demonstration of how tokens can be created, highlighting the concept and mechanics behind tokens. However, for actual token creation in secure applications, itâ€™s vital to use cryptographically secure methods. Continue your journey, explorer! Every step takes you closer to mastering Authentication and Authorization!


## Storing Tokens and Passing via Request Authorization Header

Upon generating a token, we store it client-side, typically in the localStorage of the browser:

In [None]:
let token = generateToken(32);
localStorage.setItem('authToken', token); // stores the generated token in localStorage as 'authToken'

Once the token is stored, we send it with each server request. As an illustration, we include it in the 'Authorization' header of our request using axios:

In [None]:
import axios from 'axios';

async function fetchData() {
  let token = localStorage.getItem('authToken');
  let response = await axios.get('/api/endpoint', {
    headers: { Authorization: 'Bearer ' + token }
  });
  console.log(response.data); // print response data
}

## Securing Future Trips: User Authentication for Subsequent Requests

The brilliance of tokenization goes beyond just one use. Once a token is created and stored, it isn't just used once and then discarded. It can be reused to confirm the user's identity in subsequent requests, like an all-access VIP badge. This is a huge part of the efficiency and security tokens bring to the table.

In real life, consider a prestigious gala event. When you arrive, you show your special VIP pass to the security at the entrance. They validate your passâ€”maybe by checking a list of VIP pass numbersâ€”and let you in. When you leave and come back later, you show the same pass. As long as it's valid, you're welcomed back into the event without needing to complete the full check-in process again.

Tokens work the same way in web applications. For each subsequent request after logging in, the client sends the token, not the user's credentials, to the server. The server checks if the token is valid (maybe it expired, or maybe it was revoked) and if it is, the server processes the request.

Let's look at an example of this process. Say we have a logged-in user who wants to update their profile on a social network site. Here's how it might look in code:

In [None]:
const axios = require('axios');

async function updateUserProfile(newProfileData) {
  // First, we retrieve the token from localStorage
  let token = localStorage.getItem('authToken');

  // Next, we create the header for our request
  let config = {
    headers: {
      Authorization: 'Bearer ' + token
    }
  };

  // Finally, we send the POST request to the server with our new profile data
  let response = await axios.put('/api/profile', newProfileData, config);
  
  // If the response is successful, we console the new data.
  if(response.status === 200) {
    console.log(response.data); // prints the updated user data
  } else {
    console.log('An error occurred while updating the profile!');
  }
}

In this example, we use the token stored in localStorage to authenticate the request to the server. We don't need to send the user's username and password again, just the token which we include in the 'Authorization' header. When the server receives this request, it checks that the token is valid and, if it is, updates the user's profile. Isn't it cool how secure yet efficient tokenization is? ðŸš€

## Journey on the Other Side: Server-side Authentication with Tokens

Great insight! To complete our journey, we need to look at how the server handles the token in the incoming requests.

The server, upon receiving the request, extracts the token from the 'Authorization' header. It then validates this token, confirming it was issued by the server and hasn't expired. Based on the result of the validation, the server either processes the request or returns an error response.

To showcase this workflow, let's consider a simple express app that uses a rudimentary method for validating tokens. In real-world applications, token validation would involve much more sophisticated methods.

In [None]:
let tokenStore = ['existing_token_1', 'existing_token_2']; // Here's an example of a rudimentary token store

// Here we define an endpoint to update the user profile
app.put('/api/profile', (req, res) => {
  // Extract the token from the request header
  let token = req.headers.authorization.split(' ')[1];

  if (!token) {
    return res.status(401).send('No token provided!');
  }

  if (!tokenStore.includes(token)) {
    return res.status(401).send('Invalid token!');
  }

  // If the token is valid, update the user profile
  // For simplicity, we're just logging the new profile data
  console.log(req.body);
  res.send('Profile successfully updated!');
});

In this code, we extract the token from the 'Authorization' header and check if it exists in our rudimentary token store. If the token is not in the store, we return a '401 Unauthorized' response. If the token is valid, we go on to update the profile. As you see, token validation is pivotal for the server to distinguish between authorized and unauthorized requests. Keep going, buddy! The stars of Authentication and Authorization are just around the corner! ðŸ’«

Now itâ€™s Your Turn: Lesson Summary and Next Steps

Great job! You now understand the importance of tokens, as well as how to create them manually, store them client-side, and pass them using axios. With the upcoming practice exercises, you will have the opportunity to further refine these skills. Get ready to excel in the cosmos of Authentication and Authorization!

## Exercises

Good job, Space Explorer! Your login system is up and running. Now, imagine you have successfully logged in and received a token. Can you run the code to simulate sending the token to check the status of our mission? Let's ensure that the mission status is accessible only to our logged-in users.

In [None]:
// App.js (React client) - final version
import axios from 'axios';
import { useState } from 'react';

export default function App() {
  const [loggedIn, setLoggedIn] = useState(false);
  const [token, setToken] = useState('');
  const [missionStatus, setMissionStatus] = useState('');

  const login = () => {
    let token = '12345'; // simplified token for practice purposes
    localStorage.setItem('authToken', token);
    setToken(token);
    setLoggedIn(true);
  };

  const checkMissionStatus = () => {
    let token = localStorage.getItem('authToken');
    setToken(token);
    axios.get('/api/mission-status', {
      headers: { Authorization: 'Bearer ' + token }
    }).then(response => {
      setMissionStatus(response.data.status);
    });
  };

  return (
    <div>
      <button onClick={login}>Log In for Mission</button>
      <button onClick={checkMissionStatus}>Check Mission Status</button>
      {loggedIn && <p>Logged in with token: {token}</p>}
      {missionStatus && <p>Mission Status: {missionStatus}</p>}
    </div>
  );
}

In [None]:
// index.js (Express server) - final version
const express = require('express');
const app = express();

app.get('/api/mission-status', (req, res) => {
  let token = req.headers.authorization.split(' ')[1];
  if (token === '12345') {
    res.json({ status: 'Mission ready to launch!' });
  } else {
    res.status(401).send('Mission access denied: Invalid token');
  }
});

app.listen(5000, () => console.log('Server running on port 5000...'));

Stellar Navigator, let's focus on the client-side of our space mission! Modify the existing React component so that it sends the authorization token correctly within the header. Remember, we need a 'Bearer ' prefix attached to the token.

In [None]:
//App.js (React client) - final version with Francis edits

import axios from 'axios';
import { useEffect, useState } from 'react';

export default function App() {
  const [missionStatus, setMissionStatus] = useState('');
  const [error, setError] = useState('');

  useEffect(() => {
    const token = '123ABC'; // This token is stored previously
    
    // TODO: Correctly set the Authorization header, with the 'Bearer ' prefix in the following GET request
    axios.get('/api/mission-control', {headers:{Authorization: 'Bearer ' + token}}).then(response => { // added  {headers:{Authorization: 'Bearer ' + token}}
      setMissionStatus('Mission status: ' + response.data.status);
    }).catch(error => {
      setError('Error fetching mission control data');
    });
  
  }, []);

  return (
    <div>
      <h1>Space mission dashboard</h1>
      {missionStatus && <p>{missionStatus}</p>}
      {error && <p>{error}</p>}
    </div>
  );
}

In [None]:
// index.js (Express server) - final version
const express = require('express');
const app = express();
app.use(express.json());

const mockMissionData = { id: "xyz", status: "All systems go!" };
const validTokens = ['123ABC']; // This should be a more secure token storage mechanism

app.get('/api/mission-control', (req, res) => {
  const token = req.headers.authorization?.split(' ')[1];
  
  if (!token || !validTokens.includes(token)) {
    return res.status(401).send('Unauthorized: Invalid token');
  }

  res.status(200).json(mockMissionData);
});

app.listen(5000, () => {
  console.log('Server running on port 5000...');
});

Stellar Navigator! You've been navigating the galaxy of authentication with great success. Your next mission is to debug the spaceship's control panel code. A distress signal was sent: "Unable to authenticate for status check!" Can you spot the error and ensure the spaceship is ready for its next voyage? Remember, the correct implementation involves axios and localStorage.

In [None]:
// index.js (Express server) - final version Francis edits
const express = require('express');
const cors = require('cors');

const app = express();
app.use(express.json());
app.use(cors()); // Enable CORS for all origins

let tokenStore = [];

// Can you spot the problem with our tokenization logic?
app.post('/api/login', (req, res) => {
  const token = 'simple_token_' + Math.random().toString(36).substr(2);
  tokenStore.push(token); // Francis added this line to store the generated token
  res.json({ authToken: token });
});



app.get('/api/check-spaceship', (req, res) => {
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    return res.status(401).send('No token provided!');
  }

  const token = authHeader.split(' ')[1];
  if (!tokenStore.includes(token)) {
    return res.status(401).send('Invalid token!');
  }

  res.json({ status: 'Ready for exploration!' });
});

app.listen(5000, () => console.log('Server running on port 5000...'));

In [None]:
// App.js (React client) - final version
import { useState } from 'react';
import axios from 'axios';

export default function App() {
  const [token, setToken] = useState('');
  const [message, setMessage] = useState('');

  const login = async () => {
    try {
      const response = await axios.post('/api/login');
      const generatedToken = response.data.authToken;
      localStorage.setItem('authToken', generatedToken);
      setToken(generatedToken);
      setMessage('Logged in with token: ' + generatedToken);
    } catch (error) {
      setMessage('Login failed: ' + (error.response ? error.response.data : 'Server not reachable.'));
    }
  };

  const checkSpaceshipStatus = () => {
    const authToken = localStorage.getItem('authToken');
    axios.get('/api/check-spaceship', {
      headers: { Authorization: 'Bearer ' + authToken }
    }).then(response => {
      setMessage('Spaceship status: ' + response.data.status);
    }).catch(error => {
      setMessage('Error: ' + (error.response ? error.response.data : 'Server not reachable.'));
    });
  };

  return (
    <div>
      <button onClick={login}>Launch and Authenticate</button>
      <button onClick={checkSpaceshipStatus}>Check Spaceship Status</button>
      <p>{message}</p>
    </div>
  );
}

Galactic Pioneer, your space exploration mission control center requires a secure communication channel! It is time to create a login system and establish a method for securely fetching secret data using tokens. Follow the steps outlined in the comments to write the Node.js server from scratch. Remember, when space travelers log in, they must receive a token to access privileged information.

In [None]:
// index.js (Express server) - final version
const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors());
app.use(express.json());

const PORT = 5000;
const tokenStore = ['secretToken1', 'secretToken2'];

// TODO: Set up your login route to send a token back to the client. Don't forget to push it to the token store
app.get('/api/login', (req, res) => {
  const token = 'simple_token_' + Math.random().toString(36).substr(2);
  tokenStore.push(token); // Francis added this line to store the generated token
  res.json({ authToken: token });
});

// TODO: Set up the secret-data route to validate the token and send secret data
app.get('/api/secret-data', (req, res) => {
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    return res.status(401).send('No token provided!');
  }

  const token = authHeader.split(' ')[1];
  if (!tokenStore.includes(token)) {
    return res.status(401).send('Invalid token!');
  }

  res.json({ status: 'Ready for exploration!' });
});


app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}...`);
});

In [None]:
// App.js (React client) - final version
import axios from 'axios';
import { useState } from 'react';

export default function App() {
  const [token, setToken] = useState('');
  const [message, setMessage] = useState('');

  const handleLogin = async () => {
    const tokenFromServer = await axios.get('/api/login'); // Simulate server token generation
    localStorage.setItem('authToken', tokenFromServer.data);
    setToken(tokenFromServer.data);
    setMessage('Logged in successfully!');
  };

  const fetchSecretData = async () => {
    try {
      const response = await axios.get('/api/secret-data', {
        headers: { Authorization: `Bearer ${token}` }
      });
      setMessage(`Secret data: ${response.data}`);
    } catch (error) {
      setMessage('Error fetching secret data!');
    }
  };

  return (
    <div>
      <button onClick={handleLogin}>Login</button>
      <button onClick={fetchSecretData}>Get Secret Data</button>
      <p>{message}</p>
    </div>
  );
}

Space Voyager, let's put your skills to the test! Set up the logic in the server code to validate a token sent from our mission control app. Be on the lookout for any unauthorized intruders!

In [None]:
// App.js (React client) - final version
import axios from 'axios';
import { useEffect, useState } from 'react';

localStorage.setItem('authToken', 'mission-token-123'); // Setting the token here manually to mock the logic

export default function App() {
  const [tokenStatus, setTokenStatus] = useState('');

  useEffect(() => {
    const token = localStorage.getItem('authToken');
    axios.get('/api/check-token', {
      headers: { Authorization: 'Bearer ' + token }
      // TODO: Add an authorization header to check if the token is valid
      
    }).then(response => {
      setTokenStatus('Token is valid!');
    }).catch(error => {
      setTokenStatus('Token is not valid!');
    });
  }, []);

  return (
    <div>
      <h1>Welcome to the Mission Control Center!</h1>
      <p>{tokenStatus}</p>
    </div>
  );
}

In [None]:
// index.js (Express server) - final version
const express = require('express');
const app = express();

const port = 5000;
const validTokens = ['mission-token-123']; // In real scenario, this will be more secure and dynamic

app.get('/api/check-token', (req, res) => {
  // TODO: Validate the token from the request and send a response
  let token = req.headers.authorization.split(' ')[1];
  if (validTokens.includes(token)) {
    res.json({ status: 'Mission ready to launch!' });
  } else {
    res.status(401).send('Mission access denied: Invalid token');
  }
  
});

app.listen(port, () => console.log(`Server running on port ${port}...`));