Authentication and authorization are fundamental parts of security in any web application, including APIs developed in NodeJS. Authentication is the process of verifying a user's identity, while authorization is the process of verifying what the authenticated user is allowed to do. This chapter will focus on how to implement these two critical aspects in your NodeJS API, with special emphasis on secure password storage.

To begin with, it is important to understand that storing passwords in clear text in your database is an extremely insecure practice. If an attacker manages to access your database, they will have access to all of your users' passwords. To avoid this, passwords must be protected before they are stored, so that the stored value cannot be turned back into the original password. The most common way to do this is through a process called 'hashing'.

Hashing is a one-way process that transforms a set of data into a fixed-length string which is, in practice, unique for each input and from which the original data cannot be recovered. When a user creates an account or changes their password, you must create a hash of the password and store that hash in the database. When the user attempts to log in, you create a hash of the given password and compare it to the stored hash. If they match, the password is correct.

In NodeJS, there are several libraries you can use to create password hashes, such as bcrypt, scrypt, and Argon2. Bcrypt is one of the most popular, due to its ease of use and proven security. To use bcrypt, you first need to install it in your project with the 'npm install bcrypt' command. After that, you can use the 'bcrypt.hash' function to hash a password.

In addition to hashing, another common practice is to add a salt to the password before creating the hash. A 'salt' is a random string that is added to the password to prevent 'rainbow table' attacks. A 'rainbow table' is a precomputed table of hashes for a large number of possible passwords, which an attacker can use to quickly discover the original password from the hash. By adding a unique 'salt' to each password, you render the use of 'rainbow tables' ineffective.

Bcrypt makes it easy to add a 'salt' to your passwords. When you call the 'bcrypt.hash' function, bcrypt generates a random salt for you, and the second argument is the cost factor (often called 'saltRounds'), which controls how much work bcrypt does when computing the salted hash. This number is a trade-off between security and performance: a higher number makes each hash slower to compute, which makes brute-force guessing harder for an attacker, but it also makes registration and login take longer.

Now that you know how to securely store passwords, let's talk about authentication and authorization. Authentication in NodeJS APIs is usually done through JWTs (JSON Web Tokens). When a user logs in, the API generates a JWT that includes the user's identity and possibly other information. This token is then sent back to the client, which must include it in all subsequent API requests.

Authorization is the process of verifying that the authenticated user has permission to perform the requested action. This is usually done through a system of 'roles' or 'permissions'. For example, you can have user and administrator roles, where the administrator has permission to do things that the user doesn't.

In summary, authentication and authorization are essential aspects of security in NodeJS APIs. It is important to store passwords securely through the use of hashing and salting, and to use JWT tokens for authentication. Authorization must be implemented through a system of 'roles' or 'permissions'.

Now answer the exercise about the content:

What is the difference between authentication and authorization in a NodeJS API and how are they implemented?

