Authorization, Authentication and Routing endpoints

Basic Definitions:

Let's start this off with basic definitions

Authorization: is when determine if the authenticated user has the privileges to access a certain resource or API.

Authentication: is when we verify the user's identity.

Authentication

Workflow

Naturally, authentication precedes authorization, the flow usually goes like this :

Browser ----------[Username & Password]---------> Server
Here we assume that the user registered and is now attempting to log in by sending his credentials, it can be a phone number and a password, an email and a password .. etc.
Browser ----------------------------------------------------- Server [ authenticating ... ]
Here, we the server performs authentication by comparing the username and password to the stored credentials
Browser <----------------[Access Token]--------------- Server
After successfully authenticating the client, the server returns an access token to the client(Usually JWT)
Browser ----[Request details & Access Token]--> Server
The client will embed this token in each subsequent request in the authorization header like so: Authorization: Bearer ${token}

Authorization - Multiple types of users and Privileges

In many cases, there is more than one type of user in the application with different access privileges. a part of our API might look somewhat like this:

	"api" { 
		"admin" {
			require(Privileges.Administrator) // here we guard the route with admin privilege
			"staff_info" {
              	..
          	}
        }
        
        "normal_user" {
          	require(Privileges.Administrator, Privileges.User) 
            // we guard the route with user privieleges and admin privileges 
			// "other" type of user cannot access this route
         	"profile_info" {
             	..
            }
        }
        
        "other_user" {
        	require(Privileges.Administrator, Privileges.OtherUserType) // normal user cannot access this
            "info" {
            	..
            }
        }
        
    	"file" {
          	require(Privileges.JWTAuthenticated) // any authenticated user can upload a file
          	"upload" {
				..
            }
        }
	}

What's in the Token?

What we care about in the JWT is the body, which usually contains:

a user identifier
user privileges ( in the case of the system having multiple user types )
other information

Some sources discourage putting sensitive information in the token as it can be read by anyone. If security is a concern, there are other options you can go with i.e using opaque tokens, phantom tokens .. etc.

Overview

Basic UI Elements

Routing

Controllers and CRUDs

DAOs and Repositories

Components and view models

Databases and Migrations

Prebuild UI Elements and Utilities

Show Errors

Network Calls and DTOs

Authorization, Authentication and Routing endpoints

Events, Data and State flow

E2E Testing

Detekt

System Boundaries Driven Development

Authorization, Authentication and Routing endpoints

Basic Definitions:

Authentication

Workflow

Browser ----------[Username & Password]---------> Server

Browser ----------------------------------------------------- Server [ authenticating ... ]

Browser <----------------[Access Token]--------------- Server

Browser ----[Request details & Access Token]--> Server

Authorization - Multiple types of users and Privileges

What's in the Token?

No Comments