Introduction to Authentication

At its core, a web application is just a server handing out resources and data to anyone who asks for them. By default, if someone knows the exact URL, they can ask the server for anything it has.

Imagine building a stunning gallery, taking the time to curate every exhibit, and then leaving the back loading-dock door wide open with a giant neon sign reading: “Management Office – Please feel free to re-arrange the exhibits.” That’s fine if it’s an empty warehouse, but real applications need both identity and access control.

In this chapter, we are going to focus completely on authentication (verifying who you are). We cannot begin to enforce authorization (verifying what you’re allowed to do) until we have definitively established the identity of the person knocking at the door. We’ll cover authorization in the next module.

For now, we’ll use Passport.js as our bouncer, implementing a Local Strategy (using good old-fashioned email and password) paired with server-side sessions to keep you comfortably logged in between page loads.

[Figure: Neo-Retro isometric conceptual diagram illustrating Authentication vs. Authorization]

Fig 1: Authentication (ID Scanner) vs. Authorization (VIP List)

T.A. Watts Note: Before we dive deep into the code, we need to sort out exactly how a stateless protocol like HTTP manages to remember that you’re securely logged in.

By the end of this chapter, you should be perfectly capable of:

  • Explaining the critical difference between authentication and authorization—and understanding why mixing them up is a recipe for disaster.
  • Describing the inner workings of session-based auth within an Express application.
  • Grasping exactly what Passport.js does (and, more importantly, what it doesn’t do for you).
  • Storing user passwords safely and securely using hashing + salting (because storing them in plain text is a fast track to ruin).
  • Putting up velvet ropes to protect sensitive application routes strictly behind an authentication check.

Starting point repo (continued from File Uploads repo)

We understand why we need doors. Now let’s learn how to check IDs versus checking VIP passes.