Introduction JSON Web Tokens (JWTs) play a crucial role in web application security. In this blog, we walkthrough the concept of JWT, focusing on the different types of claims, the structure of a JWT, and the algorithms used in signatures, and finally I will implement JWT authentication from scratch in Node.js and Express.js. This is my 4th article in Auth101! It’s 2024 now! Looking forward to a wonderful year filled with cool tech updates, new tricks in cyber security, and a bunch of fun coding adventures. I can’t wait to dive into more authentication topics with you all 😃 Understanding JWT JSON Web Tokens (JWTs) originated as a compact and self-contained way for securely transmitting information between parties as a JSON object. Defined in RFC 7519, JWTs have become a widely adopted standard in the field of web security for their simplicity and versatility. A JWT is a string comprising three parts separated by dots (.): Base64Url encoded header, Base64Url encoded payload, and signature. It typically looks like xxxxx.yyyyy.zzzzz. Let’s deep dive into the three parts: Header, Payload, and Signature. Header The header typically consists of the token type and the signing algorithm, such as HMAC SHA256 or RSA. For example:{ "alg": "HS256", "typ": "JWT" } Payload The payload contains claims, which are statements about an entity and additional metadata. Claims are categorized into registered, public, and private claims. The later two are for custom claims. Public claims are collision-resistant while private claims are subject to possible collisions. In a JWT, a claim appears as a name/value pair where the name is always a string…

Introduction In this blog post, we will dive into HTTP Basic Authentication, a method rooted in the principles outlined in RFC 7617. It’s worth noting that, the RFC specification defines the use of the “Authorization” header in HTTP requests to transmit the credentials. The credentials are typically sent as a Base64-encoded string of the form username:password. It also describes how servers should respond with appropriate status codes (e.g., 401 Unauthorized) when authentication fails. Step 1: Setting Up the Node.js and TypeScript Environment Please refer to the steps explained in our previous blog post Password Authentication In Node.Js: A Step-By-Step Guide at Step 1: Setting Up the Node.js and TypeScript Environment. Step 2: Creating the Server usersData.ts In this file, we define a simulated database of users with their hashed passwords using bcrypt. Each user has a username and a password field. This file acts as our database for the sake of this example. The usage of bcrypt also has been explained in Password Authentication In Node.Js: A Step-By-Step Guide already. interface User { username: string; password: string; } const users: User[] = []; export default users; basicAuthMiddleware.ts This file contains the basic authentication middleware. The middleware is responsible for authenticating users based on the credentials provided in the Authorization header. It uses bcrypt to compare the provided password with the hashed password stored in the usersData.ts file. import { Request, Response, NextFunction } from 'express'; import { Buffer } from 'buffer'; import bcrypt from 'bcryptjs'; interface User { username: string; password: string; } const basicAuthMiddleware = (users: User[]) => async (req: Request, res: Response, next: NextFunction) => { try { const authHeader…

Introduction Password-based authentication remains one of the most common and widely used methods to verify user identity in various online systems. It involves users providing a unique combination of a username and password to gain access to their accounts. Despite its prevalence, password-based authentication comes with security challenges, as weak or compromised passwords can lead to unauthorized access and data breaches. In this blog, I will guide you exploring password-based authentication from an easy to medium level, implementing password hashing in a Node.js and TypeScript environment. By the end of this hands-on tutorial, you will have a better understanding of how Password-based authentication works in your applications. Step 1: Setting Up the Node.js and TypeScript Environment To get started, ensure you have Node.js installed on your machine. Create a new project folder and initialize it with a package.json file. Here is the steps to show what I’ve done on Mac: brew install npm httpie mkdir password-auth cd password-auth npm init -y npm install -g ts-node npm install body-parser bcryptjs express --save npm install @types/bcryptjs @types/express @types/body-parser --save Setting up the programming environment is no doubt crucial, but let’s be honest, it can be a bit daunting. In my tutorials, I will try to make sure not to leave you hanging. I love providing comprehensive explanations, even for the simple tasks or commands. Let’s make this setup process a breeze together! I genuinely hope you find it helpful and that it keeps you smoothly sailing through the tutorial 🤓 Let’s walk through above commands. ▹ 1. brew is the package manager for macOS…

Introduction In the realm of information technology security, authentication plays a vital role in safeguarding sensitive data and ensuring the integrity of systems. Authentication serves as the first line of defense against unauthorized access, providing a means to verify the identity of users or entities attempting to access a system or resource. The Mechanisms and Factors of Authentication At its core, authentication is the process of confirming the claimed identity of an individual, device, or application. It establishes trust by validating that the entity requesting access is who they claim to be. Without effective authentication measures in place, sensitive information and valuable resources become vulnerable to unauthorized individuals or malicious entities. Various factors are used in authentication to establish identity and grant access. The most common authentication factors include something the user knows (such as a password or PIN), something the user has (like a physical token or a smartphone), or something the user is (biometric data, such as fingerprints or facial features). These factors can be combined in different ways to create stronger authentication mechanisms. Authentication protocols and methods are employed to facilitate the verification process. These protocols define the communication standards and procedures necessary to confirm the authenticity of the credentials presented by users or devices. Examples of authentication protocols include the traditional username/password combination, public key infrastructure (PKI) certificates, and more advanced methods like OAuth and OpenID Connect. Effective authentication is crucial in protecting against unauthorized access, data breaches, and other security threats. However, it is essential to strike a balance between security and usability. Organizations must…