
@MinimumViablePerson
Last active March 15, 2022 14:59

Auth - In a nutshell

Dotenv

A useful library to create and read environment variables.

Why?

Store/get information privately from a machine, without pushing it to Github.

Installing

npm i dotenv

Working with Dotenv

// this reads the .env file in the working directory and copies each KEY=VALUE
// line into process.env (variables already set in the environment are kept as-is)
import 'dotenv/config'

// We can then access any variable with (always a string, or undefined if unset):
process.env.MY_VARIABLE_NAME
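To make the loading step concrete, here is an added example (not dotenv's own code) of a minimal .env parser and loader. It follows the rule dotenv applies: a variable already present in the environment is never overwritten by the file, so a real deployment value wins over a checked-in default. The file contents are constructed for the example.

```javascript
// Added example, not dotenv's source: a minimal .env parser/loader.
// SAMPLE_ENV_FILE is a constructed stand-in for the contents of a .env file.
const SAMPLE_ENV_FILE = [
  '# comments and blank lines are ignored',
  '',
  'MY_SECRET=super-secret-value',
  'DB_URL="postgres://user:pw@localhost/db"',
  'PORT = 3000',
  'EMPTY=',
].join('\n');

// Parse KEY=VALUE lines into a plain object. Surrounding quotes are stripped,
// whitespace around key and value is trimmed, '#' comment lines are skipped.
function parseEnv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue; // not a KEY=VALUE line, ignore it
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    result[key] = value;
  }
  return result;
}

// Copy parsed values into an env object (process.env by default). Like dotenv,
// a variable that is already set wins, so the file only fills in what is missing.
function loadEnv(parsed, env = process.env) {
  for (const [key, value] of Object.entries(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(env, key)) env[key] = value;
  }
  return env;
}

// Usage: loadEnv(parseEnv(SAMPLE_ENV_FILE)) populates process.env;
// passing a plain object instead of process.env keeps the demo side-effect free.
```

Note that every value comes back as a string, which is why `PORT` is `'3000'` and not `3000`; code that needs a number has to convert it explicitly.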

Bcrypt

Description

Library that helps us create a hash of a password: a scrambled string from which the original password cannot feasibly be recovered.

Why?

We do not want to store plain text passwords from our users directly in our DB, because then anybody with access to our DB would be able to see them. If we store only the hash, bcrypt can compare the password the user enters when they sign in against the hash created when they signed up, and verify they are who they say they are without us ever knowing their actual password.

Installing

npm i bcryptjs @types/bcryptjs

Working with Bcrypt

import bcrypt from 'bcryptjs'

// create a hash
// `password` is the plain-text value from the sign-up request body;
// 8 is the salt rounds (work factor), so the hash stored in the DB already contains its own random salt
const hash = bcrypt.hashSync(password, 8)

// check if a password matches a hash
// `user.password` is the hash stored at sign-up; compareSync re-hashes the entered password with that salt and returns true/false
const passwordMatches = bcrypt.compareSync(password, user.password)

JWT

Description

A library that generates a token based on some data given and a secret. It can then verify that a token has a valid signature, and decode its data.

Why?

This token is a useful piece of information we can store in the browser. Sending this to our server lets our server know that we are holding a token issued by the server, and it can therefore trust we are who we say we are.

Installing

npm i jsonwebtoken @types/jsonwebtoken

Working with JWT

import jwt from 'jsonwebtoken'

// create a token
// the payload is signed, not encrypted: anyone holding the token can read { id: 3 }, they just cannot change it
// expiresIn accepts a duration string ('3days', '3d', '12h', ...) or a number of seconds
// jwt.sign throws if process.env.MY_SECRET is unset, so load dotenv first
const token = jwt.sign({ id: 3 }, process.env.MY_SECRET, { expiresIn: '3days' })

// verify and decode a token
// once this is done, we can trust this was a token issued by our server
// we also have the user's id and can find them on our DB
// jwt.verify throws if the signature does not match our secret or the token has expired, so call it inside try/catch
const decodedData = jwt.verify(token, process.env.MY_SECRET)

Using a token

Once your client has received a token you can:

  • store it in localStorage so you don't lose it on refresh
  • send it over with every request you make to the server, so they know it's you

Keep in mind that anything in localStorage can be read by any script running on the page, so a token kept there is only as safe as the page is from injected scripts.

Storing the token in localStorage

localStorage.token = tokenGoesHere

// alternative syntax
localStorage.setItem('token', tokenGoesHere)

Getting a token from localStorage

localStorage.token

// alternative syntax
localStorage.getItem('token')

Deleting a token from localStorage

localStorage.removeItem('token')

Sending a token in the headers

fetch(someUrl, {
  headers: {
    Authorization: insertYourTokenHere
  }
})

Helpful Endpoints

Create a new account

  • Request: POST /sign-up { email, password }
  • Response: { user, token }

Sign in

  • Request: POST /sign-in { email, password }
  • Response: { user, token }

Validate user

  • Request: GET /validate
  • Headers: { Authorization: token }
  • Response: { user }