@halitbatur
Last active May 29, 2022 10:47
Auth and Security Discussion questions

Auth and Security Discussion

Please go through the points below, answer the questions in the comments and discuss them with your mates.

  • What are the benefits of registration and signing in on GitHub?
  • What is the difference between authentication and authorization?
  • How can we prevent a request from being fulfilled? For example, someone trying to access another user's private GitHub repo.
  • After the user logs in using the backend end-point we create, how can we keep that user logged in without asking them to log in again each time they visit the website or send a request that requires authentication?
  • What is base64 encoding?
  • What are salt rounds? How do they work?
  • What is the Caesar cipher? How do only the communicating sides know how to decrypt the message?
@muhammed-shihebi-boot

@okurezgi

Noor Awied, Ezgi Okur, Mohammad Sheikh Ibrahim

1- What are the benefits of registration and signing in on GitHub?

You can upload your projects to share with others.
You can connect with others - follow your teammates or users whose work you like.
You can use forking to copy someone's work and work on it.
You can watch others' code and its development.
You can use "like" to see projects or posts later.
You can reach your projects from multiple devices.
You can save your progress, keep track of your project and continue working later.
2- What is the difference between authentication and authorization?

Authentication:
The process of verifying the identity of the person making the request. It is done using passwords, PINs and other data provided by the user. Authentication is one of the first and most important steps for managing what a user can access.
It relies on information like: what you know (e.g. a password), what you possess (e.g. a token), what you are (e.g. biometrics).

Authorization:
Determining what files, data, etc. the user can access in an application. It is done by certain permissions and settings that are set by the application developers. Authorization cannot be done without authentication, so it is the step after authenticating the user.
Most popular techniques: role-based authorization, by the roles defined by the organization for your authenticated account; attribute-based authorization, by following a series of certain attributes.

3- How can we prevent a request from being fulfilled? Like trying to access a private GitHub repo of someone else?

By setting up an authorization process in the API, we can put access management policies in place.

4- After the user logs in using the backend end-point we create, how can we keep that user logged in without asking them to log in again each time they visit the website or send a request that requires authentication?

Use either JSON Web Tokens (JWTs) or sessions to keep track of user login, because when we browse the web we use HTTP, which is a stateless protocol. So the only way to remember the state of our application is to use either sessions or tokens.

5- What is base64 encoding?

Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format. It is designed to carry data stored in binary format across channels. It helps your data end up on the other side safely without any corruption. It prevents situations like some protocols interpreting your binary data as control characters (like a modem), or your binary data getting screwed up because the underlying protocol thinks that you've entered a special character combination (like how FTP translates line endings). It takes any form of data and transforms it into a long string of plain text. Base64 uses only 6 bits (2⁶ = 64 characters) to ensure the printable data is human readable.

6- What are salt rounds? How do they work?

Bcrypt is a password hashing function that allows building a password security platform that can evolve alongside hardware technology. It uses the expensive key setup phase of the Blowfish cipher.
A cryptographic salt is made up of random bits added to each password instance before its hashing. Salts create unique passwords even in the instance of two users choosing the same password. The salt is usually included in the resulting hash string in readable form. So by storing the hash string you also store the salt.
A salt round means the cost factor. The cost factor controls how much time is needed to calculate a single bcrypt hash.
When bcrypt was first published, in 1999, they listed their implementation's default cost factors:
normal user: 6
super user: 8
A bcrypt cost of 6 means 64 rounds (2⁶ = 64).
Every bcrypt implementation uses 10 as the default cost.

7- What is the Caesar cipher? How do only the communicating sides know how to decrypt the message?

A Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on.
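Added example for answer 5 above (base64), not code from the gist or from either comment: the encoder is written by hand so the 6-bit regrouping and the "=" padding are visible, the decoder rejects malformed input instead of guessing, and the last function decodes an HTTP Basic authorization header to make the security point that base64 is reversible by anyone who sees it. The header value is constructed for the example.

```python
# Added example, not code from the gist or its comments: base64 done by hand so the
# 6-bit regrouping and '=' padding are visible, plus a reminder that base64 is
# reversible by anyone (it is encoding, not encryption).
import base64

# The 64-symbol alphabet: 2**6 values, all printable ASCII, safe for text-only channels.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Regroup every 3 input bytes (24 bits) into 4 six-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)                                  # 0, 1 or 2 bytes short in the last group
        bits = int.from_bytes(chunk + b"\x00" * missing, "big")   # 24-bit integer
        symbols = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        encoded = "".join(ALPHABET[s] for s in symbols)
        # Each missing input byte turns one trailing symbol into '=' padding.
        out.append(encoded[:4 - missing] + "=" * missing)
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Inverse of the above; rejects malformed input instead of guessing."""
    if len(text) % 4 != 0:
        raise ValueError("base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        if pad > 2 or (pad and not group.endswith("=" * pad)):
            raise ValueError("padding must be one or two '=' at the end of a group")
        bits = 0
        for ch in group:
            # ALPHABET.index raises ValueError for any character outside the alphabet.
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def decode_basic_auth(header: str) -> tuple:
    """HTTP Basic auth is 'user:password' in base64: readable by anyone who sees the header."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = b64decode_manual(encoded).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for sample in (b"M", b"Ma", b"Man", bytes(range(256))):
        # Cross-check the hand-written encoder against the standard library.
        assert b64encode_manual(sample) == base64.b64encode(sample).decode("ascii")
        assert b64decode_manual(b64encode_manual(sample)) == sample
    print(b64encode_manual(b"Man"), b64encode_manual(b"Ma"), b64encode_manual(b"M"))
    print(decode_basic_auth("Basic dXNlcjpwYXNz"))   # constructed header, not a real credential
```

Running it prints TWFu, TWE= and TQ== for the three short inputs, and ("user", "pass") for the constructed header, which is why Basic auth is only as safe as the TLS connection carrying it.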

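Added example for answer 6 above (salt rounds), not code from the gist or from either comment. bcrypt is a third-party package, so this uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in; the scheme name, the "$"-separated string format and the cost range are choices made for the example, not bcrypt's own. It shows the three points the answer makes: a random per-password salt, a cost factor meaning 2^cost rounds, and a self-describing hash string that carries salt and cost so the verifier can recompute the hash, plus the rehash check that lets the cost rise as hardware gets faster.

```python
# Added example, not code from the gist or its comments. PBKDF2-HMAC-SHA256 stands in
# for bcrypt (assumption: the '$pbkdf2-sha256$cost$salt$digest' format is ours, not bcrypt's).
import base64
import hashlib
import hmac
import os
import time

DEFAULT_COST = 10   # the value the comment above quotes as the usual default; 2**10 = 1024 rounds here


def hash_password(password: str, cost: int = DEFAULT_COST, salt: bytes = None) -> str:
    """Return '$pbkdf2-sha256$<cost>$<salt>$<digest>' (a bcrypt-style self-describing string)."""
    if not 4 <= cost <= 31:
        raise ValueError("cost must be between 4 and 31")
    if salt is None:
        salt = os.urandom(16)            # 128 random bits, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        cost,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_hash(stored: str) -> tuple:
    """Split the stored string back into (cost, salt, digest); the salt is not secret."""
    _, scheme, cost, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme " + scheme)
    return int(cost), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    cost, salt, expected = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_cost: int = DEFAULT_COST) -> bool:
    """True when a hash was made with a lower cost than policy now requires;
    the usual place to act on this is right after a successful login."""
    return parse_hash(stored)[0] < current_cost


def seconds_per_hash(cost: int) -> float:
    """Time one hash so a deployment can pick a cost that fits its hardware."""
    start = time.perf_counter()
    hash_password("benchmark", cost)
    return time.perf_counter() - start


if __name__ == "__main__":
    h1 = hash_password("correct horse battery staple")
    h2 = hash_password("correct horse battery staple")
    print(h1)
    print(h2)                       # same password, different salt, different string
    print(verify_password("correct horse battery staple", h1), verify_password("wrong", h1))
    old = hash_password("correct horse battery staple", cost=6)   # the 1999 "normal user" value
    print("rehash needed:", needs_rehash(old))
    for cost in (8, 10, 12, 14):
        print("cost %2d: %.4f s" % (cost, seconds_per_hash(cost)))   # each step roughly doubles
```

The timing loop at the end is the practical answer to "which cost should I use": raise the cost until one hash takes as long as the login endpoint can afford, and let needs_rehash upgrade old entries as users sign in.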
@sarahmood

Sara, Emine, Huzeyfe

  1. What are the benefits of registration and signing in on GitHub?

GitHub has different types of accounts. There are three types of accounts on GitHub: personal accounts, organization accounts and enterprise accounts.

Every person who uses GitHub signs into a personal account. An organization account enhances collaboration between multiple personal accounts, and an enterprise account allows central management of multiple organizations.

As a student, you can apply for the GitHub Student Developer Pack, which includes offers and benefits from GitHub partners.

Benefits of using GitHub:
1. It makes it easy to contribute to your open source projects
To be honest, nearly every open-source project uses GitHub to manage its project. Using GitHub is free if your project is open source and includes a wiki and issue tracker that makes it easy to include more in-depth documentation and get feedback about your project. If you want to contribute, you just fork a project, make your changes and then send them a pull request using GitHub web interface.
2. Documentation
By using GitHub, you make it easier to get excellent documentation. Their help section and guides have articles for nearly any topic related to git that you can think of.
3. Showcase your work
Are you a developer who wishes to attract recruiters? GitHub is the best tool you can rely on for this. Today, when searching for new recruits for their project, most companies look into the GitHub profiles. If your profile is available, you will have a higher chance of being recruited even if you are not from a great university or college.
4. Markdown
Markdown allows you to use a simple text editor to write formatted documents. GitHub has revolutionized writing by channeling everything through Markdown: from the issue tracker, user comments, everything. With so many other programming languages to learn for setting up projects, it’s really a big benefit to have your content inputted in a format without having to learn yet another system.
5. GitHub is a repository
This was already mentioned before, but it’s important to note, that GitHub is a repository.
What this means is that it allows your work to get out there in front of the public. Moreover, GitHub is one of the largest coding communities around right now, so it’s wide exposure for your project.
6. Track changes in your code across versions
When multiple people collaborate on a project, it’s hard to keep track of revisions—who changed what, when, and where those files are stored. GitHub takes care of this problem by keeping track of all the changes that have been pushed to the repository. Much like using Microsoft Word or Google Drive, you can have a version history of your code so that previous versions are not lost with every iteration.
7. Integration options
GitHub can integrate with common platforms such as Amazon and Google Cloud, services such as Code Climate to track your feedback, and can highlight syntax in over 200 different programming languages.

  2. What is the difference between authentication and authorization?

Simply put, authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, and data a user has access to.

  3. How can we prevent a request from being fulfilled? Like trying to access a private GitHub repo of someone else?

Using validation and custom rules to block specific situations or users from accessing parts where security is required.

  4. After the user logs in using the backend end-point we create, how can we keep that user logged in without asking them to log in again each time they visit the website or send a request that requires authentication?

The better way is to never let a user's information leave the server, except for the id.
When the user logs in, generate a large (128 to 256 bit) random token. Add that to a database table that maps the token to the user, and then send it to the client in the cookie.

An API token is similar to a password and allows you to authenticate to Dataverse Software APIs to perform actions as you. Many Dataverse Software APIs require the use of an API token.

  5. What is base64 encoding?

Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format.

When data is transferred over the network, it is chopped into chunks called packets, and each packet contains data in binary format (0101000101001). Base64 takes binary data and transforms it into a long string of plain text.

  6. What are salt rounds? How do they work?

A salt is a random string added to the password being hashed. Since hashing a specific password always returns the same length, hashes are predictable.
When you have hashing + salt, the hash algorithm's output is no longer predictable, because you are adding an automatically generated random string to the hashing algorithm each time, and you do not need to store it in a database.

  7. What is the Caesar cipher? How do only the communicating sides know how to decrypt the message?

It is an encryption technique. It is a type of substitution cipher in which each letter is replaced by another letter located a little further along the alphabet.
The communication is based on shifted letters.
Example: encrypt DCODEX with a shift of 3.
To encrypt D, take the alphabet and look 3 letters after: G. So D is encrypted as G.
To encrypt X, loop around the alphabet: after X comes Y, after Y comes Z, after Z comes A. So X is coded as A.
DCODEX is coded as GFRGHA.

Sources:
Q2: https://www.sailpoint.com/identity-library/difference-between-authentication-and-authorization/
Q3: https://blog.logrocket.com/how-to-handle-data-validation-in-node-using-validatorjs/
Q4: https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach
Q5: https://levelup.gitconnected.com/what-is-base64-encoding-4b5ed1eb58a4
Q6: https://heynode.com/blog/2020-04/salt-and-hash-passwords-bcrypt/
Q7: https://www.dcode.fr/caesar-cipher
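Added example for answers 2, 3 and 4 in the comment above, not code from the gist or from either comment. It implements the "keep me logged in" scheme the answer to question 4 describes (a random 256-bit token mapped to the user in a server-side table and sent back in a cookie) and then uses the resulting identity to decide whether a request for a private repository is fulfilled, which is the authentication-then-authorization split from questions 2 and 3. The users, repository names and one-week lifetime are constructed for the example; only a hash of the token is kept server-side, which is an extra hardening step not mentioned in the answer.

```python
# Added example, not code from the gist or its comments. Users, repos and the TTL are
# constructed for illustration; storing sha256(token) instead of the token is our choice.
import hashlib
import secrets
import time

SESSION_TTL = 7 * 24 * 3600        # one week, a policy choice for this example


def _digest(token: str) -> str:
    # Store only a hash of the token: a leaked sessions table then cannot be replayed.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side table: sha256(token) -> (user, expiry). The client holds only the token."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: float = None) -> str:
        token = secrets.token_urlsafe(32)           # 32 random bytes = 256 bits
        now = time.time() if now is None else now
        self._sessions[_digest(token)] = (user, now + SESSION_TTL)
        return token

    def lookup(self, token: str, now: float = None):
        """Return the user for a valid, unexpired token, else None (anonymous)."""
        now = time.time() if now is None else now
        entry = self._sessions.get(_digest(token))
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            self._sessions.pop(_digest(token), None)   # lazy expiry
            return None
        return user

    def revoke(self, token: str) -> None:
        self._sessions.pop(_digest(token), None)


def set_cookie_header(token: str) -> str:
    """Cookie attributes that keep the token away from page scripts and off plain HTTP."""
    return "session=%s; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=%d" % (token, SESSION_TTL)


def token_from_cookie(cookie_header: str) -> str:
    """Pull the session token out of a 'Cookie:' header value; '' when absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


# Constructed repository table: owner and visibility are all that authorization needs here.
REPOS = {
    "alice/public-notes": {"owner": "alice", "private": False},
    "alice/secret-plans": {"owner": "alice", "private": True},
}


def handle_get_repo(store: SessionStore, cookie_header: str, repo: str, now: float = None) -> tuple:
    """Authenticate (who is asking?) then authorize (may they see this repo?)."""
    user = store.lookup(token_from_cookie(cookie_header), now)      # None = anonymous
    meta = REPOS.get(repo)
    # Private repos and missing repos both answer 404, so a stranger cannot learn
    # which private names exist; only the owner gets 200 for a private repo.
    if meta is None or (meta["private"] and user != meta["owner"]):
        return 404, "Not Found"
    return 200, "repository %s (viewer: %s)" % (repo, user or "anonymous")


if __name__ == "__main__":
    store = SessionStore()
    alice = store.create("alice")
    print(set_cookie_header(alice))
    print(handle_get_repo(store, "", "alice/secret-plans"))                    # anonymous: 404
    print(handle_get_repo(store, "session=" + alice, "alice/secret-plans"))    # owner: 200
    bob = store.create("bob")
    print(handle_get_repo(store, "session=" + bob, "alice/secret-plans"))      # other user: 404
    print(handle_get_repo(store, "session=" + bob, "alice/public-notes"))      # public: 200
```

The authorization rule lives in one place (handle_get_repo), separate from the session lookup, so adding collaborators or organization roles later changes the rule without touching how users are recognized; the 404 for unauthorized private repos mirrors what the question asks about, where the request is simply not fulfilled.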

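Added example for question 7, not code from the gist or from either comment. It implements the shift cipher with the shift as the shared key (encrypting DCODEX with shift 3 gives GFRGHA, as in the comment above), then answers the second half of the question from the attacker's side: the key is the only thing the two sides share, and because there are just 25 possible keys anyone can try them all, and a letter-frequency test can even pick the right one automatically. The English letter-frequency table and the sample message are constructed for the example.

```python
# Added example, not code from the gist or its comments: the Caesar cipher with the shift
# as the shared key, plus brute force and a frequency test showing why 25 keys is no secret.
import string

ALPHA = string.ascii_uppercase

# Approximate relative frequency (%) of letters in English text, A..Z (standard published values).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places, wrapping Z->A; case and other characters are kept."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext: the attacker does not need the key, just 25 tries."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


def chi_squared(text: str) -> float:
    """Distance between a text's letter histogram and English (lower = more English-like)."""
    letters = [c for c in text.upper() if c in ALPHA]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for i, letter in enumerate(ALPHA):
        expected = n * ENGLISH_FREQ[i] / 100.0
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack(ciphertext: str) -> tuple:
    """Pick the key whose decryption looks most like English; returns (key, plaintext)."""
    key = min(range(1, 26), key=lambda k: chi_squared(decrypt(ciphertext, k)))
    return key, decrypt(ciphertext, key)


if __name__ == "__main__":
    print(encrypt("DCODEX", 3))           # the worked example above: GFRGHA
    # Constructed sample message; the key 11 is the "secret" the two sides share.
    msg = "The enemy will attack the northern bridge at dawn, send reinforcements tonight"
    ct = encrypt(msg, 11)
    print(ct)
    for key, guess in brute_force(ct).items():
        print("%2d %s" % (key, guess))
    print(crack(ct))                      # recovers (11, msg) without knowing the key
```

The frequency attack works on any message long enough for letter statistics to show through, which is the general lesson behind the cipher: a secret key is necessary, but a key space of 25 is so small that keeping it secret buys nothing.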