taniarascia/auth.md

Last active July 5, 2024 05:43

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/taniarascia/a2d35af43ce133de20ac0a8c72558fea.js"></script>
Save taniarascia/a2d35af43ce133de20ac0a8c72558fea to your computer and use it in GitHub Desktop.

Download ZIP

JavaScript Authentication & Authorization Book/Course

Raw

auth.md

Authentication in Real-World Web Apps with JavaScript

Outline of ideas, concepts to cover, potential projects to write.

Setup Idea

Book with a video for each chapter.

Prerequisites/Overview

HTML, CSS, JavaScript
Front end/client side (Browser)
Back end/server side (Node)
REST APIs
HTTP codes

Concepts

Authorization (AuthZ)
Authentication (AuthN)
Cryptography
Headers
Sessions
JSON Web Tokens (JWT)
Identity Provider (IDP)
Cross-origin resource sharing (CORS)
Single sign on (SSO)
Multi-factor authentication (MFA)

Vulnerabilities

Leaking sensitive data
Storing unencrypted passwords
Cross-site request forgery (CSRF/XSRF)
Cross-site scripting (XSS)

Persistence

Cookies
- HTTP Only/Secure/SameSite
Web Storage
- Local Storage
- Session Storage

Specifications/Protocols/Terms/Standards

OAuth 2.0
- Client-side app
  - Proof Key for Code Exchange (PKCE)
  - Implicit grant
- Server-side app
  - Authorization Code Flow (Authorization Code grant)
OpenID Connect (OIDC)
System for Cross-domain Identity Management (SCIM)
Role-based access control (RBAC)

Project

Create a full-stack application
- Simple front end
- Node/Express back end
- Implements sign up, log in, log out, reset password
- Login 1: Custom username/password login
- Login 2: OAuth 2.0/OIDC with Google/Twitter/GitHub as the SSO IDP (Google OIDC, Google OAuth 2.0)
- Ability to associate SSO to an existing user
- Different roles (admin, user, maybe one more)

Topics to Cover

When to use different strategies (for example, PKCE in a client-side only app, session cookies for a BE+FE on the same subdomain, etc).

MarcinHoppe commented Jun 10, 2020

I'd add a few things, listed by category:

Concepts

Basics of cryptography needed to explain password hashing (will be useful later when implementing username/password login)
Perhaps obvious, but logging the user out is missing
Session management for event such as password reset, account recovery etc.
Multifactor authentication would probably be good to mention

Vulnerabilities

Leaking sensitive data like tokens, passwords, etc.

Protocols

Maybe just mention SAML. It is still the protocol in the enterprise space.

Project

Username/login option should include signup and password reset. It is often done poorly and leads to security vulnerabilities. I think there is value in explaining how to do it correctly

Codeindeed commented Jun 10, 2020

Wow looking up to read them soon

creative-cranels commented Jun 11, 2020

Awesome! Looking forward to read it (: good luck!!!
https://aaronparecki.com/oauth-2-simplified/
This article made me easier to understand oauth2

JamesOkunlade commented Jun 11, 2020

Really looking forward to this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment