
@w3cj
Created December 18, 2015 18:53

Authentication and Authorization Review


What is authentication?

Who you are


What is authorization?

What you can access


Name 2 types of login.

Form-based, OAuth, Single Sign-On


Signing Up


What is the first thing that happens when a user signs up?

POST request with user details in the body


After the POST request is made to the server, what is the next thing the server will do?

Check to see if a user exists with given email


If a user does not exist in the database, what will the server do with the sign up information before inserting it into the database?

Hash the password with a per-user random salt (bcrypt generates and stores the salt for you); only the hash is inserted, never the plaintext


What is the npm module used to hash a password?

bcrypt


Signing In


What is the first thing that happens when a user signs in?

POST request with user details in the body


After the POST request is made to the server, what is the next thing the server will do?

Check to see if a user exists with given email


If a user email DOES NOT exist in the database, what will the server do?

Redirect to the login page or an error page, using the same generic "invalid email or password" message as for a wrong password so the response does not reveal which emails are registered


If a user DOES exist in the database, what is the next thing the server will do?

Hash the submitted password with the salt stored in that user's record (bcrypt keeps the salt inside the stored hash string, so bcrypt.compare does this step for you)


After hashing the password, what is the next thing the server will do?

Compare the result with the hash stored in the database, using the library's compare function rather than plain string equality


If the hashes match, what will the server do next?

Create a server-side session, set its random identifier in a cookie, and redirect


If the hashes DO NOT match, what will the server do next?

Redirect with error


Authorization


What is authorization?

What you can access


What mechanism is used to determine if a user is logged in?

Cookies/Sessions


What 2 pieces of information are contained in a request that requires authorization?

Who you are (Session/Cookie) and What you would like to do (url/endpoint)


If a user is attempting to update the resource located at /articles/24 What will the server do first?

Lookup the article with an id of 24


If the resource exists, what will the server do next?

Determine if the id of the logged in user matches the creator_id of the article


If the logged in user does not match the creator_id of the article, what are 2 things the server can do?

Redirect to login page, Redirect to some other page, Render/send an access denied message (403 Forbidden; 401 is for a request with no valid login at all), Redirect to 404 page (hides whether the article exists)
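The authorization check for "update /articles/24" above, as an added example that is not part of the original gist. Assumptions: the session has already been resolved from the cookie to an object with userId; articles sit in an in-memory table with a creator_id column as in the gist; authorizeUpdate, updateArticleHandler and the sample rows are illustrative names and constructed data.

```javascript
// Added example: owner check for PUT /articles/:id.
// Assumption: req.session is the logged-in user resolved from the cookie, and
// the articles table is the in-memory Map below (constructed sample data).
const articles = new Map([
  [24, { id: 24, creator_id: 7, title: 'Sessions 101' }],
  [25, { id: 25, creator_id: 9, title: 'Cookies' }],
]);

// Decide whether `session` may update the article at /articles/:id.
// Returns the HTTP status the handler should send and, when allowed, the article.
function authorizeUpdate(session, articleIdParam) {
  // Who you are: with no session there is no identity to authorize.
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, reason: 'not logged in', redirect: '/login' };
  }
  // What you want to do: the id comes from the URL, so validate it before it
  // reaches the database instead of trusting it.
  const articleId = Number(articleIdParam);
  if (!Number.isInteger(articleId)) {
    return { status: 404, reason: 'no such article' };
  }
  // Step 1: look the resource up.
  const article = articles.get(articleId);
  if (!article) {
    return { status: 404, reason: 'no such article' };
  }
  // Step 2: the logged-in user's id must equal the article's creator_id.
  // Without this check any logged-in user could edit any article by editing
  // the number in the URL (the "other page" options in the gist are the
  // redirect variants of this same denial).
  if (article.creator_id !== session.userId) {
    return { status: 403, reason: 'not the creator' };
  }
  return { status: 200, article };
}

// Express-style handler for illustration; the decision lives in
// authorizeUpdate so it can be tested without a server.
function updateArticleHandler(req, res) {
  const decision = authorizeUpdate(req.session, req.params.id);
  if (decision.status !== 200) {
    return res.status(decision.status).send(decision.reason);
  }
  decision.article.title = req.body.title;
  return res.status(200).json(decision.article);
}
```

The ownership comparison is done on the server against the row fetched by id, never against anything the client sends about who owns the article; a client-supplied creator_id in the body would defeat the check.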


fin
