#Learning Journal Week 4
Monday we learned about basic-auth. A not-so-secure method of creating authorization for a user to have access rights to an application. Tuesday we learned a more secure and harder to hack authorization mehtod known as bearer-auth Thursday we practiced travis ci deployment, making tests pass for successfull deployment
My primary focus for this week was to wrap my head around authorization so I can implement into future projects. Here are the notes I took in relation to my interests
#Part 2 Authorizations 1)client request to backend will be a https request
2)the backend will hash the password(and store it) then generate a token seed(aka compare-hash)
Once the password is hashed, the password is stored and never used again except to re-login or change password. The hash compare is a generated hahsed password compared to your hashed password
- Create a token
4)send token back to the user. Client stores the token/. Tokens can have a timer of inactivity token that will automatically log out after a certqin amoutn of time
NOTE: Making a mock is important so you cna test one thing at a time. like testing for api, then get, then post, etc. This allows you to make mock data for your test cases
#PART 2
#Editpad.org website used in the demo to generate a token
cmpare hadns/token seed ---> crypto "secret ----> Token ------> Token Seed returns
//this is for basic-auth-middleware.js jsonWebToken.verify(token, process.env.APP_SECRET, (err, decodedValue) => { //jsonWebToken is a library to give us our token if(eror) { err.message = ERROR_MESSAGE return errorHandler(error, response) } //at this point we have our compare hash/token seed Auth.findOne({compareHash: decodedValue.token}) .then(user => { if(!user) return errorHandler(new Error(ERROR_MESSAGE), response) request.user = user //we are mutating the rewquest with a user. We muaute request based on success(verrify we are logged in) return next() })
})
use a crypto algorithim to get our hash password back
#PART crypto gives us a random bcrypto hashes our random password and compares to verify jsonWebToken - crypto algorithm to parse and pass the hashed password back and forth
token seed/compare hash -->token : the token is in the backend and only in the backend(aka the client side). the compare hash goes to the token to recieve access the front end uses the copmare hash on the front end to compare AND validate
Token has to be long, stringified and UNIQUE! Used to identify the user name in a encrypted way
client ==> backemnd ===> node/express (mocked ---> mongoDB)