What are Authentication and Authorization?
: Authentication and Authorization are functions used in almost every API.
Authentication is the step that checks the identity of a user: it is how users prove who they are to the service.
Authorization is the separate step that decides what an already-authenticated user is allowed to do.
Authentication is also what lets us track who is using our service and how.
In the authentication step a user ID or email and a password are required, and the password is the most sensitive item and must be protected (South Korean law makes protecting user passwords mandatory).
Passwords and other personal information must only be sent and received over HTTPS, i.e. HTTP encrypted with TLS (formerly SSL), so they cannot be read or altered in transit.
Stored passwords are not encrypted but hashed with a 'one-way hash' function: the server never needs to recover the original password, only to check whether a candidate produces the same hash.
Salting: attaching a random value (the salt) to each user's password before hashing, so that two users with the same password get different hashes and precomputed (rainbow) tables are useless.
Key stretching: running the hash function many thousands of times (a configurable cost factor) so that each single guess is deliberately slow.
=> A hash cannot be 'decrypted'; an attacker has to guess passwords and hash each guess. Salting and key stretching exist to make that guessing far slower and more expensive.
Bcrypt is the representative algorithm that combines salting and key stretching.
Since bcrypt stores the algorithm version, the cost factor (number of iterations), the salt, and the hash in a single result string (for example `$2b$12$` followed by the salt and hash), applying password hashing does not complicate the DB design: one column holds everything needed to verify later.
When a user logs in, the server reads the salt and cost from the stored string, runs the same bcrypt process on the submitted password, and compares the result with the stored hash using a constant-time comparison.
First of all, one characteristic of HTTP
is that it is stateless: the server does not remember previous requests and responses.
Thus, at user login,
the server issues a JSON Web Token (JWT) to the client, and the client sends it back with each later request to prove who it is.
This token is typically stored in local storage or session storage (note that any script running on the page can read those, so an XSS bug leaks the token; an HttpOnly cookie is the common alternative).
Structure: [Header.Payload.Signature] (the payload is sometimes called the content or the claims)
Header: contains token metadata such as the token type and the signing algorithm (e.g. "alg": "HS256").
(It is base64url-encoded, not encrypted: anyone holding the token can read it.)
Payload: contains the user ID (the subject the client and server agree on), the expiration time, and any private claims used under an agreement between servers.
(Sensitive information such as a social security number must not be recorded here, because the payload is only encoded and anyone who obtains the token can decode and read it.)
Signature: contains no user information at all. It is an HMAC (or a digital signature) computed over the encoded header and payload with a secret that only the server holds.
(Because only the holder of the JWT secret can produce a valid signature, a token signed by one site can only be verified by that site, and any change to the header or payload invalidates the signature. With HS256 the same secret both signs and verifies, so it must never be shared with clients.)
=> Sensitive information belongs in none of the three parts: a plain JWT provides integrity, not confidentiality. Keep such data server-side, or use an encrypted token (JWE) if it really must travel with the client.