Authentication vs Authorization / SignUp & SignIn

이지은 · 23 March 2021

Authentication means confirming your own identity, whereas authorization means granting access to the system.

-> Authentication is verifying who you are; authorization is being granted access to a system or resource. At first glance they look similar, but they are clearly distinct concepts.

① Authentication

is about validating your credentials, such as username/user ID and password, to verify your identity. The system checks your credentials.

Depending on the required security level, the authentication factors vary as follows.

(Single-Factor Authentication, Two-Factor Authentication, Multi-Factor Authentication (most advanced))

1) Login Process

user enters id & pw ->
encrypt (hash) the pw; the same encrypted form is what was stored in the DB at sign-up ->
compare the encrypted pw the user entered with the encrypted pw stored in the DB ->
if identical: successful login! ->
send an "access token" to the client!

2) User Password Encryption

  • User PW MUST BE ENCRYPTED when stored (in case the DB is compromised)

  • A one-way hash function is generally used when encrypting the pw
    (a one-way hash function is a mathematical function that generates a fingerprint of the input, with no way to get back to the original input)

  • The one-way hash function produces a digest, which is the encrypted message.
    (a message digest function is a cryptographic primitive used for digital signatures & pw protection)

3) Bcrypt (password-hashing function)

A plain one-way hash has a few weaknesses, such as rainbow table attacks.

  • 2 ways to address these weaknesses

    ① Salting :

    a salt is random data used as an additional input to a one-way hash function (safeguards the pw in storage)
    i.e. extra random data is appended to the pw before the hash is computed

    ② Key Stretching :

    a technique used to make a possibly weak key more secure against attack by increasing the time it takes to test each key.

    The hash value is hashed again repeatedly (the key is "stretched"), which makes attacks harder!

  • Bcrypt is a hash function that implements both salting and key stretching!

    JWT (JSON Web Tokens):
    After a successful login, the user attaches encrypted user info called an access token to each request it sends.

② Authorization

Authorization occurs after successful authentication.
It gives you full access to resources such as information, DBs, etc.
(it confirms whether the user has the authority for the request)

ex) verifying an employee's ID & PW (authentication) --> determining which employee has access to which file (authorization)

  • Flow: create an access token (at authentication) ->
    append the access token to the user's request ->
    the server decodes the user's access token ->
    get the user id from the decoded token ->
    confirm the user's permission in the DB ->
    if the user has permission, fulfil the request;
    otherwise send an error code such as 401 (Unauthorized response)

Although distinctly different, authentication and authorization are frequently used in conjunction with each other!

Both are crucial to the web infrastructure when granting access to a system!

③ SignIn & SignUp using fetch (React)

General Process :

1) User types in Email -> the onChange function runs
2) The Email input value is stored with setState
3) User types in Password -> the onChange function runs
4) The Password input value is stored with setState
5) Click the button -> the onClick function runs
6) The fetch call inside the onClick function -> sends the Request to the server!
7) The server sends a Response back after Authentication & Authorization!
8) Page change/error message based on the content of the response

ex>

fetch("api address", {
  method: "POST",                                        // a GET request cannot carry a body
  headers: { "Content-Type": "application/json" },       // tell the server the body is JSON
  body: JSON.stringify({
    email: this.state.id,
    password: this.state.pw,
  }),
})
  .then((response) => response.json())
  .then((result) => console.log("success"));

-> JSON.stringify() method: converts an existing object into a JSON string
-> then() method: used for handling async processing
