Authentication & Security Flashcards
Level 1 - Register Users with Username and Password
Setup mongoose and mongoDB
npm i mongoose
const mongoose = require("mongoose"); mongoose.connect("mongodb://localhost:27017/credentials");
Run mongodb
terminal: mongod
By default, it listens to port 27017
1. Create schema const userSchema = { … }; 2. Create model based on the schema (model name is the singular noun) const User = mongoose.model("User", userSchema); 3. Set up POST handler for /register
Level 2 - Database Encryption
Encryption
The process of encoding and decoding messages
Cipher
An algorithm for performing encryption and decryption
Install and use mongoose-encryption
1. npm i mongoose-encryption
2. const encrypt = require('mongoose-encryption');
3. Schema should be created using new mongoose.Schema
4. Two methods of generating keys
Method 1
5. Modify the plugin options to encrypt only certain fields, in this case only the password
Encryption occurs on save()
Decryption occurs on find()
Level 2 [cont’d]
Using Environment Variables to Keep Secrets Safe
What are environment variables and how do they keep secrets safe?
Values kept outside the source code (here in a file) in which secret keys are stored
dotenv
Very popular npm package that is used for working with environment variables
Installation & Usage
1. npm i dotenv
2. In .js file:
Place require('dotenv').config() at the very top of the js file
3. Create a ".env" file in the root directory of the project
4. Add environment variables to the .env file
Format:
NAME=VALUE
5. Accessing an environment value
process.env.NAME
6. Add the .env file to .gitignore so it is never committed
Level 3 - Hashing Passwords
We won’t need an encryption key for hashing
How it works
Password -> Hash Function -> Hash
Store the Hash in the database
This makes it so that we do not have to store the user’s password
Hash functions are one-way functions
Easy to hash a password, but mathematically infeasible to go back from the hash and recover the password
md5
npm package for Hashing
Hacking 101
- Hash of the password is obtained
- Reverse hash tables (pre-built hash tables) can be generated and a powerful computer can be used to recover the password
- Dictionary Attack
Level 4 - Salting and Hashing Passwords with bcrypt
Prevents dictionary attacks or hash table attacks
Salting
Password + Salt (Random set of characters) are given to the Hash Function to generate the Hash
Salt value is stored in the database, along with the hash
bcrypt
Industry-standard password hashing algorithm that developers use
Makes it much slower to generate the hashes
Only works for specific and stable versions of node.js
Also uses salt rounds
Salt Rounds
Number of rounds/iterations used when salting and hashing the password
More rounds -> slower to compute -> more secure
nvm
Node version manager
Allows switching between multiple versions of node
What are cookies and sessions?
Cookies and Sessions store information from browser interaction
Cookies
Stored on the browser
Session
Stored on the browser, as well as the server
Cookies are created in response to a POST request
Cookies are saved, and can be retrieved in the GET request
Session
Period of time that a browser interacts with a server
Cookies are used to maintain a session
Maintains authentication until logging out, which is when the cookie and thus session ends
Using passport.js to Add Cookies and Sessions
npm install:
passport
passport-local
passport-local-mongoose
express-session
Level 6 - OAuth 2.0
Open standard for token based authorization
Delegate security to larger companies (Facebook, LinkedIn)
Why OAuth?
1. Grant granular level of access
Can request specific data accordingly
2. Read Only or Read + Write Access
3. Revoke Access
How to set up OAuth?
1. Setup App with 3rd party (Facebook, Google, LinkedIn)
Returns an appId or clientId
2. Redirect to Authenticate
3. User logs in
4. User grants permissions
5. Receive authorization code from the provider (e.g. Facebook)
6. Exchange authorization code for access token
Receive access token and save it into our database
Auth code vs Access Token
Auth code - works one time
Access Token - works multiple times