Authentication From Scratch
Master every layer of modern web authentication, from password hashing to OAuth 2.0 and JWTs. You will build a fully functional auth system with registration, login, session management, and third-party login by the end of this course.
Course Content
6 modules · 30 lessons
Authentication Fundamentals
Understand what authentication is, why it matters, and how HTTP statelessness shapes every auth strategy you will use.
What is authentication and why does it matter
authentication definition, authentication vs authorization, identity verification, trust model, HTTP statelessness, session problem
How passwords should be stored in a database
plaintext password risks, hashing vs encryption, bcrypt algorithm, salt, work factor, rainbow table attacks
What is HTTPS and why auth requires it
TLS handshake, man-in-the-middle attacks, certificate authority, HSTS, mixed content, HTTP vs HTTPS for credentials
Common authentication attack types explained
brute force attacks, credential stuffing, phishing, session hijacking, CSRF, replay attacks, rate limiting as defense
Setting up an Express project for auth development
Express setup, middleware stack, environment variables, dotenv, project structure, nodemon, basic route skeleton
Session-Based Authentication
Implement a complete cookie-session auth flow using express-session and connect-pg-simple so users stay logged in across server restarts.
How cookie-session authentication works
session lifecycle, session ID, server-side session store, Set-Cookie header, session cookie vs persistent cookie, session fixation
How to set up express-session in Node.js
express-session package, session options, secret, resave, saveUninitialized, cookie options, HttpOnly, Secure, SameSite
Storing sessions in a database instead of memory
MemoryStore limitations, production session stores, connect-pg-simple, connect-redis, session table schema, session store connection
Building login and logout routes with sessions
login route, credential verification, session creation, logout route, session destroy, protected route middleware, req.session.userId
How to implement a remember me feature
persistent cookies, maxAge, remember me checkbox, long-lived session, security tradeoffs, absolute vs sliding expiry, re-authentication for sensitive actions
JWT Authentication
Understand the structure and security properties of JSON Web Tokens and implement a stateless auth system with access tokens and refresh tokens.
What is a JWT and how is it structured
JWT definition, header, payload, signature, base64url encoding, claims, standard claims (iss, aud, exp, sub), token inspection
How to sign and verify JWTs in Node.js
jsonwebtoken package, jwt.sign, jwt.verify, secret key, algorithm options, token expiry, verification errors, algorithm confusion attack
Where to store JWTs in the browser
localStorage vs httpOnly cookie, XSS risk, CSRF risk, token storage tradeoffs, Authorization header, Bearer token pattern
Access tokens and refresh tokens explained
access token lifetime, refresh token lifetime, token rotation, refresh endpoint, silent refresh, token family tracking, refresh token reuse detection
How to invalidate JWTs before they expire
JWT statelessness problem, token blacklist, short expiry strategy, token versioning in DB, logout and token invalidation, jti claim
OAuth 2.0 and Social Login
Understand the OAuth 2.0 authorization code flow and add Google and GitHub login to an Express app using Passport.js.
How OAuth 2.0 authorization code flow works
OAuth 2.0 roles, authorization server, resource server, client, authorization code, access token, redirect URI, state parameter, PKCE
Setting up Google OAuth with Passport.js
passport-google-oauth20, Google Cloud Console setup, client ID, client secret, callback URL, GoogleStrategy configuration, serializeUser, deserializeUser
How to link social accounts to existing users
account linking, email matching, multiple providers, googleId vs githubId columns, merging accounts, preventing duplicate accounts, conflict resolution
Adding GitHub OAuth login to an Express app
passport-github2, GitHub OAuth App setup, GitHub profile structure, scope parameter, public vs private email, handling users with no public email
OAuth callback routes and session handling with Passport
passport.authenticate, failureRedirect, successRedirect, custom callback, req.login, req.logout, req.isAuthenticated, route protection with passport
Security Hardening
Apply production-grade defenses including rate limiting, CSRF protection, input validation, and security headers so your auth system resists real-world attacks.
How to add rate limiting to login endpoints
express-rate-limit, sliding window, brute force prevention, per-IP limiting, per-username limiting, lockout vs slowdown, 429 status code
CSRF protection for cookie-based auth
CSRF attack mechanics, synchronizer token pattern, csrf package, double-submit cookie pattern, SameSite cookie attribute, when CSRF applies
Input validation and sanitization for auth routes
express-validator, email validation, password complexity rules, input sanitization, SQL injection via auth fields, error message consistency, reject unknown fields
Setting security headers with Helmet.js
Helmet.js, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy, Permissions-Policy, security header defaults
How to implement email verification for new accounts
email verification flow, verification token generation, crypto.randomBytes, token expiry, database schema, resend verification, preventing login before verification
Password Reset and MFA
Implement a secure forgot-password reset flow and add TOTP-based two-factor authentication to protect accounts against credential theft.
How to build a secure password reset flow
password reset token generation, token storage and expiry, reset email, constant-time comparison, token invalidation after use, account enumeration prevention
What is TOTP and how two-factor authentication works
TOTP definition, HMAC-based OTP, time-step, shared secret, authenticator apps, QR code provisioning, backup codes, MFA vs 2FA
How to set up TOTP in Node.js with speakeasy
speakeasy package, secret generation, QR code generation, TOTP verification, window parameter, enabling MFA on user record, step-by-step setup flow
How to enforce MFA during the login flow
two-step login, partial authentication state, MFA challenge step, session state machine, MFA bypass risks, remember device token
How to use backup codes for MFA account recovery
backup code generation, hashing backup codes, one-time use enforcement, backup code redemption endpoint, code regeneration, user education
