JavaScript Authentication & Authorization Book/Course

Authentication in Real-World Web Apps with JavaScript

Outline of ideas, concepts to cover, potential projects to write.

Setup Idea

  • Book with a video for each chapter.

Prerequisites/Overview

  • HTML, CSS, JavaScript
  • Front end/client side (Browser)
  • Back end/server side (Node)
  • REST APIs
  • HTTP codes

Concepts

  • Authorization (AuthZ)
  • Authentication (AuthN)
  • Cryptography
  • Headers
  • Sessions
  • JSON Web Tokens (JWT)
  • Identity Provider (IDP)
  • Cross-origin resource sharing (CORS)
  • Single sign on (SSO)
  • Multi-factor authentication (MFA)

Vulnerabilities

  • Leaking sensitive data
  • Storing unencrypted passwords
  • Cross-site request forgery (CSRF/XSRF)
  • Cross-site scripting (XSS)

Persistence

  • Cookies
    • HTTP Only/Secure/SameSite
  • Web Storage
    • Local Storage
    • Session Storage

Specifications/Protocols/Terms/Standards

  • OAuth 2.0
    • Client-side app
      • Proof Key for Code Exchange (PKCE)
      • Implicit grant
    • Server-side app
      • Authorization Code Flow (Authorization Code grant)
  • OpenID Connect (OIDC)
  • System for Cross-domain Identity Management (SCIM)
  • Role-based access control (RBAC)

Project

  • Create a full-stack application
    • Simple front end
    • Node/Express back end
    • Implements sign up, log in, log out, reset password
    • Login 1: Custom username/password login
    • Login 2: OAuth 2.0/OIDC with Google/Twitter/GitHub as the SSO IDP (Google OIDC, Google OAuth 2.0)
    • Ability to associate SSO to an existing user
    • Different roles (admin, user, maybe one more)

Topics to Cover

  • When to use different strategies (for example, PKCE in a client-side-only app, session cookies for a back end and front end on the same subdomain, etc.).
@stephencweiss stephencweiss commented Jun 9, 2020

Initial reaction is that I love the concepts section, but I've seen / read about almost all of those, and where I struggle is with strategy.

I'm kind of envisioning the concepts are the component pieces, but I'd like to see a section that ties them together and specifically addresses why someone might use them in different ways. What are the trade offs that developers need to consider when taking one approach vs another?

Basically - is there a place where you could walk through a few different, contrasting strategies and identify why someone might choose that approach? What would they be getting? What would they be giving up?

If that's already included - yay 🎉 !

@maheshinder19 maheshinder19 commented Jun 9, 2020

Awesome. All the best. Looking forward to giving it a read soon!

@MarcinHoppe MarcinHoppe commented Jun 10, 2020

I'd add a few things, listed by category:

Concepts

  • Basics of cryptography needed to explain password hashing (will be useful later when implementing username/password login)
  • Perhaps obvious, but logging the user out is missing
  • Session management for events such as password reset, account recovery, etc.
  • Multifactor authentication would probably be good to mention

Vulnerabilities

  • Leaking sensitive data like tokens, passwords, etc.

Protocols

  • Maybe just mention SAML. It is still the protocol in the enterprise space.

Project

  • Username/login option should include signup and password reset. It is often done poorly and leads to security vulnerabilities. I think there is value in explaining how to do it correctly.
@Alinko0 Alinko0 commented Jun 10, 2020

Wow, looking forward to reading them soon.

@creative-cranels creative-cranels commented Jun 11, 2020

Awesome! Looking forward to reading it (: good luck!!!
https://aaronparecki.com/oauth-2-simplified/
This article made it easier for me to understand OAuth2.

@JamesOkunlade JamesOkunlade commented Jun 11, 2020

Really looking forward to this.
