There are several ways to create an authentication layer in web applications but we are going to be focusing today in Token Based Authentication because of several reasons:
In plain English authentication means being able to identify who is making requests to your API; You normally implement an authentication layer in your application because you want:
To explain in detail "Token Based API Authentication" it's better to start explaining about tokens.
In a broad way a token is a "number that proves something", for example: When you finish making a bank transfer, the bank sends a confirmation "token" serves as proof to validate that the transaction exists and it's valid. That confirmation number could be also called a confirmation token
.
Other examples for every-day tokens:
Tokens used for authentication need to be more that normal just numbers, they need to be almost impossible to fake, predict or break.
There are several types of tokens you can use for your Autentication system like Basic, Bearer, or JWT. Most of them use Advance cryptography algorithms that we are not going to address in this lesson (you can watch this amazing video to learn more). Instead, we are going to talk about hashing.
A hash is a unique alphanumeric number that gets generated from a specific seed or value, for example:
With Python
1import hash_function 2 3value = "alex" 4unique_hash = hash_function(value)
Explanation: the function hash_function
will always return the exact same unique_hash
if the same value is given, take a look at this demonstration, start typing on the input:
With Javascript
1const jwt = require('jsonwebtoken'); 2 3 4const payload = { 5 user_email:'hola@4geeks.co', 6 rol: 'admin' 7} 8const unique_hash = jwt.sign(payload, 9'secret-key', 10{ 11 expiresIn: '1000' 12});
Explanation: the function jwt.sign
will always return the exact same unique_hash
if the same value is given, take a look at this demonstration, start typing on the input:
Note: There are several popular hashing functions: MD5, Sha1, Sha256, Sha256, etc.
Hashing functions have become the best way to generate tokens in the security world because:
Note: Every bitcoin wallet address has unique a hash, every commit you do in github has a unique hash, etc.
The most simple way to implement autentication in your database and API:
User
table/model that represents every user inside your application.POST /token
that generates a token only if it receives an email and password that maches in the database.POST /token
endpoint will return the token to the front-end if everything is ok.The moment you generate the token you can decide if you want it to expire, same way web sessions expire when you log in into your online bank account.
When a client successfully authenticates it will receive that unique token and it will be able to attached to the request headers of every request it makes from that moment on, that token will be the "User session".
It is recomended to save that token in the cookies or localStorage of your front-end application.
1let myToken = "aDSA45F$%!sd&sdfSDFSDFytrefERF"; 2localStorage.setItem("token", myToken); 3 4 5//You can retrieve the token any moment, anywhere in your application by using: 6let myToken = localStorage.getItem("token);
If you are doing a request from the Front-End this will be an ideal way to attach the token to your Authorization headers:
1let myToken = localStorage.getItem("token); 2fetch('https://myApi.com/path/to/endpoint', { 3 method: "POST", //or any other method, 4 headers: { 5 "Authorization": myToken, // ⬅⬅⬅ authorization header 6 }, 7 body: JSON.stringify(body) 8}) 9 .then(resp => resp.json()) 10 .then(data => console.log("Success!!", data)) 11 .catch(error => console.log(error)); 12
I strongly recomend using Flask JWT Extended.
Generate tokens with Node JSONWebToken. Also use Express JWT to enfore the private endpoints Express JWT.