Authentication and authorization flow
Authentication and authorization are usually challenging topics. Based on use cases, specific strategies may or may not be feasible. For this project, we will implement the authentication layer via JSON Web Tokens, commonly known as JWTs.
JWT
This is a widely used standard for token-based authentication for web and mobile applications. It is an open standard that allows information to be transmitted securely between the client and the server. Every token has three parts. First, the header contains information about the type of token and the cryptographic algorithms used to sign and encrypt the token. Then, the payload includes any metadata about the user. Finally, the signature is used to verify the token’s authenticity and ensure it has not been tampered with.
Before looking at the implementation in Fastify, let’s briefly explore how this authentication works. First, the API needs to expose an endpoint for the registration. This route will enable users to create new accounts on the service. After the account is created correctly, the user can perform authenticated operations against the server. We can break them down into seven steps:
- To initiate the authentication process, the user provides their username and password to the server via a specific endpoint.
- The server verifies the credentials and, if valid, creates a JWT containing the user’s metadata using the shared secret.
- The server returns the token to the client.
- The client stores the JWT in a secure location. Inside the browser, it is usually local storage or a cookie.
- On subsequent requests to the server, the client sends the JWT in the Authorization header of each HTTP request.
- The server verifies the token by checking the signature, and if the signature is valid, it extracts the user’s metadata from the payload.
- The server uses the user ID to look up the user in the database.
From here on, the request is handled by the authorization layer. First, it must check whether the current user has the necessary permissions to perform the action or access the specified resource. Then, based on the result of that check, the server can answer with the resource or an HTTP Unauthorized error. There are many standardized ways of implementing authorization. In this book, we will implement our own simple solution from scratch for exposition purposes.
Authentication versus authorization
Even if these terms are often used together, they express two completely different concepts. Authentication describes who is allowed to access the service. On the other hand, authorization defines what actions can be performed by the user once authenticated.
The authorization and authentication layers are crucial to building secure web applications. Controlling access to resources helps to prevent unauthorized access and protect sensitive data from potential attacks or breaches.
In the next section, we will start from where we left the code in Chapter 7, implementing a new application-level plugin for authentication.