Difference Between Bearer Token and Basic Authentication

What is Authentication?

Authentication is the process of verifying the identity of a user or system. It ensures that the entity requesting access is who or what it claims to be. This process is critical in securing systems and data from unauthorized access.

Types of Authentication:

  • Password-based Authentication
  • Two-Factor Authentication (2FA)
  • Multi-Factor Authentication (MFA)
  • Biometric Authentication
  • Token-based Authentication


What is Basic Authentication?

Basic Authentication is a simple authentication scheme built into the HTTP protocol (RFC 7617). With each request the client sends an Authorization header containing a base64-encoded username:password pair. It is straightforward and easy to implement but has real security limitations, because the password itself travels with every request.

How to use it?

It is used to secure web applications and APIs by requiring a username and password to access certain resources.

  • Server Challenge: When a client tries to access a protected resource without credentials, the server responds with a 401 Unauthorized status code and a WWW-Authenticate: Basic realm="..." header indicating that Basic Authentication is required.
  • Client Request: The client joins the username and password with a colon, base64-encodes the result, and resends the request with the header Authorization: Basic <encoded>. Base64 is an encoding, not encryption, so this exchange must only happen over HTTPS.
  • Server Validation: The server decodes the base64 string to retrieve the username and password, then validates these credentials against its user database. If the credentials are correct, the server grants access to the resource; if not, it returns 401 Unauthorized again, with the same WWW-Authenticate challenge.

Syntax

const express = require('express');
const crypto = require('crypto');
const app = express();

// Demo credentials. A real server compares against a stored, salted password hash.
const EXPECTED_USER = 'user';
const EXPECTED_PASS = 'pass';

// Constant-time comparison so the response time does not reveal how much of the
// password was correct.
function safeEqual(a, b) {
    const x = Buffer.from(String(a), 'utf8');
    const y = Buffer.from(String(b), 'utf8');
    return x.length === y.length && crypto.timingSafeEqual(x, y);
}

function challenge(res) {
    // RFC 7617: the charset parameter tells the client to encode credentials as UTF-8.
    res.setHeader('WWW-Authenticate', 'Basic realm="example", charset="UTF-8"');
    return res.sendStatus(401);
}

app.use((req, res, next) => {
    const authHeader = req.headers['authorization'] || '';
    const [scheme, encoded] = authHeader.split(' ');
    // Reject a missing header and any scheme other than Basic (e.g. Bearer).
    if (!encoded || scheme.toLowerCase() !== 'basic') {
        return challenge(res);
    }

    const credentials = Buffer.from(encoded, 'base64').toString('utf8');
    // Split on the first colon only: user-ids cannot contain ':', but passwords can.
    const sep = credentials.indexOf(':');
    if (sep === -1) {
        return challenge(res);
    }
    const username = credentials.slice(0, sep);
    const password = credentials.slice(sep + 1);

    // Evaluate both comparisons so a wrong username does not return measurably faster.
    const userOk = safeEqual(username, EXPECTED_USER);
    const passOk = safeEqual(password, EXPECTED_PASS);
    if (userOk && passOk) {
        req.user = username;
        return next();
    }
    return challenge(res);
});

app.get('/', (req, res) => {
    res.send(`Hello, authenticated user ${req.user}!`);
});

app.listen(3000, () => {
    console.log('Server running on port 3000');
});

Advantages of Basic Authentication

  • Easy to implement and use.
  • Requires minimal configuration and setup.
  • Supported by most HTTP clients and servers.
  • Does not require cookies or session identifiers.

Disadvantages of Basic Authentication

  • Transmits credentials base64-encoded, which is an encoding rather than encryption: anyone who sees the header recovers the password with a single decode.
  • Highly vulnerable to interception if used over HTTP instead of HTTPS.
  • The password must be sent with every request, so it is exposed to every proxy, log and cache on the path.
  • Limited to username and password authentication; there is no built-in expiry, scoping or revocation short of changing the password.

What is Bearer Token?

A Bearer Token is a type of access token that is used to authenticate users and authorize access to resources in web applications and APIs. Its use in HTTP is specified by RFC 6750 as part of the OAuth 2.0 authorization framework, which is widely used in modern web and mobile applications. The token is called a "bearer" token because it grants access to the bearer: whoever holds the token can access the associated resources, with no further proof of identity required.

How to use it?

Using a Bearer token typically involves a few steps, especially in web applications where it is the usual way to authenticate API calls.

  • Obtain a Bearer Token: Before you can use a Bearer token, you need to obtain one from an authorization server. This usually involves an initial authentication step in which the user or client application presents credentials (a username/password, a client secret, or another grant) and receives a token with a limited lifetime and scope in return.
  • Attach the Token: Put the token in the Authorization header of each API request using the Bearer scheme: Authorization: Bearer <token>. Send it only over HTTPS, because anyone who captures the header can replay it.
  • Send the Request: With the Authorization header set, send your HTTP request (GET, POST, etc.) to the API endpoint you want to access.
  • Server Validation: The server extracts the Bearer token from the Authorization header and validates it: the signature (or a lookup, for opaque tokens) proves it is legitimate, the expiry time shows it is still valid, and the token's scope determines which resources it may access. A missing or invalid token is answered with 401 and a WWW-Authenticate: Bearer challenge; a valid token that lacks the required scope is answered with 403.

Syntax

const url = 'https://api.example.com/data';
const token = 'your_bearer_token'; // obtained earlier from the authorization server

fetch(url, {
    headers: {
        'Authorization': `Bearer ${token}`
    }
})
    .then(response => {
        if (response.status === 401) {
            // Token missing, expired or invalid: obtain a fresh one before retrying.
            throw new Error('Unauthorized: bearer token rejected');
        }
        if (!response.ok) {
            throw new Error(`Request failed with status ${response.status}`);
        }
        return response.json();
    })
    .then(data => {
        console.log('Data received:', data);
    })
    .catch(error => {
        console.error('Error fetching data:', error);
    });

Advantages of Bearer Token

  • Signed, self-contained tokens can be validated without a server-side session lookup, which reduces server-side storage requirements and improves scalability.
  • Bearer tokens can be used across different domains and services, making them versatile for distributed systems and microservices architectures.
  • Tokens can be scoped to provide limited access to specific resources or actions, enhancing security by minimizing exposure of sensitive data.
  • Access can be cut off without changing the user's password: short lifetimes bound the exposure, and the authentication server can revoke a token by its id. Note that a signed token cannot be "un-signed", so revocation before expiry relies on a revocation list or an introspection endpoint that resource servers consult.

Disadvantages of Bearer Token

  • Bearer tokens, if intercepted or leaked, grant access to whoever holds them until expiration, which is why they must be transmitted only over TLS and handled carefully.
  • Clients must store tokens securely: localStorage, and cookies set without the HttpOnly flag, are readable by any script running in the page, so an XSS bug leaks the token.
  • Managing token expiration and refreshing tokens without disrupting user sessions adds complexity to implementation.
  • Bearer tokens can be large, especially self-contained formats like JWT that carry signed claims, which affects bandwidth and storage.

Difference between Bearer Token and Basic Authentication

Feature                | Bearer Token                                                        | Basic Authentication
-----------------------|---------------------------------------------------------------------|-------------------------------------------------------------------
Authentication method  | Token-based (Authorization: Bearer <token>)                         | Base64-encoded username:password (Authorization: Basic <encoded>)
Security level         | Stronger: tokens are signed (optionally encrypted), short-lived and scoped | Weaker: the password itself is sent with every request
Usage                  | OAuth 2.0 (RFC 6750) and modern APIs                                | Simple HTTP authentication (RFC 7617)
Credential exposure    | Credentials are sent once, to obtain the token                      | Credentials are sent with every request
Session handling       | Stateless; no session state needed on the server                    | Stateless, but every request carries the password
Expiry                 | Tokens expire and can be refreshed or revoked                       | Credentials never expire on their own; only a password change cuts off access
Implementation         | Requires token issuance and validation mechanisms                   | Simple to implement with standard HTTP headers
Storage                | Tokens held in memory or secure client storage                      | Client must keep the password; server stores a salted password hash
Use case               | Preferred for RESTful APIs, mobile apps and higher-security services | Suitable for simple, low-security scenarios, and only over HTTPS

FAQs

What is the purpose of a Bearer Token?

A Bearer Token lets a client prove that it has been authorized without presenting the user's long-lived credentials on every request. The token is signed (and may additionally be encrypted), carries an expiration time, and can be scoped to a subset of the API.

Who typically uses Basic Authentication?

Basic Authentication is used in simple HTTP authentication scenarios where ease of setup matters more than fine-grained access control, and where HTTPS protects the credentials in transit.

What are the types of Bearer Token implementations?

Types of Bearer Token implementations are:

  • JWT (JSON Web Tokens): self-contained tokens whose claims are signed (JWS) or encrypted (JWE), so a resource server can validate them without a lookup.
  • Opaque or custom tokens: random strings that carry no meaning on their own; the resource server validates them by looking them up or by asking the authorization server (token introspection).

When is Basic Authentication suitable?

Basic Authentication is suitable for simple, low-security scenarios where quick and easy implementation is required, and only when the connection is protected by HTTPS.




Referred: https://www.geeksforgeeks.org

