Overview
Authentication is the process of verifying the identity of a user or system. This guide covers common strategies, best practices, and code snippets to help you implement secure authentication in your applications.
JSON Web Tokens (JWT)
JWTs are compact, URL-safe tokens that carry a set of claims and a signature over them. They are often used for stateless authentication.
const jwt = require('jsonwebtoken');

// Sign the payload with the shared secret; the token expires one hour after it is issued.
function generateToken(payload) {
  return jwt.sign(payload, process.env.JWT_SECRET, { algorithm: 'HS256', expiresIn: '1h' });
}

// Verify signature and expiry. Pinning the accepted algorithms means a token that declares a
// different "alg" in its header (for example "none") is rejected instead of trusted.
// Returns the decoded claims, or null if the token is invalid or expired.
function verifyToken(token) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
  } catch (e) {
    return null;
  }
}
OAuth2 Authorization Code Flow
The Authorization Code Grant is the most common OAuth2 flow for web apps.
// Step 1: send the user to the authorization server (scope values are space-separated, so the space is percent-encoded):
GET /authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=openid%20profile%20email

// Step 2: after the user consents, the authorization server redirects back with a one-time code:
GET /callback?code=AUTHORIZATION_CODE

// Step 3: the app exchanges the code for tokens (form-encoded POST body, sent server to server):
POST /token
  grant_type=authorization_code
  code=AUTHORIZATION_CODE
  redirect_uri=YOUR_REDIRECT_URI
  client_id=YOUR_CLIENT_ID
  client_secret=YOUR_CLIENT_SECRET
Code Examples
Below is a simple login form with client-side validation. The form demonstrates how to submit credentials to a mock endpoint.
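The form markup itself is not reproduced here. As an added example (not the guide's form), the logic behind such a form is shown as plain functions so it runs outside a browser: `validateCredentials` is the client-side validation and `submitLogin` posts the credentials to a mock endpoint. The endpoint path `/api/login`, the minimum password length and the fetch stub used in tests are assumptions, not values from the page. Client-side validation only improves the user experience; the server must re-validate every field, because anything the browser checks can be bypassed.

```javascript
// Added example: client-side validation and submission for a login form, as testable functions.
const LOGIN_ENDPOINT = '/api/login'; // hypothetical mock endpoint

// Returns a list of human-readable problems; an empty list means the form may be submitted.
function validateCredentials({ username = '', password = '' }) {
  const errors = [];
  const user = username.trim();
  if (user.length === 0) errors.push('username is required');
  else if (user.length > 254) errors.push('username is too long');
  // Assumed policy: a minimum length only. No composition rules, and no low upper bound that
  // would block long passphrases.
  if (password.length < 12) errors.push('password must be at least 12 characters');
  return errors;
}

// Posts the credentials. fetchImpl defaults to the browser's fetch; tests pass a stub.
async function submitLogin(credentials, fetchImpl = globalThis.fetch) {
  const errors = validateCredentials(credentials);
  if (errors.length > 0) return { ok: false, errors };
  // Credentials travel in the POST body, never in the query string, which ends up in
  // server logs, proxies and browser history.
  const res = await fetchImpl(LOGIN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
    credentials: 'same-origin', // lets the server set an HttpOnly session cookie in its response
    body: JSON.stringify({ username: credentials.username.trim(), password: credentials.password }),
  });
  // One generic message for any failure, so the form does not reveal which usernames exist.
  if (!res.ok) return { ok: false, errors: ['invalid username or password'] };
  return { ok: true, user: await res.json() };
}

// Wiring in a browser (not executed here):
//   form.addEventListener('submit', async (ev) => {
//     ev.preventDefault();
//     const result = await submitLogin({ username: form.username.value, password: form.password.value });
//     // show result.errors, or continue on result.ok
//   });
```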
FAQs
- Is storing JWT in localStorage safe? Prefer HttpOnly cookies: any script that runs in the page (for example via XSS) can read localStorage, but it cannot read an HttpOnly cookie.
- How often should tokens be rotated? Keep access-token lifetimes short (15–60 minutes) and use refresh tokens to obtain new ones.
- Should I hash passwords? Always store passwords using a strong, slow hashing algorithm such as bcrypt or Argon2, never in plaintext or with a fast general-purpose hash.