I’m creating a MERN full stack app and trying to get my head around authorization and authentication. If I was just to include authentication on the login page (i.e. a function that checks if the user and password provided matches that of the database) and then allow the user access to all of their information (let’s say blog posts) and all of CRUD operations, could somebody give me a hypothetical example of how a hacker could access or perform some of these operations without authorization being imposed?
2 Answers
After having successfully authenticated the first request (POST /login, say), how do you plan to authenticate the subsequent CRUD requests (GET /myaccountbalance, say)? You write "then allow the user access to all …", but how do you plan to do that?

A well-established mechanism is to establish a session for the user on the server after login and send a session cookie back to the browser, which will then include that session cookie in all subsequent requests. Your server need only validate that a session exists before executing a CRUD request. The cookie thus acts like a session-specific password, and hackers definitively cannot obtain it via cross-site scripting if the cookie is httpOnly. But perhaps you knew that already.
Session handling in express is easy with express-session.

Here are some examples, not all of which are completely preventable:

If you weren’t using MongoDB, SQL injections would also be a thing to consider.