
Authentication Explained

Ash Mishra edited this page Nov 27, 2017 · 2 revisions

This document explains the current User authentication and authorization system.

Definitions

Authentication is the act of logging a user in.

Authorization is the act of verifying the access rights of a user to interact with a resource.

High level Authentication Picture:

  1. In the current model, when the user wants to log in via a client (the browser), they enter their username and password and click log in.
  2. On submit, the client makes a POST request to the /api/authenticate route with the username and the password as the payload.
  3. The server receives this payload and first checks whether the username exists in the DB and whether the password matches the hashed password stored in the DB.
  4. If it does, the server creates an authentication token (JWT) using a secret key that only the server knows.
  5. The server then returns this JWT with a 200 success status code to the client.
  6. After that, for each subsequent request to a route restricted to registered users, the client needs to send that JWT to the server along with the request.
  7. The server verifies the JWT with its secret key and, if it is valid, proceeds with the request; otherwise it rejects the request.

Below is a high level diagram of the entire process:

High level process diagram
