Docs

/

Node Express

Chapter 12

12 — Authentication & Authorization

Core Concepts

Authentication — verifying identity ("who are you?")
Authorization — verifying permissions ("what can you do?")
JWT — JSON Web Token (stateless, signed token)
bcrypt — password hashing (slow by design)
Refresh tokens — long-lived token to get new access tokens
Role-Based Access Control (RBAC) — permissions based on user role

JWT Flow

1. Client sends credentials → POST /api/auth/login
2. Server verifies credentials, creates JWT → &#123; accessToken, refreshToken &#125;
3. Client sends JWT in headers → Authorization: Bearer &lt;token&gt;
4. Server verifies JWT on each request → middleware
5. Token expired → POST /api/auth/refresh with refreshToken

11 — REST API Design 13 — Error Handling & Logging