0 to Auth in an Hour Using NodeJS SDK


Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool.


We will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and one-time passwords sent by email, including:

- User authentication - Managing user interactions, returning session / refresh JWTs

- Session management and validation - Storing the session for subsequent client requests, validating / refreshing sessions


At the end of the workshop, we will also touch on another approach to code authentication using frontend Descope Flows (drag-and-drop workflows), while keeping only session validation in the backend. With this, we will also show how easy it is to enable biometrics and other passwordless authentication methods.


Table of contents

- A quick intro to core authentication concepts

- Coding

- Why passwordless matters


Prerequisites

- IDE of your choice

- Node 18 or higher

This workshop was presented at Node Congress 2023; check out the latest edition of this JavaScript conference.

FAQ

Descope is an authentication platform designed to help developers add secure authentication methods to their applications.

The workshop led by Asaf will focus on adding passwordless authentication to a standard Node application. It includes an overview of basic authentication concepts, the integration of an authentication layer into an existing application, and practical coding sessions.

Participants are expected to have a basic understanding of Node and the Express framework, a GitHub account, an IDE of choice, and Node version 18 or higher.

Passwordless authentication is a security approach that does not require users to enter a password. Instead, it uses alternative methods such as biometrics, magic links, or one-time passwords to verify user identity.

Session management can be handled through server-side sessions, where the server stores the session data and hands the client only an opaque session ID, or through client-side tokens such as JSON Web Tokens (JWTs), which carry signed claims about the authenticated user (not the user's credentials) and are validated by the server on each request by checking the signature and expiry.

Asaf discusses three primary types of authentication factors: something you know (like a password), something you have (such as a mobile device), and something you are (like a fingerprint or facial recognition).

JWT, or JSON Web Token, is a compact, URL-safe means of representing claims to be transferred between two parties. In authentication, JWTs are used to securely transmit information about an authenticated party and are signed for integrity verification.

Refresh tokens are used to maintain a user's authenticated state without requiring them to log in repeatedly. When a short-lived access token expires, the client presents the refresh token to obtain a new access token. Because a refresh token is long-lived, it should be stored securely, used only once (rotated on each refresh), and revocable on the server so that a leaked token can be invalidated.

Participants will gain a better understanding of authentication workflows, learn to add authentication layers to Node applications, and handle both passwordless and traditional authentication methods.

Asaf Shen
63 min
10 Apr, 2023


Video Summary and Transcription

This Workshop focuses on adding passwordless authentication to a node application, covering basic authentication concepts and the importance of authentication for application security. It explores session management using server-side sessions and client-side tokens like JWTs. The Workshop demonstrates the implementation of various authentication methods, including one-time password and OAuth. It also discusses the validation and refreshing of session tokens, as well as the customization of authentication methods and the storage of public keys for multiple instances.

1. Introduction to Authentication Workshop

Short description:

In this workshop, we will be adding passwordless authentication to a standard node application. We will cover basic authentication concepts, the importance of authentication for application security, and how to incorporate authentication into a node application. By the end of the workshop, you will have a better understanding of the authentication workflow and be able to add authentication to your own applications.

Let me start by introducing myself. My name is Asaf. I'm a software engineer at Descope. Descope is an authentication platform that helps all developers facilitate authentication in a secure manner.

In this workshop, we are going to add passwordless authentication to a standard Node application. We are going to start by overviewing some basic authentication concepts and go over the flows that we are going to add. This is the background knowledge that we need to acquire in order to incorporate the authentication properly. This will probably take about 15 minutes, and in the rest of the time we are going to take an existing application and add the authentication layer to it.

If you ask what's in it for me in this workshop: I believe that by the end of the workshop, you will have a better understanding of the authentication workflow. This is something that may seem a bit intimidating at the start, but I think it's quite simple if you go over it well. And maybe more importantly, I think you will be able to take a standard application and add authentication on top of it. If you have any Node application, you can take it and add authentication in a few steps.

Like I said before, we start with the core concepts and afterwards we are going to do the coding, and I'll give more information about that later. Hello to the person who wrote in the chat. I'm very excited as well. I'm going to assume that you have a basic understanding of Node and the Express framework. The application is written in TypeScript, so if you know JavaScript, I think it's enough. We don't heavily use TypeScript, but the Node application will be written in TypeScript. Also, just to prepare for the coding session, if you want to do it on your own, you should have a GitHub account, any IDE that you choose to code in, and Node version 18 or higher. So this is up to you; of course, I'm going to do it here, so this is optional.

Let's start by covering the very basic concepts. So, what is authentication? The way I see it, the authentication process is basically verifying someone's identity. The internet is a very distributed place, so if someone on another machine says that they are someone, whether it's a user or a system or a device, they basically have to prove it before they can access the application, a specific resource on the application, or the system. This is a very, very essential aspect of application security. We use the authentication layer basically to protect our system from unauthorized access, and this is something that is super important in the digital age. There are so many data breaches and identity thefts in the world. Doing proper authentication is crucial for your application security.

2. Authentication Importance and Factors

Short description:

We will discuss the importance of investing in secure applications and the different authentication factors, such as something you know, something you have, and something you are. Additionally, we will explore new factors like geographic and behavioral factors. After verifying the proof and identity, the application grants the user access through a session or token.

And we hear more and more about incidents of unauthorized access. And if we want to write a secure application, we should invest in it. Just as a side note, we have a really good learning center with a lot of graphical assets there. I sometimes go back there and refresh my memory. And there is a link in the presentation which is also going to be shown.

So what are we going to build? This is more related to the flows that we want to add. If we break down the steps of authentication, we can basically break it down into two major steps. The first step is when the user wants to access the resource or the application for the first time; they should authenticate. So usually it starts with a user who wants to access the resource. They submit some kind of request to access it. The user usually provides their identity. This can be an email, a username, a mobile number, a social security ID or whatever; this is very application specific. And a proof is basically something with which you prove who you are.

There are a few authentication proof factors; usually they call them factors. An authentication factor is basically based on something you know, for example a password or maybe a security question. By the way, a quick tip on security questions: if you care about security, don't answer with the real information, because usually this is information that is very simple to get, like your pet's name, etc. Another authentication factor is something you have; a very common example of this is a mobile device. So if I send you an SMS with a code, and then you give the code back to me, this is basically proof that you have the mobile device. And also something you are, or inherence. This is a relatively new factor of biometric information, either with a fingerprint or face recognition. I also heard about solutions that scan your retina and things like this. Did someone have an idea or hear about more authentication factors other than the three that we mentioned? Something you know, something you have, something you are?

So, just to share from our experience, there are somewhat new factors, such as a geographic factor. So basically, if you log in from a certain geographic location, this is something that usually makes you either suspicious or not suspicious. You may have heard about the impossible traveler scenario, where the same user accesses the same application from two locations when a person cannot change location in that amount of time. And another one is a behavioral factor. Basically, if you behave in a way that does not suit you, like you access resources that you are not used to accessing, or the rate at which you access them, this is another factor. So basically, after the application gets the proof and the identity, it verifies them, basically checks that they match. And then the application grants the user access. This access is usually granted in the form of a session or a token.

QnA