Class 08
Resources:
- Basic Auth vs. Bearer Token
- JWT authentication: When and how to use it
- Best practices for managing and storing secrets including API keys and other credentials
- What is encryption? / Types of encryption
- Bearer Authentication
- What Does Secret Key Mean?
- Understanding JWT Authentication with Node.js
Review, Research, and Discussion
- When is Basic Authorization used vs. Bearer Authorization?
- Basic Auth allows you to access the API directly with your credentials: user/password.
- To access the API with a bearer token you will need to make 2 calls: one to get the bearer token, one to get the data.
- A Bearer token is a random string, different every time, used only by the server. It is not saved in a database.
- What does the JSON Web Token package do?
- Verify JSON Web Tokens
- JWTs can be used as an authentication mechanism that does not require a database. The server can avoid using a database because the data stored in the JWT sent to the client is safe.
- What considerations should we make when creating and storing a SECRET?
- Never store unencrypted secrets in .git repositories
- Avoid git add * commands
- Use encryption to store secrets within .git repositories
- Use environment variables
- Default to minimal permission scope for APIs
Vocabulary Terms
- Encryption
- Encryption is the method by which information is converted into secret code that hides the information’s true meaning.
- In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext.
- Token
- Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the website or app that the token has been issued for, rather than having to re-enter credentials each time they go back to the same webpage, app, or any resource protected with that same token.
- Bearer
- Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources.
- Secret
- A secret key is the piece of information or parameter that is used to encrypt and decrypt messages in a symmetric, or secret-key, encryption.
- JSON Web Token
- A JSON Web Token is a standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. The compact size makes the tokens easy to transfer through a URL, POST parameter, or inside an HTTP header. The information in a JWT is digitally signed using a secret or public/private key pair.