
Node week 3 - authentication#277

Open
magdazelena wants to merge 11 commits intomainfrom
276/node-week-3

Conversation

@magdazelena
Contributor

Closes #276

Initial materials for the node week 3 focusing on authentication of APIs. There is still a bunch of todos and everything needs to be reviewed, also by me, as I used an agent to write examples according to my scenarios. There is also a bunch of references to material from week 1 and 2 which is going to be worked on in a separate PR. For detailed information please read the issue linked.


### Exercise (15–20 min)

- Add a `users` table to the Snippets DB and seed at least one user with a hashed password.

Since we are adding users, should we also focus on distinction of authentication and authorization to show that you can log in with one user and not receive information about the other?

Contributor Author

very good point, I'll think if that should go into additional reading or scope of the session

Contributor Author

I added that into preparation as well as assignment. I reckon there won't be enough time during the session to discuss that in detail.


### Lecture & live coding (≈10 min)

- Concept: why plaintext passwords are insecure.

Should we mention rules for creating strong passwords? Even if the password is hashed, it still can be cracked with rainbow tables, so maybe it is worth demonstrating why writing "admin" is a bad idea. Perhaps we can show it with a small brute-force script that uses rockyou.txt as an example.

Contributor Author

yesss we had something like that in uni, it's really fun. Also benchmarks for breaking encryption, I vaguely remember but there was something on how much time it adds to break encryption based on length and complexity etc.

Would you mind looking into some resource for any of that (or both)?

### Lecture & live coding (≈10 min)

- Concept: why plaintext passwords are insecure.
- Introduce hashing and salting with bcrypt.

Should we mention different types of hashing and what hashing function is, or it would be a bit too overwhelming?

Contributor Author

There is a slot for that in prep, I would perhaps add that in there? Do you have any recommendation for reading materials here or maybe a youtube video? I think it's a good thing to know, but I can imagine that in the session it explodes into 30 min of questions :D

### Lecture & live coding (≈10 min)

- Concept: server-side sessions, session IDs in cookies, and typical use cases.
- Contrast with JWT: stateful vs stateless, revocation, and infrastructure needs.

Should we probably move session-based before JWT? And also, should we consider showing usage of third-party as a final implementation? (like Firebase or Supabase), showing that we can mitigate so much overhead listed in this module, as they also provide internal hashing, MFAs, 2-factors etc.

Contributor

Regarding third party auth services, we discussed this a lot recently since we are planning projects in all the courses and considering what trainees could/should use.

Currently, in the project we plan for them to do over the same time as this module, they will be implementing auth themselves. We haven't decided yet, but maybe in their final project (at the end of this course) they have the opportunity to use third party services (we have spoken specifically about firebase).

I think it could be a good idea here to introduce the concept of third party auth services, so they know it is possible and exists and what they help with, but I would say very lightly. More so they recognise e.g. what firebase is and does for them on a surface level, and something they can go practice/learn more about themselves.

That's my current take, but open to other ideas.

Contributor Author

I added a section for explaining this, but without exercises

- JWT-based stateless auth.
- Session-based auth.
- Introduce **database-stored tokens**:
- Tokens stored in a `tokens` table, lookup on each request.

If we will be storing tokens in the DB, should we show that they also should be stored in a specific format? Maybe it would be a cool opportunity to show that even tokens should be treated carefully by storing them in simple base64 and performing a token forgery to bypass the route for a specific user (then it will also demonstrate why JWT signed tokens are better format-wise and how 3rd party reduces additional overhead)

Contributor Author

I'm not sure there will be time for this unless you have something specific in mind. Alternatively we can have maybe a resource linked? They will practice db stored tokens in assignment as there will be no time during the session.

### Final wrap-up

- Reiterate best practices:
- Always use HTTPS. //TODO: WHY and how it's connected

Do we explain how https is formed in any of the weeks? Do we need to show that there is a certificate signing going on, or do we simply show that TLS-encrypted traffic is good?

Contributor

We touch on https in foundation:
Preparation under "HTTP and everything you need to know about it"
and in the session plan "HTTPS listen, handle request"

Contributor Author

I linked that module and link in the preparation for the session

@magdazelena
Contributor Author

@adamblanchard @YurijPaharev @saloumeh-67

Session plan

I went through the session plan again and I reckon we could leave it in its current state, meaning:

  • basic password auth - strong focus here, adding section on password breaking by @YurijPaharev
  • JWT - strong focus here
  • session - quicker to explain, it works out of the box (basically) - adding section on token forgery by @YurijPaharev for strong finish
  • Third-party (explained)
  • Database token and API keys briefly explained
  • Comparison and IRL-examples discussion

Prep

Extending the preparation section with readings:

  • hashing
  • encrypting
  • cookies/sessions shenanigans
  • jwt in detail
  • https reminder
  • auth vs authorisation

Assignment

Extending the assignment with:

  • database token authentication - opportunity here to add stuff around token storage and security if you have good ideas @YurijPaharev
  • API key auth
  • authorisation - yes, they have to "figure it out" but that is good

Final notes

It is a tough balance between security shenanigans and a plethora of options. In my opinion we need to cover plenty of options in preparation for the job market (and job interviews - for example the assignment's last exercise). At the same time I agree it is good to show consequences of "bad security" with a bang like Yurii suggests. It will also serve as a good cold water bucket, but I wouldn't go too deep during the session, but leave as much resources here as possible. As we talked about, I'd leave it to the mentor running the session to choose the balance they feel comfortable with in terms of going into details, but the general learning goals I'd leave as is to cover as much ground as possible and let the trainees explore on their own after.

@magdazelena magdazelena marked this pull request as ready for review March 9, 2026 18:00
@magdazelena magdazelena requested a review from a team as a code owner March 9, 2026 18:00