Week 9: Authentication & Authorisation (w/c: 7th March)

[Jbarget]

Topics to cover:

• Authentication v Authorisation?

Authentication

• Different types of authentication (Basic, 2 factor etc.)
• Cookies/Local/session storage (whats the difference?)
• JWTs (what are they, how do you use them?) dwyl tutorial
• bcrypt (storing passwords)

Authorisation

• setting permissions (who can see what, different levels of user - admin, unauth user, auth user)
• setting scope in a request?
• invalidating a session token

[rub1e]

I'm sure you'll be doing this anyway, but just to reiterate - please document as much as possible - even stuff that doesn't end up making it into the workshop, please make sure it isn't thrown away. I only mention it because you said on gitter that there's no resource from FAC6 to reuse for this week - so we must make sure there is one for FAC7+

[Jbarget]

sure thing

[des-des]

Cool I think you have everything covered there. What was the project last time / are we doing the same?

[Jbarget]

since there wasnt an auth week for us there is no last project as a template. The only time i really ventured into authentication was on the chatroom project (username/password + jwts), that theyre doing this week.

We have free reign on making a project

[des-des]

Wasnt github auth week?

[des-des]

Defo a week where we tried (and failed because it was too much work) to do oauth and jwts ...

[hdrdavies]

Yeah Auth week was with Jack McDonald and involved the github API

[Jbarget]

in terms of a project what about something like a website for an address book where you log in and update/delete/add contacts with a stretch goal of implementing sending a message to that contact (message bird api or twillio). That way we can say focus on getting your auth scheme solid and worry about the functionality if you get that far

[Jbarget]

create an account as well, with admin users who can edit anyones address book & normal users who can only edit their own

[des-des]

@Jbarget What auth stuff would be involved. Would you login via third party (oauth/simpleauth) or save user+password (bcrypt + database + signup flow)

[Jbarget]

that would be up to them, ideally 2 groups on each method. whats your thoughts?

[des-des]

Yeah that would be awesome. In the case where you do oauth that adds the options of then using the api of whatever you have oauthed with (ie github for us). There is SO much here. I almost feel it should be two weeks: 1. oauth + apis; 2. saving passwords with bcrypt and managing user accounts ... :(

[Jbarget]

in terms of too much is there a part you think we should focus on? Maybe show that in the form of prioritising the bullet points above...

[des-des]

AP: db persistence of sessions optional

[des-des]

project proposal:

Description:

Authentication

This week you are learning about authentication.

Project as follows:

1. Get some content on your backend (text, image, video, gif / whatever!)
   1. Do oAuth + get content from API
   2. Allow your users to create their own username and passwords and create an account. Do not save unhashed passwords! Generate content however you want!
2. Serve some of the content you have created/retrieved to unauthenticated users but have some that needs authentication to access.

[des-des]

@sohilpandya. Hey did you guys decide to do authentication this week? Obvs would be cool to update me and @Jbarget on this as we are spending time planning next week as confused about what they are doing it this week.

[mantagen]

@/all this looks pretty sweet as a project. To add to @des-des project proposal (albeit not that substantially), we could suggest which services to do oAuth with - github ? google ?

Also, shall we feed them some good practice guides on some of the above? Good guides aren't cheating etc they're just (hopefully) preventing much much wasted time on poorly written / poorly whatever tutorials

[Jbarget]

@mantagen agree on all fronts,

in terms of oAuth how about we suggest 3 APIs to use from these: Github, Google, Linkedin, Facebook, Twitter

the good practice guides would come from doing a bit of rummaging so if we all have a look and see what we come up with in terms of resources and choose the best ones to pass on?

[des-des]

@mantagen yup agreed. This is more a rough statement of intent and obvs needs fleshing out. @Jbarget :+1:

[Jbarget]

thanks hug1: https://www.youtube.com/watch?v=8ZtInClXe1Q

[Jbarget]

monday workshop based on recreating this plugin: https://github.com/dwyl/hapi-auth-github/tree/master/lib

[Jbarget]

(Provisional) Timetable for Auth Week:

Monday: 10 - 11: oAuth flow diagram (client, server, 3rd party) 9 steps producing access token (Authentication) 11 - 1: Live coding oAuth example 2 - 6: Discussion about how to store access token (cookies, jwt, local/session storage)

Tuesday:

Tutorial Day

Tuesday - Thursday:

Projects

Friday:

10:30 - 12: Code Review 12 - 1: Respond to issues 1 - 2: Lunch/write up stop go continue 2 - 2:45: go through stop go continue 2:45 - 3:15: upstairs project 3:15 - 4: Business Development 4 - 6: Project Presentations

[Jbarget]

Tutorial Day Topics

• Authentication v Authorisation?

Authentication

• Different types of authentication (Basic, 2 factor etc.)
• Cookies/Local/session storage (whats the difference?)
• JWTs (what are they, how do you use them?) dwyl tutorial
• bcrypt (storing passwords)

Authorisation

• setting permissions (who can see what, different levels of user - admin, unauth user, auth user)
• setting scope in a request?
• invalidating a session token

[Jbarget]

Project Schpiel (need to flesh out and give more guidance)

No plugins?

Authentication

This week you are learning about authentication.

Project as follows:

1. Get some content on your backend (text, image, video, gif / whatever!)
   1. Do oAuth + get content from API
   2. Allow your users to create their own username and passwords and create an account. Do not save unhashed passwords! Generate content however you want!
2. Serve some of the content you have created/retrieved to unauthenticated users but have some that needs authentication to access.

Stretch goals?

[des-des]

went through github oauth again .. https://github.com/des-des/oauth-example

[tormod17]

@Jbarget This video (9mins) walk through is good you could possibly show the class this first. Once they've watched it once you can elicit the rest of the stages whilst you walk them through it on the board. https://www.youtube.com/watch?v=rw_zSCbzRRA