Authentication
is the process of verifying who a user is.
Authorization
is the process of verifying what they have access to.
Here's an example to illustrate this:
Imagine you have booked a hotel room. When you arrive at check-in you are asked for your driving license to prove who you are - this is authentication.
Once authentication is complete, you are given a key card which gives you entry to your room - this is authorization, as you are being granted access to a resource (in this case your room). You are not authorised to access any other rooms.
In RESTful APIs, a failure to authenticate results in a 401 (Unauthorized) HTTP status code, sent together with a WWW-Authenticate header that tells the client which authentication scheme to use. A failure to authorise - the client is known, but is not permitted to access the resource - results in a 403 (Forbidden) HTTP status code. The names are the opposite of what you might expect: 401 is about authentication, 403 is about authorization.
Which of the following are examples of authentication and which are examples of authorization?
When we create APIs we need to consider how we will secure access to them. One way is to require a username and password before granting access; this is known as Basic Authentication.
Basic authentication is a simple authentication scheme built into the HTTP protocol (it is specified in RFC 7617). The client sends an HTTP request with an Authorization header that contains the word Basic followed by a space and the Base64-encoded string username:password.
Here is an example:
Authorization: Basic ZnJlZC5mbGludHN0b25lQHdoaXRlaGF0Lm9yZy51azpteXBhc3N3MHJk
That long string of letters and numbers after the word "Basic" is a Base64 encoded string. Base64 is an encoding, not encryption: anyone who can read the header can recover the username and password from it. You can encode and decode Base64 strings in your browser console using a pair of functions called btoa (encode a string to Base64) and atob (decode a Base64 string).
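The following is an added example, not part of the lesson: it builds a Basic Authorization header value with btoa and takes one apart again with atob, the way you would in the browser console. The credentials it uses are made up for the example. Note that it splits on the first colon only: a username may not contain a colon, but a password may.

```javascript
// Added example (not from the lesson): encoding and decoding the value of a
// Basic Authorization header with btoa/atob. Runs in a browser console and in Node.

// Encode "username:password" into the value that goes after "Basic ".
// The user-id must not contain a colon, otherwise the receiver cannot split it.
function encodeBasic(username, password) {
  if (username.includes(':')) {
    throw new Error('a Basic auth user-id must not contain a colon');
  }
  // btoa only handles Latin-1 characters; non-ASCII passwords need extra handling.
  return 'Basic ' + btoa(username + ':' + password);
}

// Decode an Authorization header value back into { username, password }.
// Returns null for anything that is not a well-formed Basic header.
function decodeBasic(headerValue) {
  const match = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(String(headerValue).trim());
  if (!match) return null;                 // not the Basic scheme, or bad Base64 alphabet
  const decoded = atob(match[1]);          // Base64 -> "username:password"
  const colon = decoded.indexOf(':');
  if (colon === -1) return null;           // malformed: no separator at all
  // Split on the FIRST colon only, so a password containing ':' survives intact.
  return { username: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Constructed sample credentials (not the ones in the lesson's header above).
const sampleHeader = encodeBasic('wilma', 'p:ss:w0rd');
console.log(sampleHeader);
console.log(decodeBasic(sampleHeader));
```

Paste the two functions into the browser console and feed decodeBasic the header value from the example above to see exactly what a network observer would see.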
Try to decode the user name and password passed into the Authorization header above.
Can you see any issues with passing Base64 encoded user names/password over HTTP? How could you address these issues?
When the application server receives the Authorization header, it needs to decode it and validate that the credentials match those stored, comparing against the stored password hash rather than a plaintext password.
This logic is typically performed in a "middleware" interceptor prior to the request being processed. Middleware interceptors are used for many different use cases including security, logging and error handling - they allow us to implement non-functional requirements centrally, independent of the request processing logic.
Using your specific language framework, secure your Messaging API with Basic Authentication, validating the incoming username and password against hashed credentials created in the previous lesson.
Create Postman tests to validate each API endpoint works correctly.
Commit your code to GitHub and notify your coach that this assignment is complete.
Call the GET /messages API from your browser. Now call it again. Why does the browser only prompt you for your username/password on the first call?