API Design in Node.js, v5

User Registration Workflow

Scott Moss
Netflix

Lesson Description

The "User Registration Workflow" lesson is part of the full API Design in Node.js, v5 course featured in this preview video. Here's what you'd learn in this lesson:

Scott demonstrates the sign-up process for users, including validating input, checking uniqueness, hashing passwords for security, saving user data in the database, and providing a JSON web token for API access.


Transcript from the "User Registration Workflow" Lesson

[00:00:00]
>> Speaker 1: User Sign-Up with Password. When we sign up a user, we'll eventually cover identification and authentication, which are two of the three things we discussed earlier (authentication, authorization, and identification). We won't cover authorization explicitly, but you'll see some small authorization-type elements in the controllers.

What is the sign-up strategy? It's pretty simple. Sign-up fundamentally means first validating user input. We know what valid input is because we have a database schema that defines requirements. Some fields are required and cannot be null, some have defaults, and some are absolutely mandatory for creating a new user.

The flow is to validate input, then check that unique elements are not already taken. Ideally, this should be handled automatically by database unique constraints. You do not want to write a query to manually check if an email exists; that would be inefficient. Imagine checking 100 million users every time someone signs up; you'd likely get fired for such an approach. We instead use a unique index. We need to hash passwords, not store them in plain text.

We'll discuss why storing passwords in plain text is a bad idea. After creating the user in the database, we'll generate a JSON Web Token, essentially their API access key. Optionally, this is where you might send a confirmation email, though we won't implement that here.

Our approach auto-logs the user in by generating a token immediately. Some apps force users to sign in again after signing up, which creates a terrible user experience. We want to streamline this process.

Why hash passwords? Hashing obfuscates the password so that even engineers can't see the original value. This protects against potential data breaches, which have unfortunately become common in our digital society.

We'll use bcrypt, which involves several key steps:
1. Take the password.
2. Generate a random salt.
3. Combine the password with the salt.
4. Apply an encryption algorithm (like Blowfish).
5. Repeat the hashing process multiple times (typically 10-12 rounds).

The goal is to create a strong, reproducible hash that's computationally difficult to reverse but consistent when using the same inputs. The resulting hash includes information about the algorithm and number of encryption rounds. This approach ensures password security while maintaining the ability to verify user credentials during sign-in.
