Authentication Strategies

[00:00:00]
>> Maximiliano Firtman: So now we have all the navigation and the basic UI part ready, but then we know that we have, at some points, up to fabrics add to watch list, and also we have a section fabrics and watch lists on my account. And actually for that to work, I mean, we could do a client side only list of average, the clients are only list of watch list, but the idea is that that would probably need a cloud user account.

[00:00:27]
So then you can log in in any computer or any device and get your watch list, and for that, we need to work with users, with accounts. We need to register users, we need to login users, so that's a pretty common scenario for for most web apps these days.

[00:00:46]
So the the last huge topic that we have for this course is authentication, so we are going to start doing that, and now we will need to also go back to the server. Because we will need to add more entry points or APIs, we need to talk down to the account, and also we need to deal with passwords, so we will discuss all that stuff.

[00:01:11]
Apart from creating the front end, the login forms, the registration forms, and then we also will need to because it's a single page application. We need to understand how we will keep the session somehow alive, because we are not sending the username and password on every request. I mean, we could, but it's a pretty bad idea.

[00:01:34]
So let's get into that topic. First, our database, if we look at the, we could check in the database if you have any any tool connected to your database. We do have already a structure for this table, we have an ID for users, name, email, password, hashed, we have a hint there about how we are going to store the password.

[00:01:59]
Last login, time created, time confirmed, time deleted, maybe confirm and delete is more for homework, I have some homework for you if, in case you want to continue working on this project. But those are timestamps for now, this is what we have for every account. And then we have user movies that the structure looks like this.

[00:02:21]
We have a user id, a movie id, so that user with that movie, and then relation type can be any from favorite or watch list, so instead of creating two tables, I'm just reusing the same one. Okay, I'm calling that collection and users have two collections, favorites and watchlist, because they have kind of the same behavior, or pretty similar, okay?

[00:02:47]
So it's just that, from a database point of view, so it's not really a big deal. So regarding the logging, in this course we are going to make a classic login, okay? There is an intermediate course that continues this one where we also add passkeys to the login, just for you to know, passkeys are the replacement of passwords that is coming in the web.

[00:03:16]
You have seen this, actually, today I have received a message from WhatsApp, in my WhatsApp account, say, hey, do you wanna use passkeys? Now we have passkeys. And it can use your biometrics, or you can use a USB key, a hardware key, like a Yubicu key or other ways to store keys safely and it reduces a lot of security issues.

[00:03:39]
Okay, that's passkeys. But for now, we're going to make a classic username and password, actually, the username will be the email, that is pretty common these days. Okay, so we have email and password. And in terms of security, the basic security that we are going to implement is that we are not going to store the passwords in plain text.

[00:04:01]
Okay, that's pretty bad, because we, as the owners of the app, we can see everyone's passwords if we do that. And also, if anyone is hacking us in a server, they can steal all our users password, which is pretty bad. So the first step to increase security is to hash the passwords, okay?

[00:04:23]
So we are going to hash the passwords, and hashing the password means that we need to use a library to do that. To hash a password, it's just a cryptography tool that uses math to do some things on the password. It creates a hash, that hash cannot be converted back into the password again, it's a one way hash, as most of the hashes.

[00:04:49]
So quick question for you, if we cannot get the original password again, how do we know if tomorrow the same user is logging in with the same password, how do we know if It's the right password or not? If we don't have the original password, you compare.
>> Student: You hash it the same way, and compare that.

[00:05:07]
>> Maximiliano Firtman: Exactly, we hash it the new password that the user is trying to use again with the same function, and that's important part. When you hash things, the same string will always get you the same output, same input, that you hash same output. So then we can compare outputs, hash strings and see if it's the same or not, that's kind of how this is gonna work, okay?