Authentication and Authorization in JavaScript

What is Authentication?

Think of Authentication as a process that verifies who you are—whether you’re a user or a device—before giving access to protected resources.

In simple terms, authentication asks: Who are you?

It’s important to note that Authentication is a visible process. This means the client is aware that they’re being authenticated (e.g., through login forms, tokens, or OTPs).

Authorization, on the other hand, is handled more silently behind the scenes.

---

Authentication Types

1. Single-Factor Authentication (SFA)

   Requires only one credential to verify identity. The most common example is a password-based login. It's simple, but if your password is compromised, you're exposed.

2. Two-Factor Authentication (2FA)

   Requires two layers of verification, usually something you know (a password) and something you have (an OTP sent to your phone or email).

3. Multi-Factor Authentication (MFA)

   Requires two or more verification factors from different categories:

   • Something you know: Password, PIN
   • Something you have: Smartphone, Authenticator app, Security token
   • Something you are: Fingerprint, Face recognition

4. Biometric Authentication

   Uses biological characteristics for identity verification, such as fingerprint scanning, facial recognition, or an iris scan.

---

Why is Authentication Needed?

Authentication ensures that only legitimate users can access sensitive data or features.

If you're not authenticated, your access will be restricted to public areas of the application, which helps prevent security vulnerabilities.

---

What is Authorization?

Authorization is the process of determining what you’re allowed to do after you’ve been authenticated.

In other words, once the system knows who you are, authorization answers: What can you access or perform?

For example:

• A regular user might be able to view and edit only their profile.
• An admin might be able to create, edit, or delete users, and manage system settings.

Authorization typically happens behind the scenes—it is enforced through roles, permissions, or policies at the backend or through middleware.

---

Common Authorization Models

1. Role-Based Access Control (RBAC)

   Permissions are tied to roles (e.g., Admin, Editor, Viewer). Users are assigned roles, and their access is determined by those roles.

2. Attribute-Based Access Control (ABAC)

   Access is determined by attributes (user attributes, resource attributes, and environment conditions). Example: only allow access to a file if the user is in the "Finance" department and accessing it during office hours.

3. Policy-Based Access Control (PBAC)

   Uses rules and policies to grant or deny access. Example: "Users can only delete their own posts."