QuickNote API [III]

The QuickNote app was originally designed to rely on each client's browser local storage for persistence. In the last chapter, however, we replaced that with a database behind a unified API. Once multiple clients use the app for note-taking, we must associate each note with the client who created it, and we must ensure that a client is authenticated and authorized before it can use the app.

In this chapter, we add user registration and authentication to QuickNote API. We leave authorization to the next chapter. Please note that "authentication" is the process of verifying a user's identity. It answers the question, "Is this client who they claim to be?" On the other hand, "authorization" ensures the authenticated user only has access to resources permitted by their role (or access privileges). Therefore, it answers the question, "What is this authenticated client allowed to do?"

Managing user authentication and authorization is a challenging responsibility. Getting it wrong exposes far more than your own app: users reuse passwords across services, so a leaked credential store endangers their accounts elsewhere too. In this and the next chapter, we will explore these subjects at a rudimentary level. First, we will learn some standard practices, such as hashing passwords with a per-user salt and a deliberately slow hash function. Then we will explore token-based authentication. Of course, there is much more to be said and done on these subjects. In general, it is best not to implement your own authentication/authorization from scratch! Instead, rely on well-tested libraries, frameworks, or identity providers to fulfill this need.