Roster API
In this chapter, we will build another API server. This one will offer CRUD operations to manage a classroom roster. Moreover, we will add simple authentication and authorization.
Please note that "authentication" is the process of verifying a user's identity. It answers the question, "Is this client who they claim to be?"
On the other hand, "authorization" ensures the authenticated user only has access to resources permitted by their role (or access privileges). Therefore, it answers the question, "What is this authenticated client allowed to do?"
Managing user authentication and authorization is a challenging responsibility. Getting it wrong can lead to far more than unauthorized access to your app. In this chapter, we will explore these subjects at a rudimentary level. First, we will learn some standard practices, such as hashing passwords. Then, we will explore token-based authentication. Of course, there is much more to be said and done on these subjects. In general, it is best if you do not implement your authentication/authorization from scratch! Instead, make use of libraries, frameworks, and other programs or providers to fulfill this need.
Aside: I recommend skimming over Authentication and Authorization with JWTs in Express.js by Janith Kasun.
The source code for this chapter is available here.