Code 401: Class 06 - Authentication

Questions

Singleton an object that can only be instantiated one time
How to use singleton pattern with Node modules and classes? use a constructor to build a class for the singleton that will only allow one instance to be created. Before creating, check to see if one already exists, if so use that one. If not, instantiate.
What approach to use in designing an Express-like middleware? use the basic format function myCustomMiddleware(req, res, next){//custom middleware} then use it by calling app.use(myCustomMiddleware

Router Middleware allows the developer to modularize all routes, requests are intercepted by the router middleware and redirected to the correct route module
Dynamic Module Loading conditionally importing an module import('/modules/my-module.js').then((module) => {//do something with module});
Singleton Pattern allowing only one instance of a class to be constructed
CRUD –> REST Method Matches
- GET –> READ
- POST –> CREATE
- PUT –> UPDATE
- DELETE –> DELETE
Mock Testing real dependencies are replaced with objects that simulate the behaviors of the real ones

hashing is a good way to cryptographically store passwords
brute force attach can crack a 16 character strong password in about an hour
hash collision attack, two different inputs that generate the same hash output
Key Stretching offered by PBKDF2 and PCrypt significantly increase the time required for a brute force attack

Basic Access Authentication * method for HTTp to provide user name and password when making a request*

JSON Web Token (JWT) open standard for securely transferring json data between parties
Can be signed with a secret key or a public/private key
Standard JWT has three arts separated by .: Header, Payload, & Signature: xxxxx.yyyyy.zzzzz
- Header contains the type of token and signing algorithm being used (HMAC, SHA256, or RSA)
  - Example: { "alg": "HS256", "typ": "JWT" }
- Payload contains three types of claims: registered, public and private
  - Registered Claims set of predefined recommended interoperable claims: issuer, expiration time, subject and audience
  - Public Claims defined at will by those using JWTs
  - Private Claims custom claims created to share info between parties, neither registered or public claims
  - Example Payload: { "sub": "1234567890", "name": "John Doe", "admin": true }
Do not put secret info in the payload or header unless it is encrypted
To create a HMAC SHA256 signature:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Use jwt.io Debugger to decode, verify, and generate JWTs
Using JWTs
- When ever a client wants to access a restricted resource they should send a JWT in the authorization header in the form of a bearer token: Authorization: Bearer <token>