Authentication & Authorization

You will learn how to give permission to users or restrict access to specific users.

Brian Long
Senior Developer

Authentication: Who is Who?

Think of authentication like showing your ID at the door of a government building. The security guard doesn't let just anyone walk in; they need to know who you are first. Your ID (like a driver's license) proves that you’re really you. In the digital world, authentication works pretty much the same way. When you want to get into your favorite app or website, let’s say Instagram or your email, you need to prove that you are the person who should be able to access it.

Registration

Imagine you’re at a new café that just opened up in your neighborhood. Before you can order your favorite latte, you need to sign up for their loyalty program (because, hello, free coffee after ten visits!). You fill out a form with your name, email, and maybe a password, and now you’re officially part of the café’s community. That’s exactly what Register does online—it’s where you create a new account by providing your details (usually a username, email, and password) so that the website or app knows who you are next time you visit.

Login

Now that you’re part of the café’s loyalty program, every time you visit, you tell the barista your name so they can pull up your account and give you those sweet rewards points. Online, this is what Login is for. You enter your credentials (like your username/email and password), and the site confirms your identity, letting you access your account and all your saved stuff (like preferences, orders, etc.). It’s basically like saying, “Hey, it’s me again!” when you walk into your favorite shop.

Logout

Okay, so you’ve enjoyed your time at the café, but now it’s time to leave. Before you go, you might say goodbye to the barista. In the online world, Logout is the equivalent of that goodbye. It’s how you tell the site, “I’m done here, signing off,” and the site forgets who you are until the next time you log back in. This is important for security—so nobody else can come along and mess with your account after you leave.

Why Is This Important?

Think about it: you wouldn’t want just anyone to be able to read your messages or post pictures on your social media. Authentication is like a security guard for your digital life. It makes sure that only you can access your personal stuff.

But here’s the thing: if someone else somehow gets hold of your credentials (like if they peeked over your shoulder while you were typing your password), they could pretend to be you. That’s why it’s super important to keep your passwords safe and use strong, hard-to-guess ones.

What If You Forget Your Credentials?

We’ve all been there—you’re trying to log in, but suddenly you blank on your password. No worries! Most apps and websites have a “Forgot Password” option. It’s like telling the bouncer, “Hey, I left my ID at home, but here’s something else to prove it’s really me.” The app might ask for something else, like your email or the answer to a security question, to make sure it’s really you before letting you reset your password.

Different Types of Authentication

Now, passwords are the most common way to authenticate, but there are other methods too. You might have heard of:

  • Two-Factor Authentication (2FA): This is like showing your ID and then getting a text on your phone with a secret code. You need both to get in—so even if someone has your password, they can’t log in without your phone.

  • Biometric Authentication: This uses something unique to you—like your fingerprint or face scan. It’s like having a super personal ID that only you can use.
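The second factor from the Two-Factor Authentication item above, as an added example that is not part of the original tutorial: a six-digit code that expires, works only once and allows only a few guesses. The function names, the five-minute lifetime and the attempt limit are assumptions, and sending the code by text message is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300       # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5     # guesses allowed per issued code (assumed value)
PENDING = {}         # username -> pending code record; stand-in for a database

def digest(code):
    # Store only a hash so the pending code cannot be read back from storage.
    return hashlib.sha256(code.encode()).digest()

def issue_code(username, now=None):
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # unpredictable six-digit code
    PENDING[username] = {"digest": digest(code),
                         "expires": now + CODE_TTL,
                         "attempts": 0}
    return code   # sent to the user's phone, never shown on the login page

def verify_code(username, submitted, now=None):
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None or now > entry["expires"]:
        PENDING.pop(username, None)            # nothing pending, or too late
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(username)                  # too many guesses: code is void
        return False
    ok = hmac.compare_digest(digest(submitted), entry["digest"])
    if ok:
        PENDING.pop(username)                  # a code can be used only once
    return ok
```

The password check still happens first; this step runs only after it succeeds, so a stolen password alone is not enough to finish the login.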

Why It’s Getting More Important

As our lives get more digital—think banking, shopping, and even healthcare online—authentication becomes more important. It’s the first line of defense in keeping your personal info safe from people who shouldn’t have it.

So next time you log in, give a little nod to that authentication process—it's quietly working to keep your digital world secure.

Putting It All Together

  • Authentication is all about proving you’re who you say you are before you get access to your stuff. It’s like showing your ID to the security guard before getting into a secure area, but in the digital world, your ID is your username and password. Keeping those credentials safe is key because they’re the gatekeepers to your digital life.
  • Register: Signing up for the café’s loyalty program. You’re creating your account from scratch.
  • Login: Saying, “Hey, it’s me!” when you walk into the café, so they know who you are.
  • Logout: Waving goodbye as you leave, ensuring no one else can pretend to be you while you’re away.

These routes—Register, Login, and Logout—are the basics of how you interact with any online service that requires an account. They’re all about making sure that you can safely and easily access your stuff whenever you need to, and keep it secure when you’re not around.

Example

python
user = {
    "username":"tutorialdoctor",
    "password":"password",
    "authenticated": False
}

if user['password'] == 'password' and user['username'] == 'tutorialdoctor':
    user['authenticated'] = True
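A fuller version of the Register, Login and Logout steps, as an added example that is not part of the original tutorial: the password is kept only as a salted PBKDF2 hash, and a successful login hands back a random session token that logout discards. The in-memory `USERS` and `SESSIONS` dictionaries and all function names are assumptions standing in for a real database and session store.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2 work factor (assumed value for this example)
USERS = {}             # email -> (salt, password_hash); stand-in for a database
SESSIONS = {}          # session token -> email; stand-in for a session store

def hash_password(password, salt):
    # Slow, salted hash: a stolen user table does not reveal the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(email, password):
    if email in USERS:
        return False                      # account already exists
    salt = secrets.token_bytes(16)        # unique salt per user
    USERS[email] = (salt, hash_password(password, salt))
    return True

def login(email, password):
    # Unknown emails get a dummy salt so both failure paths do the same work.
    salt, stored = USERS.get(email, (b"\x00" * 16, b""))
    candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):   # constant-time comparison
        return None
    token = secrets.token_urlsafe(32)     # unguessable session identifier
    SESSIONS[token] = email
    return token

def current_user(token):
    return SESSIONS.get(token)            # None once logged out

def logout(token):
    SESSIONS.pop(token, None)             # the server forgets the session
```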

Flask Example

Here is a code snippet of authentication in a Flask app.

python
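# AUTHENTICATION
# Assumes app (Flask), db (SQLAlchemy) and the User model are defined elsewhere,
# and that Flask-Login is set up for the app.
from flask import request, render_template, redirect, url_for
from flask_login import login_user, logout_user, login_required
from werkzeug.security import generate_password_hash, check_password_hash

@app.route("/login", methods=["POST","GET"])
def login():
  if request.method == 'GET':
    return render_template("auth/login.html",value=[1,2])
  email = request.form['email']
  password = request.form['password']
  # Look the user up by email only; the stored value is a hash, not the password
  user = User.query.filter_by(email=email).first()
  # Same message for an unknown email and a wrong password, so the form
  # does not reveal which emails are registered
  if not user or not check_password_hash(user.password, password):
    return render_template("auth/login.html",message="Invalid email or password"), 401
  login_user(user)
  return redirect(url_for('index'))

@app.route("/register", methods=["POST","GET"])
def register():
  if request.method == 'GET':
    return render_template("auth/register.html",value=[1,2])
  email = request.form['email']
  password = request.form['password']
  user = User.query.filter_by(email=email).first()
  if not user:
    # Store a salted hash, never the plain-text password
    new_user = User(email=email,password=generate_password_hash(password))
    db.session.add(new_user)
    db.session.commit()
    login_user(new_user)
    return redirect(url_for('home'))
  else:
    return render_template("auth/register.html",message="User already exists")

@app.route('/logout')
@login_required
def logout():
  # Clear the session so the browser is no longer treated as this user
  logout_user()
  return render_template("auth/login.html")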

Authorization: Who Gets to Do What

Alright, let's talk about authorization.

Imagine you're at a really cool party. There’s a VIP section with the best snacks and comfy seats, but not everyone can go in there. To get in, you need a special wristband that shows you’re allowed to enter that area. Now, think of authorization as that wristband—it’s what determines what you’re allowed to do or where you can go.

What Is Authorization?

Authorization is all about permissions. It’s the process that checks what you’re allowed to do after you’ve logged into an app or website. Just because you’ve got through the door (you logged in), doesn’t mean you can do everything. Maybe you can look around, but you can't touch certain things, or maybe you can only edit your stuff, not anyone else’s. Authorization decides all that.

Why Does It Matter?

Let’s say you’re using a website like Facebook. You can post on your own timeline, but you can’t just post on someone else’s timeline without their permission. That’s authorization at work. It makes sure that only you can do certain things with your account, while others can only see or interact in specific ways.

How Does It Work?

When you log in to a site, the system knows who you are (thanks to authentication), but then it checks what you’re allowed to do—like can you edit profiles, delete comments, or access certain pages? The site looks at your role or permissions and says, "Yep, you can do that," or "Nope, you’re not allowed to do that."

Example Time!

  • Basic User: Can read articles, leave comments, but not delete them.
  • Moderator: Can read articles, leave comments, and delete inappropriate comments.
  • Admin: Can do everything a basic user and moderator can do, plus change site settings.

So, if you’re a basic user, and you try to delete a comment, the system will stop you because you don’t have the right authorization. But if you’re a moderator, you can go ahead and remove it.
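The three roles above as a permission check, as an added example that is not part of the original tutorial. The permission names, the `requires` decorator and the sample comments are assumptions; anything not explicitly granted is denied, including unknown roles and users who are not logged in.

```python
from functools import wraps

# Each role builds on the one before it, as in the list above.
BASIC = {"read_article", "add_comment"}
MODERATOR = BASIC | {"delete_comment"}
ADMIN = MODERATOR | {"change_settings"}
ROLE_PERMISSIONS = {"basic": BASIC, "moderator": MODERATOR, "admin": ADMIN}

class Forbidden(Exception):
    """Raised when a user attempts an action their role does not allow."""

def is_allowed(user, permission):
    # Deny by default: no user, not logged in, or unknown role all fail.
    if not user or not user.get("authenticated"):
        return False
    return permission in ROLE_PERMISSIONS.get(user.get("role"), set())

def requires(permission):
    # Decorator that runs the check before the protected function body.
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise Forbidden(f"{permission} denied for role {user.get('role')!r}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator

COMMENTS = {1: "buy cheap watches", 2: "nice article"}   # constructed sample data

@requires("delete_comment")
def delete_comment(user, comment_id):
    return COMMENTS.pop(comment_id, None) is not None

@requires("change_settings")
def change_settings(user, key, value):
    return {key: value}
```

The check runs on the server for every call, so hiding a "delete" button in the page is never the only thing standing between a basic user and the action.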

In summary, Authorization is like the party’s wristband system. It checks what you can do once you’re inside. Just because you’re at the party (logged in), doesn’t mean you can go everywhere or do everything. The wristband (authorization) decides what areas or actions are open to you.

So next time you’re navigating around an app or site, remember—what you can or can’t do is all about what permissions you’ve got, thanks to authorization!

python
from uuid import uuid4

user = {
    "username":"tutorialdoctor",
    "password":"password",
    "authenticated":False,
    "role": 'admin',
    "access_token": ''
}

# Only an admin is issued an access token
if user['role'] == 'admin':
    user['access_token'] = str(uuid4())

# Access is granted only if a token was issued
if user['access_token'] != '':
    user['granted_access'] = True

print(user)

Summary

Authorization, along with authentication, forms the backbone of a secure web application. It involves checking whether a user can perform specific actions or access certain resources after verifying their identity. Implementing these processes correctly ensures that your application remains secure and that user data is protected.
