Authentication vs Authorization in Express Security
Learning Objectives
By the end of this session, students will:
- Understand the difference between Authentication (AuthN) and Authorization (AuthZ).
- Know why both are critical for secure applications.
- Implement Authentication in Express using JWT.
- Implement Role-based Authorization middleware.
- Secure routes based on user roles.
Let us first understand what authentication is and what authorization is:
Authentication:
Authentication is the process of confirming a user’s identity to ensure they are truly the person they claim to be. This is usually done by validating credentials, such as a username and password, before granting access.
Authentication means proving who you are before you can use a system. Just like when you log in to Gmail or Facebook, you enter your email/username and password. The system checks these details and confirms that you are really the account owner.
👉 Think of it like showing your ID card at the entrance of a building. If the ID matches, you’re allowed inside.
It ensures the system knows who the requester is.
Authentication Goal: Confirm that the credentials presented (e.g., username/password, token, certificate) match a known identity.
Authentication Methods:
- Password-based → username + password checked against a database (often hashed & salted).
- Token-based → bearer tokens (JWT, OAuth2 access tokens).
- Certificate-based → mutual TLS, X.509 certificates.
- Multi-Factor Authentication (MFA) → combining something you know (password), something you have (phone/OTP), and something you are (biometrics).
- Mechanism: On successful authentication, the system issues a security context (e.g., cookie, token, claims principal) that represents the identity during the session.
Authorization:
Authorization decides what you are allowed to do after you have logged in. Once your identity is confirmed (authentication), the system checks your permissions or roles to determine what features you can access.
👉 Example: In a school portal, both students and teachers log in. After login, a student can only see their own grades, while a teacher can upload marks for many students.
Once authentication confirms who the user is, authorization enforces what the user can do within the system.
- Scope: Defines access to resources, APIs, endpoints, or operations.
- Implementation: Often role-based (RBAC), claim-based, or policy-based.
- Mechanism: Achieved by associating users with roles/claims and enforcing them via middleware, policies, or access control lists (ACLs).
👉 In short, authentication answers “Who are you?”, while authorization answers “What can you access?”
First, we will look at how basic authentication works.
Basic authentication using Session + Cookies (Traditional Web Auth).
Sessions with cookies are one of the most common approaches to authentication. The flow works like this:
- User logs in with username/password.
- Server verifies credentials and creates a session (usually stored in memory, Redis, or database).
- Server sends back a session ID inside a cookie.
- On every request, the browser automatically sends that cookie.
- Server looks up the session to identify the user.
Here is example code that demonstrates how session-based authentication works:
Step 1: Create a file server.js
const express = require("express");
const session = require("express-session");

const app = express();
app.use(express.json());

app.use(session({
  secret: "mySecretKey",      // demo value only; load it from an environment variable in real deployments
  resave: false,
  saveUninitialized: true,
  cookie: { secure: false }   // set to true when the app is served over HTTPS
}));

// Fake login: accepts any username without checking a password
app.post("/login", (req, res) => {
  const { username } = req.body;
  // Normally check the password against the DB (compare with a salted hash)
  req.session.user = { username };   // the session now carries the authenticated identity
  res.send("User logged in!");
});

// Protected route: only reachable with a valid session cookie
app.get("/profile", (req, res) => {
  if (req.session.user) {
    res.send(`Welcome ${req.session.user.username}`);
  } else {
    res.status(401).send("Not logged in");
  }
});

app.listen(3000, () => console.log("Server running on port 3000"));
Testing
Run this program
node server.js
Using Postman, send a POST request to http://localhost:3000/login.
Pass the username in the request body as a JSON object:
{
  "username": "yourname"
}
You will see "User logged in!" in the response body in Postman.
You can also see that a cookie has been created under the Cookies (1) section.
Now send a GET request to http://localhost:3000/profile.
You will get a welcome message, because Postman automatically sends the session cookie with the request.
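To show the authorization side described earlier (roles enforced via middleware) on top of the session login above, here is an added example that is not part of the original lesson. It assumes the login route also stores a role in req.session.user (e.g. { username, role: "teacher" }); requireRole, makeRes and simulate are names chosen for this demo, and the stub objects let the middleware run without Express installed.

```javascript
// Added example (not from the original lesson): role-based authorization
// middleware in the same (req, res, next) shape as the session check in server.js.
// Assumption: the login route stores { username, role } in req.session.user.

// Authorization runs *after* authentication: identity is read from the session.
function requireRole(...allowedRoles) {
  return function (req, res, next) {
    const user = req.session && req.session.user;
    if (!user) {
      // Not authenticated: 401 answers "who are you?"
      return res.status(401).send("Not logged in");
    }
    if (!allowedRoles.includes(user.role)) {
      // Authenticated but not permitted: 403 answers "you may not do this"
      return res.status(403).send("Forbidden");
    }
    return next();
  };
}

// Minimal stand-in for an Express response so the middleware can be exercised
// without a running server (stub, not Express's real object).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Runs the middleware against a constructed session and reports the outcome.
function simulate(sessionUser, ...allowedRoles) {
  const req = { session: { user: sessionUser } };
  const res = makeRes();
  let reachedHandler = false;
  requireRole(...allowedRoles)(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

// In server.js this would be mounted as:
// app.post("/grades", requireRole("teacher"), (req, res) => { /* upload marks */ });
console.log(simulate(undefined, "teacher"));                             // status 401
console.log(simulate({ username: "amy", role: "student" }, "teacher"));  // status 403
console.log(simulate({ username: "bob", role: "teacher" }, "teacher"));  // status 200
```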