Skip to main content

Explain how authentication and authorization work in a MERN stack application.

 Let's walk through authentication and authorization in a MERN stack application (MongoDB, Express.js, React, Node.js). These are critical for securing your app and controlling user access.

Explain how authentication and authorization work in a MERN stack application.

πŸ” Authentication vs. Authorization

  • Authentication: Proves who the user is (e.g., logging in).

  • Authorization: Controls what that authenticated user can do (e.g., admin vs. regular user access).

⚙️ How It Works in the MERN Stack

1. React (Frontend)

  • Users enter credentials via a login form.

  • On submit, React sends a POST request to an Express.js backend.

  • If the credentials are valid, the server returns a JWT (JSON Web Token).

  • The JWT is stored client-side (e.g., localStorage, sessionStorage, or httpOnly cookies for better security).

  • For all protected routes, React sends this JWT in the Authorization header of future requests.

2. Express.js + Node.js (Backend)

Login Endpoint

  • Backend receives login credentials.

  • Looks up the user in MongoDB.

  • Compares hashed passwords using bcrypt.

  • If valid, creates a JWT using jsonwebtoken and sends it back.


const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');

app.post('/login', async (req, res) => {
  const user = await User.findOne({ email: req.body.email });
  if (!user) return res.status(401).send("User not found");

  const isMatch = await bcrypt.compare(req.body.password, user.password);
  if (!isMatch) return res.status(401).send("Incorrect password");

  const token = jwt.sign({ id: user._id, role: user.role }, process.env.JWT_SECRET, { expiresIn: '1h' });
  res.json({ token });
});

Middleware to Protect Routes

  • You create a middleware function to validate JWTs and attach user data to req.


const auth = (req, res, next) => {
  const token = req.header('Authorization')?.split(' ')[1];
  if (!token) return res.status(403).send("Access denied");

  try {
    const verified = jwt.verify(token, process.env.JWT_SECRET);
    req.user = verified;
    next();
  } catch {
    res.status(401).send("Invalid token");
  }
};

Protected Route

app.get('/dashboard', auth, (req, res) => {
  res.send(`Welcome user ${req.user.id}`);
});

3. MongoDB (Database)

You store user data like this:

const mongoose = require('mongoose');

const userSchema = new mongoose.Schema({
  email: String,
  password: String, // hashed using bcrypt
  role: { type: String, default: "user" } // for authorization
});

const User = mongoose.model('User', userSchema);

πŸ›‚ Authorization (Role-Based Access)

Add another middleware to check roles:

const checkRole = (role) => (req, res, next) => {
  if (req.user.role !== role) return res.status(403).send("Forbidden");
  next();
};

app.get('/admin', auth, checkRole('admin'), (req, res) => {
  res.send("Welcome, Admin!");
});

Best Practices

  • Always hash passwords before saving (bcrypt is the go-to).

  • Use httpOnly cookies for token storage if security is a concern (helps prevent XSS).

  • Set JWT expiration times and rotate/refresh tokens if needed.

  • Sanitize inputs to prevent injection attacks.

  • Protect all sensitive routes with both authentication and authorization.

Popular posts from this blog

How does BGP prevent routing loops? Explain AS_PATH and loop prevention mechanisms.

 In Border Gateway Protocol (BGP), preventing routing loops is critical — especially because BGP is the inter-domain routing protocol used to connect Autonomous Systems (ASes) on the internet. πŸ”„ How BGP Prevents Routing Loops The main mechanism BGP uses is the AS_PATH attribute . πŸ” What is AS_PATH? AS_PATH is a BGP path attribute that lists the sequence of Autonomous Systems (AS numbers) a route has traversed. Each time a route is advertised across an AS boundary, the local AS number is prepended to the AS_PATH. Example: If AS 65001 → AS 65002 → AS 65003 is the route a prefix has taken, the AS_PATH will look like: makefile AS_PATH: 65003 65002 65001 It’s prepended in reverse order — so the last AS is first . 🚫 Loop Prevention Using AS_PATH ✅ Core Mechanism: BGP routers reject any route advertisement that contains their own AS number in the AS_PATH. πŸ” Why It Works: If a route makes its way back to an AS that’s already in the AS_PATH , that AS kno...
Read more

What’s the impact of BGP full routes on router memory and performance?

Receiving full BGP routes (i.e., the full global BGP routing table) has a significant impact on a router's memory and performance. Here's a breakdown of the key impacts: πŸ”§ 1. Memory Usage (RAM) A full BGP table typically contains ~1 million IPv4 routes and growing (~200k+ IPv6 routes). Each BGP route consumes tens to hundreds of bytes of memory, depending on attributes (AS path, communities, etc.). This translates to hundreds of megabytes to several gigabytes of RAM just for storing the BGP RIB (Routing Information Base). The FIB (Forwarding Information Base) , which is installed into the router's hardware or kernel for actual packet forwarding, also consumes memory (especially in TCAM for hardware routers). ❗ Example A router might require 4–8 GB of RAM (or more) to comfortably handle full BGP routes with headroom for growth and stability. 🧠 2. CPU Utilization High CPU load during: Initial BGP session establishment (parsing all rout...
Read more

Explain the OSPF LSDB (Link State Database) and how SPF (Shortest Path First) algorithm works.

OSPF (Open Shortest Path First) is a link-state routing protocol , and the LSDB (Link-State Database) and SPF (Shortest Path First) algorithm are core to how OSPF calculates the best paths . Let’s break them down. 🧠 What is the OSPF LSDB (Link-State Database)? The LSDB is a map of the entire OSPF network area — each router stores a complete topology of its area. πŸ” Details: Built from LSAs (Link-State Advertisements) exchanged between routers. Contains info about: Routers and their interfaces Network segments Neighbor relationships Each OSPF router maintains an identical LSDB within the same area. ✅ Key Characteristics: Feature Description Scope One LSDB per OSPF area Source Built from received LSAs Consistency All routers in an area have identical LSDBs Purpose Used as input for SPF algorithm to calculate best paths ⚙️ How the SPF Algorithm Works in OSPF OSPF uses Dijkstra’s Shortest Path First (SPF) algorithm to compute the shortest (lowest-cost)...
Read more