
Explain how authentication and authorization work in a MERN stack application.

Let's walk through authentication and authorization in a MERN stack application (MongoDB, Express.js, React, Node.js). These are critical for securing your app and controlling user access.

πŸ” Authentication vs. Authorization

  • Authentication: Proves who the user is (e.g., logging in).

  • Authorization: Controls what that authenticated user can do (e.g., admin vs. regular user access).

⚙️ How It Works in the MERN Stack

1. React (Frontend)

  • Users enter credentials via a login form.

  • On submit, React sends a POST request to an Express.js backend.

  • If the credentials are valid, the server returns a JWT (JSON Web Token).

  • The JWT is stored client-side (e.g., localStorage, sessionStorage, or httpOnly cookies for better security).

  • For protected routes, React sends this JWT on every subsequent request in the Authorization header (Authorization: Bearer <token>).

2. Express.js + Node.js (Backend)

Login Endpoint

  • Backend receives login credentials.

  • Looks up the user in MongoDB.

  • Compares the submitted password against the stored bcrypt hash (bcrypt.compare); the plaintext password is never stored.

  • If valid, creates a JWT using jsonwebtoken and sends it back.

    const express = require('express');
    const jwt = require('jsonwebtoken');
    const bcrypt = require('bcryptjs');

    const app = express();
    app.use(express.json()); // parse JSON request bodies

    // User is the Mongoose model defined in the MongoDB section below.
    app.post('/login', async (req, res) => {
      const user = await User.findOne({ email: req.body.email });
      // Same message for "no such user" and "wrong password", so the response
      // does not reveal which e-mail addresses have accounts.
      if (!user) return res.status(401).send("Invalid credentials");

      const isMatch = await bcrypt.compare(req.body.password, user.password);
      if (!isMatch) return res.status(401).send("Invalid credentials");

      // Short-lived signed token carrying only what authorization needs (id and role).
      const token = jwt.sign(
        { id: user._id, role: user.role },
        process.env.JWT_SECRET,
        { expiresIn: '1h' }
      );
      res.json({ token });
    });

Middleware to Protect Routes

  • You create a middleware function to validate JWTs and attach user data to req.

    const jwt = require('jsonwebtoken');

    // Expects "Authorization: Bearer <token>". On success the decoded claims
    // ({ id, role, iat, exp }) are attached to req.user for later handlers.
    const auth = (req, res, next) => {
      const token = req.header('Authorization')?.split(' ')[1];
      if (!token) return res.status(403).send("Access denied");
      try {
        // jwt.verify checks the signature and rejects expired tokens
        const verified = jwt.verify(token, process.env.JWT_SECRET);
        req.user = verified;
        next();
      } catch {
        res.status(401).send("Invalid token");
      }
    };

Protected Route

    app.get('/dashboard', auth, (req, res) => {
      res.send(`Welcome user ${req.user.id}`);
    });

3. MongoDB (Database)

You store user data like this:

    const mongoose = require('mongoose');

    const userSchema = new mongoose.Schema({
      email: { type: String, required: true, unique: true },
      password: { type: String, required: true }, // bcrypt hash, never the plaintext
      role: { type: String, default: "user" }     // used for authorization
    });

    const User = mongoose.model('User', userSchema);

🛂 Authorization (Role-Based Access)

Add another middleware to check roles:

    // Must run after auth, which sets req.user from the verified token.
    const checkRole = (role) => (req, res, next) => {
      if (req.user.role !== role) return res.status(403).send("Forbidden");
      next();
    };

    app.get('/admin', auth, checkRole('admin'), (req, res) => {
      res.send("Welcome, Admin!");
    });

Best Practices

  • Always hash passwords before saving (bcrypt is the go-to).

  • Use httpOnly cookies for token storage if security is a concern: page JavaScript cannot read an httpOnly cookie, so an XSS bug cannot steal the token the way it can from localStorage or sessionStorage.

  • Set JWT expiration times and rotate/refresh tokens if needed.

  • Validate and sanitize inputs (for example, require req.body.email and req.body.password to be plain strings) to prevent injection attacks against your database queries.

  • Protect all sensitive routes with both authentication and authorization.
