Various ways of User Authentication you can use in your web app

It’s very important to understand the various ways of user authentication you can add to your app.

We have various ways to do this, and here I’ll be discussing the following (in order from least secure to most secure):

simple email & password, encrypted password, hashing with md5

Then in the next blog I’ll be discussing the next three:

hashing with salting, cookies & sessions, Google OAuth 2.0 authentication

Note that here I’ll be using Express.js & MongoDB (through Mongoose) to show the ways. Let us start with the first one.

First, create a schema for the user

const mongoose = require("mongoose");
const userSchema = new mongoose.Schema({ email: String, password: String });

Now create the model from the schema

const User = mongoose.model("User", userSchema);

Now make an instance of the model and save it (sign-up)

const newUser = new User({ email: req.body.username, password: req.body.password });
// Without save() nothing reaches the database and the lookup below finds no user
newUser.save();

Remember, here username and password are the two input fields the user fills in on your login/sign-up page.

Now find the user by the email they entered and compare the passwords (login)

const username = req.body.username;
const password = req.body.password;
User.findOne({ email: username }, function (err, foundUser) {
  if (err) {
    console.log(err);
  } else if (foundUser) {
    // Plaintext comparison: the stored value is the exact string the user signed up with
    if (foundUser.password === password) {
      res.render("Page for authorized users");
    }
  }
});

This is the simplest and the worst authentication you can have, since you are storing your customers’ passwords as plain strings. The database holds the passwords exactly as typed, which is very dangerous: anyone with access to the database can read them directly. So let us now use the second method, which encrypts the password.

We’ll be using the “mongoose-encryption” package for this

const mongoose = require("mongoose");
const encrypt = require("mongoose-encryption");
const userSchema = new mongoose.Schema({ email: String, password: String });
const secret_KEY = "Any secret key";
// Encrypt only the password field; the plugin encrypts on save and decrypts on find
userSchema.plugin(encrypt, { secret: secret_KEY, encryptedFields: ["password"] });
// The plugin must be attached before the model is compiled
const User = mongoose.model("User", userSchema);

Here a secret key is kept by the app developer and used to encrypt users’ passwords with a cipher, so the password is no longer stored in the database directly but as ciphertext. Now attackers would need this secret key before they could decrypt the passwords they find in the database.

Although this method is better than the first one, it is still not very secure: encryption is reversible, so if your secret key is leaked or accessed, all your customers’ passwords are exposed at once.

So now we come to hashing!

With hashing the stored value cannot be decrypted at all: we pass the password through a one-way hash function (in this case md5) and store the resulting digest. When the user types the password again to log in, we pass it through the same hash function, and if the stored digest and the freshly computed one match, the user is authorized; otherwise not. Beautiful, right? One caveat to keep in mind: md5 is fast and is used here without a salt, so two users with the same password get the same digest and common passwords can be recovered from precomputed tables. That is exactly what salting, covered in the next blog, addresses.

Let us require md5 and do as before

const md5 = require("md5");

// Sign-up: store the md5 digest of the password, not the password itself
const newUser = new User({
  email: req.body.username,
  password: md5(req.body.password)
});
newUser.save();

// Login: hash the typed password the same way and compare the two digests
const username = req.body.username;
const typed_password = md5(req.body.password);
User.findOne({ email: username }, function (err, foundUser) {
  if (err) {
    console.log(err);
  } else if (foundUser) {
    if (foundUser.password === typed_password) {
      res.render("Your page for authorized users");
    }
  }
});
