JavaScript Login and Signup Pages Team Teach

  • 200 (OK): Returned on successful login or signup (201 Created is the more specific code for a signup that actually creates an account).
  • 401 (Unauthorized): Returned when a user enters incorrect login credentials.
  • 403 (Forbidden): Returned when a user tries to access a resource they don’t have permission for.
  • 409 (Conflict): Can be used if a new user is trying to register with an email/username that already exists.
  • Error Handling: Implement proper error handling in Flask to return meaningful error messages and appropriate HTTP status codes.

Login/signup

  • Ways to be more secure:

    • Token-Based Authentication: Implement token-based authentication, such as JSON Web Tokens (JWT), or delegate sign-in to an OAuth 2.0/OpenID Connect provider, to manage user sessions. Tokens should be signed with a cryptographically random secret, have a short lifespan, and be stored on the client in an HttpOnly, Secure cookie rather than in localStorage, where any XSS can read them.

    • Secure Password Storage: Never store plaintext passwords. Store only a salted hash produced by a slow, password-specific algorithm (bcrypt, scrypt or Argon2; these handle salting for you), not a fast general-purpose hash such as MD5 or SHA-256, so that passwords are not trivially recoverable if the database is breached.

    • Authentication Rate Limiting: Rate-limit login endpoints to slow brute-force and credential-stuffing attacks, for example by capping failed attempts per account and per source IP within a time window and answering further attempts with 429 (Too Many Requests) or an increasing delay.

    • Secure User Registration: Validate and sanitize all registration inputs to prevent injection attacks. Confirm ownership of the email address (for example with a confirmation link) and check that usernames meet a defined format before the account is created.

    • Multi-Factor Authentication (MFA): Encourage or require users to enable MFA to add an additional layer of security. This can involve one-time codes from an authenticator app (TOTP), hardware security keys, or, as weaker fallbacks, codes sent via SMS or email.

    • Session Management: Implement secure session management practices. Ensure that session tokens are securely stored and transmitted, and consider implementing session timeout and re-authentication mechanisms.

    • Cross-Site Request Forgery (CSRF) Protection: Implement measures to protect against CSRF attacks. Use anti-CSRF tokens and the SameSite cookie attribute, and check the Origin/Referer header, so that state-changing requests come from your own pages rather than from a third-party site the logged-in user happens to visit.

    • Input Validation and Sanitization: Validate and sanitize all user inputs to prevent injection attacks, such as SQL injection or Cross-Site Scripting (XSS). Use parameterized queries for database interactions.

    • Logging and Monitoring: Implement comprehensive logging for login/signup activities. Monitor and log failed login attempts, unusual patterns, and potential security events to detect and respond to security incidents.

    • API Key Security: If applicable, secure API keys used for authentication and authorization. Ensure that keys are kept confidential, rotated regularly, and that access is restricted to only necessary entities.

    • Regular Security Audits and Updates: Conduct regular security audits of your codebase and dependencies. Stay updated on security best practices and promptly apply patches and updates to address any vulnerabilities.
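The status codes and the list above describe the controls in the abstract. What follows is an added example, not code from the lesson, showing how several of them fit together in a framework-agnostic Python core: signup and login handlers that return the (status, body) pair a Flask view would return, salted slow hashing, constant-time comparison, a per-account sliding-window rate limit, and an audit trail. The in-memory stores USERS, FAILED and AUDIT_LOG, the limits, and the DUMMY_SALT trick are assumptions constructed for illustration:

```python
"""Signup/login core: salted slow hashing, constant-time compare,
per-account rate limiting and an audit trail.

Added, framework-agnostic example (stdlib only). Each handler returns the
(status_code, body) pair a Flask view would hand back. USERS, FAILED,
AUDIT_LOG and the limits below are in-memory stand-ins constructed for
illustration, not the lesson's code.
"""
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional

MAX_ATTEMPTS = 5        # failed logins allowed per account ...
WINDOW_SECONDS = 60     # ... within this sliding window

USERS = {}      # username -> {"salt": bytes, "hash": bytes}
FAILED = {}     # username -> deque of failure timestamps
AUDIT_LOG = []  # stand-in for real logging/monitoring
DUMMY_SALT = os.urandom(16)  # so an unknown user costs the same as a wrong password


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, memory-hard hash. scrypt is used because it ships in the
    stdlib; bcrypt or Argon2id are equally good choices for a Flask app."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time compare: a plain == leaks how many leading bytes match.
    return hmac.compare_digest(digest, expected)


def is_rate_limited(username: str, now: float) -> bool:
    window = FAILED.setdefault(username, deque())
    while window and now - window[0] > WINDOW_SECONDS:  # drop stale failures
        window.popleft()
    return len(window) >= MAX_ATTEMPTS


def signup(username: str, password: str) -> tuple:
    if not username or len(password) < 8:
        return 400, {"error": "username required; password must be at least 8 characters"}
    if username in USERS:
        return 409, {"error": "username already taken"}       # 409 Conflict
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}           # never the plaintext
    AUDIT_LOG.append(f"signup ok user={username}")
    return 201, {"message": "account created"}                # 201 Created (200 OK also common)


def login(username: str, password: str, now: Optional[float] = None) -> tuple:
    now = time.time() if now is None else now
    if is_rate_limited(username, now):
        AUDIT_LOG.append(f"login rate_limited user={username}")
        return 429, {"error": "too many failed attempts, try again later"}
    record = USERS.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)  # same work as a real check: no timing oracle
        ok = False
    else:
        ok = verify_password(password, record["salt"], record["hash"])
    if not ok:
        # One generic message for both cases so attackers cannot enumerate usernames.
        FAILED.setdefault(username, deque()).append(now)
        AUDIT_LOG.append(f"login failed user={username}")
        return 401, {"error": "invalid username or password"}  # 401 Unauthorized
    FAILED.pop(username, None)
    AUDIT_LOG.append(f"login ok user={username}")
    return 200, {"message": "logged in"}
```

Keying the limit on the username alone lets an attacker lock a victim out with five bad passwords, so a real deployment also keys on source IP or uses increasing delays; the 429 path here only shows the shape of the check. scrypt stands in for bcrypt because it ships with Python.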

User Profile Lesson

  • POST request adds new users
  • GET request returns the user data table
  • PUT request updates user information; DELETE request removes the specified user
  • CRUD:

    • Create: POST requests
      • Creates new user with input data
      • Performs error checking
      • Sets up user object -> adds to user database
    • Read: GET requests
      • Handles user retrieval requests
      • Serializes the user data to JSON and returns it in the response
    • Update: PUT/PATCH requests
      • Updates the user based on the submitted input
      • Commits the changes to the user database
      • The lesson implements this with PUT (full replacement of the record); PATCH would send only the changed fields
    • Delete: DELETE requests
      • Handles user delete requests
      • Deletes user from database
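The CRUD outline above maps each verb to a handler. As an added example (not the lesson's own code) the four handlers are written against sqlite3 with parameterized queries, so the "use parameterized queries" advice from the security list is visible in working form: every user-supplied value is bound with a ? placeholder and an injection payload is compared as a literal string. The ":memory:" database, the table schema and the field names are assumptions constructed for illustration; handlers return the (status, body) pair a Flask view would return:

```python
"""User CRUD (POST/GET/PUT/DELETE) over sqlite3 using parameterized queries.

Added example, not the lesson's own code. Handlers return the (status, body)
pair a Flask view would return. The ":memory:" database, schema and field
names are constructed for illustration.
"""
import sqlite3
from typing import Optional


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE)"
    )
    return conn


def _row_to_dict(row) -> dict:
    return {"id": row[0], "name": row[1], "email": row[2]}


def create_user(conn, name: str, email: str) -> tuple:
    """Create: POST /users. Input is checked, then bound as a parameter, never spliced into SQL."""
    if not name or "@" not in email:
        return 400, {"error": "name and a valid email are required"}
    try:
        cur = conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    except sqlite3.IntegrityError:               # UNIQUE(email) violated
        return 409, {"error": "email already registered"}
    conn.commit()
    return 201, {"id": cur.lastrowid, "name": name, "email": email}


def read_user(conn, user_id: int) -> tuple:
    """Read: GET /users/<id>."""
    row = conn.execute("SELECT id, name, email FROM users WHERE id = ?", (user_id,)).fetchone()
    return (404, {"error": "user not found"}) if row is None else (200, _row_to_dict(row))


def find_by_email(conn, email: str) -> list:
    """Read: GET /users?email=... Because the value is bound with ?, a payload such as
    ' OR '1'='1 is compared as a literal email address and matches nothing."""
    rows = conn.execute("SELECT id, name, email FROM users WHERE email = ?", (email,)).fetchall()
    return [_row_to_dict(r) for r in rows]


def update_user(conn, user_id: int, name: Optional[str] = None, email: Optional[str] = None) -> tuple:
    """Update: PUT/PATCH /users/<id>. Column names come from a fixed allow-list
    built here; only the values are parameters."""
    assignments, params = [], []
    if name is not None:
        assignments.append("name = ?")
        params.append(name)
    if email is not None:
        assignments.append("email = ?")
        params.append(email)
    if not assignments:
        return 400, {"error": "nothing to update"}
    params.append(user_id)
    try:
        cur = conn.execute(f"UPDATE users SET {', '.join(assignments)} WHERE id = ?", params)
    except sqlite3.IntegrityError:
        return 409, {"error": "email already registered"}
    if cur.rowcount == 0:
        return 404, {"error": "user not found"}
    conn.commit()
    return read_user(conn, user_id)


def delete_user(conn, user_id: int) -> tuple:
    """Delete: DELETE /users/<id>."""
    cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    if cur.rowcount == 0:
        return 404, {"error": "user not found"}
    conn.commit()
    return 204, {}
```

The one place SQL text is assembled with an f-string, the SET clause in update_user, only ever contains the fixed strings "name = ?" and "email = ?"; the user-controlled values still travel as parameters. Letting callers name arbitrary columns would reopen the injection hole.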

JWT roles:

  • JWT Roles: JWT (JSON Web Token) roles define the permissions and access level of a user or system within an application. They are encoded as claims in the JWT payload; because the token is signed, the server can trust the role claim only after verifying the signature, and a client that edits the payload produces a token that fails verification.
  • Single-factor authentication is used when a user provides a username/email/phone number and a password. This is the most common and weakest form of authentication: the user inputs the email and password, the system checks whether the data is valid, and if so the user is authenticated and can access the resource.
  • Multi-factor authentication uses more than one factor to authenticate a user. For example, the user tries to log in with an email and password; if the data is correct, a code is sent to the phone number registered on the user's account. If the user enters the correct code, the user is logged in; otherwise, the user is not authenticated.
  • Authentication verifies identity (who is making the request); a failure is a 401.
  • Authorization decides what that verified identity is allowed to do, granting or denying permissions for each action; a failure is a 403.
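To make the role claim and the authentication/authorization split concrete, here is an added example (not the lesson's code, and using only the standard library rather than PyJWT or flask-jwt-extended) that mints an HS256 JWT carrying a role, verifies it, and maps the outcome to the 401/403/200 a route guard would return. The SECRET, the role names, the REQUIRED_ROLE policy and the tamper_role attacker helper are assumptions constructed for illustration:

```python
"""Minimal HS256 JWT carrying a role claim, plus authentication (401) vs
authorization (403) checks as a route guard would apply them.

Added example, stdlib only. SECRET, the role names and the REQUIRED_ROLE
policy are constructed for illustration and are not part of the lesson.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret: use os.urandom(32) kept out of source in production"
TOKEN_TTL_SECONDS = 15 * 60   # limited lifespan: 15 minutes

# Authorization policy: which roles may perform which action (constructed).
REQUIRED_ROLE = {"read_profile": {"user", "admin"}, "delete_user": {"admin"}}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(username: str, role: str, now: Optional[float] = None) -> str:
    """Server side: the role lives in the signed payload, so clients can read it but not change it."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "role": role, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = _segment(header) + "." + _segment(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if structure, algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    # Pin the algorithm server-side; never let the token choose it (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def authorize(token: str, action: str, now: Optional[float] = None) -> int:
    """401: not authenticated (bad/expired/missing token).
    403: authenticated, but the role is not permitted to do this.  200: allowed."""
    payload = verify_token(token, now)
    if payload is None:
        return 401
    if payload.get("role") not in REQUIRED_ROLE.get(action, set()):
        return 403
    return 200


def tamper_role(token: str, new_role: str) -> str:
    """What an attacker can do client-side: rewrite the role claim but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["role"] = new_role
    return header_b64 + "." + _segment(payload) + "." + sig_b64
```

The tamper_role path is the point of the "roles live in the signed payload" remark: the browser can decode and even edit the claim, but the HMAC no longer matches, so verify_token returns None and the guard answers 401 rather than granting admin rights. Note that the guard reports 401 (not 403) for a forged token because it cannot establish who the caller is at all.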