DEV Community

Chloe McAteer
Chloe McAteer

Posted on

Transforming Teaching with Teachingo - Update #4

#twiliohackathon #javascript

This is an update on our #TwilioHackathon project progress - you can see the original post here:

chloemcateer3

Transforming Teaching with Teachingo - #TwilioHackathon Submission

Chloe McAteer ・ Apr 6 '20 ・ 4 min read

#twiliohackathon #javascript #node #react

Authentication

Brooklyn Nine Nine, Gina's Face ID!

Because the software is going to be used by schools it needs to be secure - for this we wanted to ensure that not just anyone can access it and join any lesson! We wanted to set up accounts for students and teachers to ensure that only the students that belong to that particular class can access it.

Keeping passwords secure

Of course we didn't want to store the users password directly in the database, because if the passwords where stored in plain text, it would mean that if anyone, either an attacker or a developer carrying out maintenance on the database would be able to see exactly what people have set as their passwords and so the security of the system would be breached.

To overcome this we wanted some way of salting and hashing them. For this we decided to use Bcrypt - due to some previous experience using it.

Brooklyn Nine Nine, Terry's passwords!

As soon as a user creates an account, I use Bcrypt to salt & hash the password and then store the hashed version of the password in the database. Then once a user tries to log in we can use the Bcrypt .compare() function to compare the password the user entered with the hashed version from the database to authenticate them.

Handling User Sessions

As an extra layer of security, to ensure that users have been authenticated to use the applications services, the project creates user session tokens when the user logs in. To facilitate this, we decided to utilise JSON Web Tokens (JWT). Doing so ensures that no one can bypass login and access the services pages by changing the URL or hit the backend API directly.

Once a user successfully logs in, a session token is created for them and this token is sent with each request the user sends. Once the request is being handled, we do a check for two things - one, is the token valid and two, has the token expired. If these checks pass the request is carried out, however if it fails, a 401 error is thrown as the user is not authorised!

profile
Sentry
 Promoted

Sentry blog image

How I fixed 20 seconds of lag for every user in just 20 minutes.

Our AI agent was running 10-20 seconds slower than it should, impacting both our own developers and our early adopters. See how I used Sentry Profiling to fix it in record time.

Read more

Top comments (0)

profile
AWS
 Promoted

AWS Security LIVE!

Join us for AWS Security LIVE!

Discover the future of cloud security. Tune in live for trends, tips, and solutions from AWS and AWS Partners.

Learn More

Read next

arindam_1729 profile image

7 Must-Try Open-Source Tools for Python and JavaScript Developers 🚀

Arindam Majumder -

sharathchandark profile image

Build an Advanced Image Editor with HTML, CSS & JavaScript - Filters, Cropping, and More

sharathchandark -

hanzla-baig profile image

🚀⚙️ JavaScript Visualized: the JavaScript Engine

Hanzla Baig -

sharathchandark profile image

Build a Single Page Application (SPA) Using HTML, CSS & JavaScript - No Frameworks Needed

sharathchandark -

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay