DEV Community: Adewunmi Oladele The latest articles on DEV Community by Adewunmi Oladele (@adewunmioladele). https://dev.to/adewunmioladele https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1698068%2F5ef4c580-5004-440a-8cf0-faf0487bf521.png DEV Community: Adewunmi Oladele https://dev.to/adewunmioladele en Building a Scalable Authentication System: My Journey and Insights Adewunmi Oladele Fri, 28 Jun 2024 08:44:10 +0000 https://dev.to/adewunmioladele/building-a-scalable-authentication-system-my-journey-and-insights-131k https://dev.to/adewunmioladele/building-a-scalable-authentication-system-my-journey-and-insights-131k <p>Authentication is a fundamental aspect of backend development, ensuring that users can securely access their accounts. In this blog, I’ll share my experience building a scalable authentication system and the challenges I overcame. This journey is part of my adventure with the HNG Internship, a program that I am excited to be a part of.</p> <h3> The Problem </h3> <p>In a recent project, I needed to develop an authentication system that could handle a large number of users and provide secure, reliable access. The system had to support multiple authentication methods, including username/password, OAuth, and two-factor authentication (2FA).</p> <h3> Step-by-Step Solution </h3> <h4> Step 1: Choosing the Right Technology Stack </h4> <p>The first step was to select the appropriate technology stack. I chose Node.js for its scalability and Express.js for building the RESTful API. For the database, I used MongoDB, which offered flexibility and scalability for storing user data.</p> <h4> Step 2: Implementing User Registration and Authentication </h4> <p>I started by implementing the user registration and authentication endpoints. I used bcrypt for hashing passwords and JWT (JSON Web Tokens) for generating and validating authentication tokens. This ensured secure handling of user credentials.</p> <p><strong>User Registration Code Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./models/User</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Mongoose User model</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/register</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newUser</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">User</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">newUser</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">User registered successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error registering user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">username</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid password</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">your_jwt_secret</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Error logging in</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server running on port 3000</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h4> Step 3: Integrating OAuth </h4> <p>To support social logins, I integrated OAuth using Passport.js. This allowed users to log in using their Google, Facebook, or GitHub accounts. Passport.js provided a straightforward way to handle OAuth authentication flows.</p> <p><strong>OAuth Integration Code Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">passport</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">passport</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">GoogleStrategy</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">passport-google-oauth20</span><span class="dl">'</span><span class="p">).</span><span class="nx">Strategy</span><span class="p">;</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="k">new</span> <span class="nc">GoogleStrategy</span><span class="p">({</span> <span class="na">clientID</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_GOOGLE_CLIENT_ID</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_GOOGLE_CLIENT_SECRET</span><span class="dl">'</span><span class="p">,</span> <span class="na">callbackURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/auth/google/callback</span><span class="dl">'</span> <span class="p">},</span> <span class="p">(</span><span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">profile</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOrCreate</span><span class="p">({</span> <span class="na">googleId</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="p">});</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/google</span><span class="dl">'</span><span class="p">,</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">scope</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">]</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/auth/google/callback</span><span class="dl">'</span><span class="p">,</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">failureRedirect</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <h4> Step 4: Adding Two-Factor Authentication </h4> <p>To enhance security, I added two-factor authentication (2FA) using the TOTP (Time-Based One-Time Password) algorithm. I implemented this with the help of the speakeasy library, which generated and validated TOTP codes. This added an extra layer of security for users.</p> <p><strong>2FA Code Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">speakeasy</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">speakeasy</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">qrcode</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">qrcode</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/2fa/setup</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">speakeasy</span><span class="p">.</span><span class="nf">generateSecret</span><span class="p">({</span> <span class="na">length</span><span class="p">:</span> <span class="mi">20</span> <span class="p">});</span> <span class="nx">qrcode</span><span class="p">.</span><span class="nf">toDataURL</span><span class="p">(</span><span class="nx">secret</span><span class="p">.</span><span class="nx">otpauth_url</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data_url</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">base32</span><span class="p">,</span> <span class="na">qrCode</span><span class="p">:</span> <span class="nx">data_url</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/2fa/verify</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">secret</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">verified</span> <span class="o">=</span> <span class="nx">speakeasy</span><span class="p">.</span><span class="nx">totp</span><span class="p">.</span><span class="nf">verify</span><span class="p">({</span> <span class="nx">secret</span><span class="p">,</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">'</span><span class="s1">base32</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">verified</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">2FA token is valid</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">2FA token is invalid</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h4> Step 5: Ensuring Scalability and Performance </h4> <p>To ensure the authentication system could handle high traffic, I implemented rate limiting and caching. I used Redis for caching authentication tokens and rate limiting to prevent brute-force attacks. This helped maintain performance and security under heavy load.</p> <p><strong>Rate Limiting and Caching Code Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">RedisStore</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate-limit-redis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">redis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">createClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">client</span><span class="p">,</span> <span class="p">}),</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// limit each IP to 100 requests per windowMs</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests, please try again later.</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">limiter</span><span class="p">);</span> </code></pre> </div> <h3> The Result </h3> <p>The authentication system was robust, scalable, and secure. It handled a large number of users efficiently and provided multiple authentication methods, enhancing the overall user experience.</p> <h3> Why HNG Internship? </h3> <p>The HNG Internship offers a fantastic opportunity to work on challenging projects, learn from industry experts, and collaborate with talented developers. This experience is invaluable for anyone looking to advance their career in backend development. Learn more about the HNG Internship on their <a href="https://hng.tech/internship">official website</a> and see how they <a href="https://hng.tech/hire">hire talented developers</a>.</p> <h3> Conclusion </h3> <p>Building a scalable authentication system is crucial for any application. My journey with the HNG Internship has just begun, and I am excited about the opportunities and challenges ahead. Thank you for reading, and I hope my experience helps you in your own authentication system projects.</p> beginners programming career learning