DEV Community

Cover image for Authentication and  Authorization using AccessTokens - RefreshTokens | Part 1
Manish Kumar Sahu
Manish Kumar Sahu

Posted on • Updated on

Authentication and Authorization using AccessTokens - RefreshTokens | Part 1

Authentication VS Authorization

Many people mismatch these terms, but they are two different things.


This is a process of validating the user that sends the request to the server is the same as the one that logged in. This is generally done by checking the password, OTP, biometrics, etc.


This is a process of giving permission and access to a specific resource or function. This is generally done by using tokens sent from auth server to the client.

I will be using MERN (MongoDB, Express, React, NodeJS) stack to show the implementation of authentication and authorization


So, the first step of authentication is to encrypt the the user credentials or resources which are very much private and important, like passwords.

Let's say we have a userSchema using mongoose.
We cannot just store plain passwords in the database, so for hashing, we can use crypto. It is an inbuilt module that comes with nodeJS.

  • First of all, we made two methods
    1. To authenticate or check if the password is correct or not.
    2. To hash the password.
  • Then we made a virtual schema to take the plain password and encrypt it using the securePassword method we made and store to store it in database.
  • After that, we can import the authenticate method to /signin route to check for the password that user passed.
const mongoose = require("mongoose");
const { createHmac } = require("crypto");

const userSchema = mongoose.Schema(
    name: {
      type: String,
      required: true,
    email: {
      type: String,
      required: true,
      unique: true,
    encrypted_password: {
      type: String,
      required: true,
  { timeStamps: true }

  .set(function (password) {
    this._password = password;
    this.encrypted_password = this.securePassword(password);
  .get(function () {
    return _password;

userSchema.methods = {
  securePassword: function (plainPassword) {
    if (!plainPassword) {
    try {
      const secret = "anySecretYouWant";
      return createHmac("sha256", secret).update(plainPassword).digest("hex");
    } catch (error) {
  authenticate: function (plainPassword) {
    return this.encrypted_password === this.securePassword(plainPassword);

module.exports = mongoose.model("User", userSchema);
Enter fullscreen mode Exit fullscreen mode
  • So basically all the passwords of the user will be stored in a hashed or encrypted format so that none of us can read it and use it directly. It is done by passing a salt (any random long string ) to mix the characters in the password.
  • To decrypt those passwords, we need only that particular salt string.
  • As salt strings can decrypt the passwords, hence it is stored in Node environment files (.env files).

Now the user is authenticated, next move on to authorization part.

cover image :

Top comments (0)