The Complete Flow

  1. Registration: User provides credentials → bcrypt hashes password → user stored in database with hashed password.
  2. Login: User provides email/password → bcrypt verifies against stored hash → JWT token generated with user ID and expiry.
  3. Protected requests: Client sends JWT in the Authorization header → middleware verifies token signature and expiry → user ID extracted for route access control.

Two-Level Security Model

Our authentication system implements both authentication (who are you?) and authorisation (what can you do?):

  • Authentication: JWT middleware verifies the user’s identity through valid tokens.
  • Authorisation: Route-level checks ensure users can only access their own data.
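The three-step flow and the two-level check above, as an added example that is not code from the original post. It substitutes PBKDF2 (standard library) for bcrypt and signs the JWT by hand with HS256 so it runs offline; the signing key, the in-memory user store and the profile-style route check are constructed assumptions.

```python
import base64, hashlib, hmac, json, os, time
# Constructed example: PBKDF2 stands in for bcrypt so this runs on the standard
# library alone; the flow (hash -> verify -> issue JWT -> check JWT) is unchanged.
SECRET = b"example-signing-key"   # assumption: real code loads this from config
DB = {}                            # constructed in-memory user store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)                     # per-user salt, as bcrypt does
    DB[email] = {"id": len(DB) + 1, "salt": salt, "hash": _hash_password(password, salt)}

def login(email: str, password: str, now=None):
    user = DB.get(email)
    if user is None or not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None                           # same answer for unknown user and bad password
    now = int(time.time()) if now is None else now
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": user["id"], "exp": now + 3600}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now=None):
    parts = token.split(".")                  # middleware step: signature first, then expiry
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()  # alg in the header is ignored; the server fixes HS256
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))      # only trusted after the signature check
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def get_profile(token: str, requested_user_id: int) -> int:
    uid = verify_token(token)                 # authentication: who are you?
    if uid is None:
        return 401
    if uid != requested_user_id:              # authorisation: only your own record
        return 403
    return 200
```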