Authentication
Overview
Authentication proves who the user is and determines how the app should establish trust.
Why It Matters
Auth failures break access, create support load, and can expose sensitive flows to the wrong users.
Core Concepts
- Authentication is identity proof.
- Authorization is permission to do something.
- Sessions, tokens, cookies, and middleware each solve different parts of the flow.
Mental Models
Trace the full login path, including redirects, persistence, expiration, and refresh.
Best Practices
- Keep auth state centralized.
- Handle expired sessions gracefully.
- Test protected and public routes.
Common Mistakes
- Confusing auth with permissions.
- Storing sensitive tokens carelessly.
- Forgetting server and client boundary effects.
Trade-offs
Cookie-based sessions simplify some flows, while token-based systems can be better for certain APIs and clients.
Decision Framework
| Flow | Check |
|---|---|
| Sign in | Credentials, redirect, session creation |
| Protected page | Auth check and redirect behavior |
| Expired session | Refresh or re-auth path |
Examples
- Fix a redirect loop in middleware by checking the session source used by both server and client.
- Redirect unauthenticated users before rendering protected data.
Checklists
- Does sign-in land on the right page?
- Are expired sessions handled cleanly?
- Are protected routes blocked at the right layer?
Senior Engineer Notes
Senior engineers treat auth as a system flow, not a single login component. Small inconsistencies across layers become user-facing bugs quickly.