03-frontend

Authentication

03-frontend/authentication

Authentication

Overview

Authentication proves who the user is and determines how the app should establish trust.


Why It Matters

Auth failures break access, create support load, and can expose sensitive flows to the wrong users.


Core Concepts

  • Authentication is identity proof.
  • Authorization is permission to do something.
  • Sessions, tokens, cookies, and middleware each solve different parts of the flow.

Mental Models

Trace the full login path, including redirects, persistence, expiration, and refresh.


Best Practices

  • Keep auth state centralized.
  • Handle expired sessions gracefully.
  • Test protected and public routes.

Common Mistakes

  • Confusing auth with permissions.
  • Storing sensitive tokens carelessly.
  • Forgetting server and client boundary effects.

Trade-offs

Cookie-based sessions simplify some flows, while token-based systems can be better for certain APIs and clients.


Decision Framework

FlowCheck
Sign inCredentials, redirect, session creation
Protected pageAuth check and redirect behavior
Expired sessionRefresh or re-auth path

Examples

  • Fix a redirect loop in middleware by checking the session source used by both server and client.
  • Redirect unauthenticated users before rendering protected data.

Checklists

  • Does sign-in land on the right page?
  • Are expired sessions handled cleanly?
  • Are protected routes blocked at the right layer?

Senior Engineer Notes

Senior engineers treat auth as a system flow, not a single login component. Small inconsistencies across layers become user-facing bugs quickly.


Further Reading