Authorisation and Obfuscation

Authorisation is like role management. Suppose you have a blogging system with two roles, or two kinds of user: an Admin User and a Normal User. A Normal User can only read blogs and add a comment or a like, while an Admin User can edit blogs. For that we need to check whether the user is Admin or Normal at login. Right, let's check how we can do that in a better way.

Authentication is the process of recognising a user's identity; it does not check what kind of privilege the user has. Authorisation is about what privileges or permissions the user has. In the example, login checks Authentication and each particular feature checks Authorisation.

Different frameworks have differing conventions for when and where to check for proper access. Some frameworks have filters or voters, but most have middleware. In most systems, you may simply use the constructors of your controllers. In Express, middleware is recommended. The following is a hypothetical example. Your exact implementation will vary.

Check User Authentication

Check Authorisation

Check Admin User or Normal User

Let's check it for all blog features like edit, delete and others.

Routes, and which user can perform a particular task
editor User

Obfuscation

Obfuscation is not like encryption, but it makes something hard to understand. Let's understand it with an example. Suppose a company provides a time-slot booking service to its customers. It is not the same for every company: each company wants different time slots and has different opening hours, so we need different settings for each company, and we store those settings against the company ID. In this case we cannot use authentication, because the end user of our company's customer is new to the slot-booking page, and our customer also does not know who is booking the service. If we use the company ID as a plain number, any user can change the ID and see another company's settings, so we can convert that number to a string so the user cannot easily work out what another company's ID string is.

Here we take our previous example.

Normal case

You could do:

With obfuscation

In this example, the hashids.decode() call simply takes a pre-existing security hash from your server and applies it to the passed hash to determine the ID. The same call can be made in reverse to generate a hash. Here's a demo of both operations:

In this case the user can use this module to decode and encode. You can also write your own logic and do the same without a node module.
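As an added example that is not part of the original post, the following puts the post's two checks (authentication, then per-feature authorisation for the Admin and Normal roles) and its ID obfuscation together in Express-style middleware. The session table, the permission table, runChain() and the shuffled alphabet are constructed assumptions, and obfuscateId()/deobfuscateId() stand in for hashids.encode()/decode() so the block runs without the module.

```javascript
// Constructed session store: in a real app req.user comes from your session or JWT layer.
const SESSIONS = {
  'tok-admin': { id: 1, role: 'admin' },
  'tok-user': { id: 2, role: 'normal' },
};

// Which roles may use each blog feature (the post's two roles).
const PERMISSIONS = {
  read: ['admin', 'normal'],
  comment: ['admin', 'normal'],
  like: ['admin', 'normal'],
  edit: ['admin'],
  delete: ['admin'],
};

// Authentication: who is the caller? 401 when there is no valid session.
function requireAuth(req, res, next) {
  const user = SESSIONS[req.headers.authorization];
  if (!user) return res.status(401).send('login required');
  req.user = user;
  next();
}

// Authorisation: may this identity use this feature? 403 when the role is not listed.
function requireFeature(feature) {
  return (req, res, next) => {
    const allowed = PERMISSIONS[feature] || [];
    if (!allowed.includes(req.user.role)) return res.status(403).send('forbidden');
    next();
  };
}

// Minimal stand-in for the Express chain, so the middleware can be exercised offline.
// Returns the status code the request would end with (200 = all checks passed).
function runChain(middlewares, req) {
  const res = { code: 200, status(c) { this.code = c; return this; }, send() { return this; } };
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res.code;
}

// Stand-in for hashids: base conversion over a constructed, shuffled alphabet.
// Reversible by design, exactly like hashids; the alphabet plays the role of the salt.
const ALPHABET = 'k9mXqT3aZ7pW2vLnB8cF4dH6gJ5sY';
function obfuscateId(n) {
  let s = '';
  do { s = ALPHABET[n % ALPHABET.length] + s; n = Math.floor(n / ALPHABET.length); } while (n > 0);
  return s;
}
function deobfuscateId(s) {
  return [...s].reduce((acc, ch) => acc * ALPHABET.length + ALPHABET.indexOf(ch), 0);
}
```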

Continue to CSRF issue, Race Condition and Update package …

Developer, Pentester