Implement strong authentication and authorization

Implement Strong Authentication and Authorization

Strong authn and authz prevent unauthorized access to personal data and limit the blast radius when accounts or keys are compromised. Build on proven standards, enforce least privilege, and make every access decision auditable.

Authentication Fundamentals

• Use a standards-based identity layer such as OIDC with OAuth 2.0.

• Store passwords with Argon2id or bcrypt and require email verification.

• Enforce a password policy and prevent credential stuffing with rate limits.

// Node example: Argon2id hashing
import argon2 from "argon2";
const hash = await argon2.hash(password, {
  type: argon2.argon2id,
  memoryCost: 19456,
  timeCost: 2,
  parallelism: 1
});
const ok = await argon2.verify(hash, inputPassword);

Multi-Factor Authentication

• Require MFA for admins and high-risk actions.

• Support TOTP and WebAuthn passkeys to reduce phishing risk.

• High-risk actions: change email, export data, delete account, view bulk reports.

• Policy: force MFA step-up if the last MFA was > 12 hours ago or the device is new.

Sessions and Tokens

• Prefer short-lived access tokens with refresh rotation.

• Validate issuer, audience, expiry, and signature for every token.

• For cookie sessions, set HttpOnly, Secure, SameSite=Lax or Strict, and bind to the user agent where feasible.

// Example cookie flags
res.cookie("sid", value, {
  httpOnly: true,
  secure: true,
  sameSite: "Lax",
  maxAge: 30 * 60 * 1000
});

Authorization Patterns

• Default-deny and check permissions at every boundary.

• Combine RBAC for simplicity with ABAC checks for ownership and context.

-- Minimal RBAC schema
CREATE TABLE roles (id serial primary key, name text unique);
CREATE TABLE permissions (id serial primary key, name text unique);
CREATE TABLE role_permissions (
  role_id int references roles,
  perm_id int references permissions,
  primary key (role_id, perm_id)
);
CREATE TABLE user_roles (
  user_id uuid,
  role_id int references roles,
  primary key (user_id, role_id)
);

// Express middleware: require permission and resource ownership
function authorize(perm) {
  return async (req, res, next) => {
    const allowed = await hasPermission(req.user.id, perm);
    const owns = await resourceOwnedBy(req.params.id, req.user.id);
    if (!allowed || !owns) return res.status(403).end();
    next();
  };
}
app.get("/reports/:id", requireAuth, authorize("report.read"), handler);

Service-to-Service Trust

• Use mTLS or OAuth 2.0 client credentials between services.

• Pin and rotate service keys with a KMS and verify JWT audience per service.

# Env points to JWKS URL per issuer
AUD="billing"
ISS="https://auth.example.com"

# Validate iss, aud, exp, nbf in the gateway before routing

Secrets and Key Management

• Keep secrets in a managed vault and never in source control.

• Rotate keys regularly and scope each key to the minimum needed action.

# Rotate and version secrets
vault kv put app/prod/api KEY_VERSION=12 VALUE=$(openssl rand -hex 32)

Abuse and Account Security

• Rate limit login, sign-up, and password reset endpoints.

• Lock accounts temporarily on repeated failures and send alerts on unusual sign-ins.

• Restrict admin consoles by IP allowlist or require a VPN.

# Simple rate limit
limit_req_zone $binary_remote_addr zone=logins:10m rate=5r/m;
location /login {
  limit_req zone=logins burst=10 nodelay;
  proxy_pass http://app;
}

Auditing and Lifecycle

• Log authentication events and authorization decisions with user, action, resource, and outcome.

• Automate provisioning and offboarding. Remove access when roles change.

CREATE TABLE access_audit (
  at timestamptz default now(),
  user_id uuid,
  action text,
  resource text,
  decision text,
  reason text
);

Quick Authn and Authz Checklist

• Use OIDC and hash passwords with Argon2id or bcrypt

• Enforce MFA for admins and step-up for high-risk actions

• Set short-lived tokens and secure cookie flags with rotation

• Apply default-deny with RBAC plus ownership checks

• Protect service calls with mTLS or OAuth client credentials and key rotation

• Rate limit auth endpoints and log all access decisions for audit

Conclusion

Robust authentication and precise authorization keep personal data accessible only to the right identities at the right time. By standardizing on proven protocols, enforcing least privilege, and recording every decision, you reduce breach impact, simplify audits, and meet GDPR and CPRA expectations for security and accountability.