> For the complete documentation index, see [llms.txt](https://tmdarneille.gitbook.io/seirfx/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://tmdarneille.gitbook.io/seirfx/unit-2/express-auth/theory.md).

# Auth in Theory

## Objectives

* Utilize sessions to remember users between page loads
* Utilize bcrypt to hash passwords
* Utilize hooks and validations to hash passwords and verify data
* Utilize class/instance methods to authenticate users
* Utilize middleware to authorize users on each page request

Authentication is a complex concept that involves using many of the concepts you've already learned and several new concepts. An authentication system allows the registration / signup of new users and allows those users to sign in.

### Authentication vs. Authorization

* **Authentication:** Proving that a user is valid
  * Providing a username and password is a method of proving user validity
* **Authorization:** The rules that allow a user to perform actions
  * Admins may be authorized to delete users, while regular users cannot delete other users

### Creating Authentication

To facilitate creating an authentication system, we need to create the following:

* `GET /auth/signup`  - form where the user can register
* `POST /auth/signup`  - route to create a user in the database
* `GET /auth/login` - form where users can login
* `POST /auth/login` - validate the users e-mail and password
* A user model/table to store user data

All of the above we've already learned how to do in the past couple weeks.

Additionally, we need to:

* Hash the user's password
* Create a session to remember a user between page loads
* Create a way to easily check if the user is logged in
* Deny the user access to certain pages if they aren't logged in

To do this we need to learn some new concepts.
