20th August 2020 at 2:19pm


Authentication and authorization are often implemented in the same authentication system.

  • Authentication means verifying identity, usually the process of a user logging in with a username and password
  • Authorization means granting permission: whether a user is allowed to perform an operation, access a resource, and so on

I know very little about authorization. For now it seems authentication and authorization may not be closely related. I may split these two topics later.


  • Register:
    • Username and email validation
    • Password strength requirement
    • Email / username normalization
    • Password hashing
  • Reset password:
    • The user's current password should be made unusable
  • Login:
    • Throttle login attempts
  • Change / reset password:
    • Invalidate existing sessions
    • New password should not be the same as the old
  • No request after a specific time (e.g. 1 day)
    • Invalidate session
  • Suspected that some users' passwords have been leaked / accounts compromised
    • Batch reset passwords
  • Authentication system implementation in Single-page Application
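The checklist above as a single runnable example. This is an added illustration, not code from the note's author: a small in-memory authentication service (in-memory dicts standing in for a database) that implements registration normalization and validation, password hashing with PBKDF2-HMAC-SHA256 from the standard library, login throttling, making the password unusable while a reset is pending, invalidating sessions on password change and on idle timeout, and batch reset. The limits (5 failed attempts per 15 minutes, 1 day idle timeout, 12-character minimum) and the reduced PBKDF2 iteration count are assumed demo values; the `clock` parameter exists so the time-dependent rules can be exercised deterministically.

```python
"""Added example (not the note author's code): minimal in-memory auth service
covering the checklist: normalization/validation, hashing, throttling, unusable
password during reset, session invalidation, idle timeout, batch reset."""
import hashlib
import hmac
import re
import secrets
import time

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PBKDF2_ITERATIONS = 100_000  # demo value; use current OWASP guidance in production
MAX_FAILED = 5               # assumed: failed logins allowed per window
FAIL_WINDOW = 15 * 60        # assumed: 15 minute throttling window (seconds)
MAX_IDLE = 24 * 60 * 60      # "no request after 1 day" -> invalidate session


def normalize(value):
    """Email / username normalization: trim and lowercase."""
    return value.strip().lower()


def check_strength(password, username):
    """Password strength requirement (assumed policy: >= 12 chars, != username)."""
    if len(password) < 12:
        raise ValueError("password too short")
    if normalize(password) == username:
        raise ValueError("password must differ from username")


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; stored as salt || derived key."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + dk


def verify_password(stored, password):
    """Constant-time check; a stored value of None means 'unusable password'."""
    if stored is None:
        return False
    salt, dk = stored[:16], stored[16:]
    return hmac.compare_digest(
        dk, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS))


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}         # username -> {"email": str, "pw": bytes | None}
        self.sessions = {}      # session token -> {"user": str, "last_seen": float}
        self.failures = {}      # username -> [timestamps of failed logins]
        self.reset_tokens = {}  # reset token -> username

    def register(self, username, email, password):
        username, email = normalize(username), normalize(email)
        if not USERNAME_RE.match(username):
            raise ValueError("invalid username")
        if not EMAIL_RE.match(email):
            raise ValueError("invalid email")
        if username in self.users or any(u["email"] == email for u in self.users.values()):
            raise ValueError("username or email already taken")
        check_strength(password, username)
        self.users[username] = {"email": email, "pw": hash_password(password)}

    def login(self, username, password):
        username, now = normalize(username), self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < FAIL_WINDOW]
        if len(recent) >= MAX_FAILED:          # throttle login attempts
            raise PermissionError("too many attempts")
        user = self.users.get(username)
        if user is None or not verify_password(user["pw"], password):
            self.failures[username] = recent + [now]
            raise PermissionError("bad credentials")
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "last_seen": now}
        return token

    def touch_session(self, token):
        """Return the session's user, or None if unknown or idle for > MAX_IDLE."""
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > MAX_IDLE:
            del self.sessions[token]           # idle too long: invalidate
            return None
        session["last_seen"] = now
        return session["user"]

    def _invalidate_sessions(self, username):
        for tok in [t for t, s in self.sessions.items() if s["user"] == username]:
            del self.sessions[tok]

    def change_password(self, username, old, new):
        user = self.users[normalize(username)]
        if not verify_password(user["pw"], old):
            raise PermissionError("bad credentials")
        if verify_password(user["pw"], new):   # new must differ from old
            raise ValueError("new password must differ from the old one")
        check_strength(new, normalize(username))
        user["pw"] = hash_password(new)
        self._invalidate_sessions(normalize(username))

    def start_reset(self, username):
        """Mark the password unusable and issue a one-time reset token."""
        username = normalize(username)
        self.users[username]["pw"] = None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        return token

    def complete_reset(self, token, new):
        username = self.reset_tokens.pop(token)  # one-time use
        check_strength(new, username)
        self.users[username]["pw"] = hash_password(new)
        self._invalidate_sessions(username)

    def batch_reset(self, usernames):
        """Suspected leak: force a reset for every listed account at once."""
        return {u: self.start_reset(u) for u in usernames}
```

The failure counter is keyed by username rather than client address, so it also limits guessing against a known account from many sources; a real deployment would combine both and add a per-IP limit. Storing `None` for an unusable password mirrors the "reset password" item: between starting and completing the reset, no password verifies, and any session still open is removed when the reset completes.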

Resources (and to-reads)