Vict Ecom 2: Auth

04/07/2024

Introduction
In late March I was fortunate enough to interview with my dream company, where I was able to discuss one of our current projects, the e-commerce website. Shortly after the interview, I began to research and learn more about implementing middleware and using server-based authentication to further increase the security of our platform. In building out our e-commerce project, we decided to skip a week of development to focus on researching and implementing new authentication processes. In this week’s article, I will discuss our transition from JSON Web Tokens (JWT) to session-based authentication, as well as some front-end improvements to create a better user experience.

Server-Side Authentication
To deepen our understanding of session-based authentication, we dedicated two days to researching articles and resources on the subject. Through this investigation, I gained insight into its advantages. One key benefit is that session data is stored on the server, which gives us greater control over session expiration and session management in general. Keeping this data server-side also contributes to security: the browser holds only a session identifier rather than the session data itself, reducing the risk from client-side attacks like Cross-Site Scripting (XSS).

Implementing session-based authentication presents challenges like scalability, increased performance overhead, and complexities with Cross-Origin Resource Sharing (CORS). Scalability concerns arise because storing session data on the server increases resource utilization, making it more resource-intensive than client-side JWT storage. The server's need to fetch session data for each request can add latency, impacting performance. However, optimizing the session store and enhancing platform efficiency can help offset these issues. Additionally, handling CORS becomes stricter with sessions: sending a session cookie cross-origin is quite different from simply attaching a JWT in an HTTP header, and it requires careful configuration to ensure smooth cross-origin interactions.

We consider session-based authentication essential for our e-commerce store because it enhances the user experience by maintaining a persistent state across visits. This approach ensures that cart contents, user preferences, and login status are preserved, eliminating the need for users to repeatedly authenticate on each visit. The security aspect is significantly strengthened because sensitive data, such as financial transactions and Personally Identifiable Information (PII), is managed server-side, substantially reducing the risks associated with client-side token exposure. This method not only secures user data but also improves the customer experience by enabling seamless navigation and keeping user preferences consistent across multiple devices, allowing a more personalized and secure shopping environment.

We integrated the dependencies express-session and connect-session-sequelize into our server infrastructure, leveraging their straightforward functionality. Express-session establishes and administers session middleware within Express applications, enabling consistent user data retention across multiple interactions and managing the session cookie in users' browsers. Meanwhile, connect-session-sequelize acts as a storage adapter for express-session, allowing session information to be stored in a Sequelize-compatible database, such as MySQL, which we are currently using. This module also automates the cleanup of old and unused session entries, easing the maintenance of our session data. The workflow is as follows: upon user login or session initiation, express-session generates a unique session ID and stores the session information server-side. This ID is sent as a cookie to the user's browser and simultaneously recorded in our SQL database for session tracking. The user’s subsequent requests include this session ID cookie, allowing express-session to retrieve the corresponding session details, with connect-session-sequelize fetching this data from the database. Since sessions are time-limited, connect-session-sequelize automatically removes sessions past their expiration, allowing us to keep the database clean and relevant.
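As an added illustration (not the project's own code), here is how express-session and connect-session-sequelize fit together the way the paragraph describes, with the cookie flags that keep only the session ID on the client, plus a minimal route guard of the kind a session-based AuthCheck would use. The Sequelize instance, the environment variables, and the `req.session.userId` field set at login are assumptions.

```javascript
// Builds the express-session options. `env` and `store` are supplied by the caller
// (assumption: a SESSION_SECRET env var and a connect-session-sequelize store).
function buildSessionOptions(env, store) {
  const isProd = env.NODE_ENV === 'production';
  if (!env.SESSION_SECRET || env.SESSION_SECRET.length < 32) {
    throw new Error('SESSION_SECRET must be set and at least 32 characters long');
  }
  return {
    name: 'sid',                  // avoid the default "connect.sid" cookie name
    secret: env.SESSION_SECRET,   // signs the session ID cookie
    store,                        // session data lives server-side; only the ID goes out
    resave: false,                // don't rewrite unchanged sessions on every request
    saveUninitialized: false,     // no DB row until something (e.g. login) is stored
    rolling: true,                // extend expiry while the user is active
    cookie: {
      httpOnly: true,             // not readable by page scripts (limits XSS impact)
      secure: isProd,             // HTTPS-only cookie in production
      sameSite: 'lax',            // restricts cross-site sending of the cookie
      maxAge: 2 * 60 * 60 * 1000, // 2 hours; the store sweeps expired rows
    },
  };
}

// Route guard: passes the request on only if login stored a userId in the session
// (assumption: the login handler sets req.session.userId).
function authCheck(req, res, next) {
  if (req.session && req.session.userId) return next();
  return res.status(401).json({ error: 'not authenticated' });
}

// Wires the middleware into an Express app. The requires are inside the function so
// the helpers above can be used without the packages installed.
function attachSessions(app, sequelize, env = process.env) {
  const session = require('express-session');
  const SequelizeStore = require('connect-session-sequelize')(session.Store);
  const store = new SequelizeStore({
    db: sequelize,
    checkExpirationInterval: 15 * 60 * 1000, // purge expired sessions every 15 min
    expiration: 2 * 60 * 60 * 1000,          // matches cookie.maxAge above
  });
  app.use(session(buildSessionOptions(env, store)));
  store.sync();                              // creates the Sessions table if missing
  return store;
}
```

Mount `authCheck` on the merchant, storefront, and product routes after `attachSessions(app, sequelize)` so those handlers only run for an established session.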

Day 1
After our research on the first working day, my primary task involved integrating new updates into our system's architecture. The goal was for us to transition from a JWT-based system to a session-based authentication approach across various routes, including merchants, storefronts, and product CRUD operations. To streamline this process, I utilized Postman extensively. This tool proved invaluable, allowing for rapid testing of API calls and ensuring accurate data processing within our system.

Day 2
After Jesstin implemented minor adjustments to our AuthCheck middleware, the focus of the day shifted to validating the functionality of our routes and conducting tests on various edge cases. Once the successful execution of my calls was confirmed and it was ensured that everything was correctly stored in our database, I proceeded to remove the now-redundant JWT-related code from our client-side directory, aiming to reduce file sizes.

Day 3
On the third day, I focused on the design aspect, implementing global styling to streamline our future development. Rather than defining new styles for each button individually, I developed a custom Tailwind CSS class. This class standardizes our buttons in terms of color, text weight, and hover effects, ensuring a consistent design across our platform. While this task might seem minor in the scope of progress, it is crucial for maintaining a uniform user interface, particularly given the extensive use of buttons on our website. Consistency in button design enhances user experience by providing clear and consistent visual cues. Additionally, I dedicated time to optimizing our navbar and login pages, aiming to decrease file sizes and improve overall performance.

Future Plans
Moving forward, our objectives include further improving user authentication and strategizing the management of transactions and order histories, alongside integrating "customer" logic to gain insights from a visitor's perspective on our website. In terms of security, we aim to fortify our platform by mitigating the risks of SQL injection and implementing rate limiting to thwart DoS attacks and misuse. Additionally, we plan to employ pseudonymization techniques for Personally Identifiable Information (PII) to strengthen privacy and security when storing data in our database. These measures are crucial for maintaining a secure and reliable e-commerce platform.