
Authentication & authorization

James Rhodes edited this page Mar 8, 2023 · 2 revisions

There are two distinct things most websites need to do. Authentication is about establishing who someone is (e.g. checking that their username and password are correct); authorization is about checking whether an already-identified user is allowed to do a particular thing (e.g. checking whether a user has permission to edit gigs). The two are easy to conflate, but a request can be fully authenticated and still have to be refused.

Both of these are handled by the backend. The login function is in src/auth.ts and the permissions are defined in src/lib/permissions.ts[^1]. When a user logs in, we first create a session in the database, which basically just keeps track of which user is logged in (along with a few per-device settings), and then set a cookie in their browser whose value is an encrypted version of that session's token. The browser never holds the raw token, and a cookie that has been tampered with or forged simply fails to decrypt. (Yes, I know lots of people seem to like JWTs in local storage or some similar scheme; they're wrong. Anything in local storage is readable by any script running on the page, so a single XSS bug leaks the token, whereas an HttpOnly cookie is not exposed to page scripts at all.) The magic of cookies is that they are sent with every request, so a hook can check whether the cookie matches a valid, unexpired session and then pass that session to whatever handler runs next. The flip side of "sent with every request" is that cross-site requests carry the cookie too, so the cookie needs a SameSite attribute and state-changing endpoints still need CSRF protection.
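The flow described above, written out as an added example. This is illustrative code, not the project's src/auth.ts or its hook; the in-memory user and session maps stand in for the database tables, the cookie key and user record are constructed here so it runs offline, and AES-256-GCM is assumed as the cookie encryption scheme.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed stand-in for the users table: one user with a scrypt-hashed password.
// In practice the salt and hash would be read from the database, not generated on start.
const SALT = randomBytes(16);
const users = new Map([
  ["alice", { id: "u1", hash: scryptSync("correct horse", SALT, 64), permissions: new Set(["gigs.edit"]) }],
]);

interface Session { id: string; userId: string; expiresAt: number; }
const sessions = new Map<string, Session>();          // stand-in for the sessions table

const COOKIE_KEY = randomBytes(32);                   // assumed: loaded from secret config in a real deployment
const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000;

// Authentication: verify the password against the stored hash in constant time.
function checkPassword(username: string, password: string) {
  const user = users.get(username);
  // Always run scrypt so an unknown username costs the same as a wrong password.
  const candidate = scryptSync(password, SALT, 64);
  if (!user || !timingSafeEqual(candidate, user.hash)) return null;
  return user;
}

// Seal the opaque session id for the cookie: base64url(iv || ciphertext || GCM tag).
function sealToken(sessionId: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", COOKIE_KEY, iv);
  const ct = Buffer.concat([cipher.update(sessionId, "utf8"), cipher.final()]);
  return Buffer.concat([iv, ct, cipher.getAuthTag()]).toString("base64url");
}

// Unseal a cookie value; anything forged, truncated or modified fails the GCM check and yields null.
function openToken(cookieValue: string): string | null {
  const raw = Buffer.from(cookieValue, "base64url");
  if (raw.length < 12 + 16) return null;
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(raw.length - 16);
  const ct = raw.subarray(12, raw.length - 16);
  try {
    const d = createDecipheriv("aes-256-gcm", COOKIE_KEY, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

function readSessionCookie(cookieHeader: string | undefined): string | null {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader ?? "");
  return m ? m[1] : null;
}

// login(): on success create the session row and return the Set-Cookie header value.
function login(username: string, password: string, now = Date.now()): string | null {
  const user = checkPassword(username, password);
  if (!user) return null;
  const id = randomBytes(32).toString("base64url");   // unguessable session id
  sessions.set(id, { id, userId: user.id, expiresAt: now + SESSION_TTL_MS });
  return `session=${sealToken(id)}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${SESSION_TTL_MS / 1000}`;
}

// The per-request hook: unseal the cookie, look the session up, and drop expired ones.
function resolveSession(cookieHeader: string | undefined, now = Date.now()): Session | null {
  const value = readSessionCookie(cookieHeader);
  const id = value ? openToken(value) : null;
  if (!id) return null;
  const session = sessions.get(id);
  if (!session) return null;
  if (session.expiresAt <= now) { sessions.delete(id); return null; }
  return session;
}

function logout(cookieHeader: string | undefined): void {
  const value = readSessionCookie(cookieHeader);
  const id = value ? openToken(value) : null;
  if (id) sessions.delete(id);
}

// Authorization: permissions come from the server-side user record, never from the client.
function can(session: Session | null, permission: string): boolean {
  if (!session) return false;
  for (const u of users.values()) if (u.id === session.userId) return u.permissions.has(permission);
  return false;
}

// What the browser sends back from a Set-Cookie header: just the name=value pair.
function cookieFromSetCookie(setCookie: string): string {
  return setCookie.split(";")[0];
}
```

The session id in the database is random and unguessable on its own; encrypting it for the cookie adds tamper detection (a modified cookie fails the GCM tag check before any database lookup) and keeps the raw id out of the browser. Expiry is enforced server-side in the hook rather than trusted from the cookie's Max-Age, and logout deletes the row so a stolen cookie stops working immediately.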

[^1]: And also in the database, kinda: see src/seeders/DatabaseSeeders.ts for the bits that are added to the database. https://github.com/CUCB/website/issues/127 has been created to fix this.
