Extra module 1 - Authentication/Authorization

Know who is knocking on the door, to decide whether to open it or not.

In a real-world system, it's a common requirement to protect its routes in such a way that access is granted only to those who should actually have it.

Let's look at our online shop, for example. Some routes probably could be accessed by anyone, without further concern, such as the ones for finding the products and categories. It's common that any person can see the products in a store without having to identify themselves first. Thus, these would be public routes.

The route to see a user's profile may have a different rule. It may require the user to be logged in so that they can see their own profile, for example. The process of presenting credentials to identify oneself to the system is called Authentication.

However, even when authenticated, a user may not have permission to see the profile of another user, or a list of all the users in the system. In this case, the authenticated user must also hold the necessary permission to access that kind of information. The process of granting or denying a user access to a resource based on their permissions is called Authorization.
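The three kinds of route described above (public, authenticated, and authorized) can be expressed as a small set of route guards. The following is an added example written for this page, not code from the course's own project: it uses a constructed in-memory user and session store, hypothetical permission names such as `users:list` and `users:read:any`, and a toy `dispatch` function standing in for a web framework's router. The important security detail it shows is that a missing or invalid credential answers 401 (authentication failed), while a valid credential without the needed permission answers 403 (authorization failed), and that "may I see this profile?" is decided per resource, not only per route.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data (hypothetical): a user table keyed by username
# and a session store mapping an opaque token to the username it belongs to.
USERS = {
    "alice": {"id": 1, "permissions": set()},
    "bob":   {"id": 2, "permissions": {"users:list", "users:read:any"}},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    path: str
    token: Optional[str] = None          # credential presented by the caller
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def authenticate(request: Request):
    """Authentication: map the presented credential to a known identity.
    Returns None when no valid credential was presented."""
    username = SESSIONS.get(request.token)
    if username is None:
        return None
    return {"username": username, **USERS[username]}


def requires_auth(handler):
    """Route guard: callers who fail authentication get 401."""
    def wrapped(request: Request):
        user = authenticate(request)
        if user is None:
            return Response(401, "authentication required")
        return handler(request, user)
    return wrapped


def requires_permission(permission: str):
    """Route guard: authenticated callers lacking `permission` get 403."""
    def decorator(handler):
        @requires_auth
        def wrapped(request: Request, user):
            if permission not in user["permissions"]:
                return Response(403, "forbidden")
            return handler(request, user)
        return wrapped
    return decorator


# Public route: anyone may browse the catalogue.
def list_products(request: Request):
    return Response(200, "products: ...")


# Authenticated route: any logged-in user may see their own profile.
@requires_auth
def my_profile(request: Request, user):
    return Response(200, f"profile of {user['username']}")


# Authorized route: listing all users needs an explicit permission.
@requires_permission("users:list")
def list_users(request: Request, user):
    return Response(200, ", ".join(USERS))


# Object-level authorization: your own profile is always readable,
# someone else's only with the `users:read:any` permission.
@requires_auth
def user_profile(request: Request, user):
    target = request.params.get("username")
    if target not in USERS:
        return Response(404, "no such user")
    if target != user["username"] and "users:read:any" not in user["permissions"]:
        return Response(403, "forbidden")
    return Response(200, f"profile of {target}")


ROUTES = {
    "/products": list_products,
    "/me": my_profile,
    "/users": list_users,
    "/profile": user_profile,
}


def dispatch(request: Request) -> Response:
    """Toy router (hypothetical): look the path up and run its handler."""
    handler = ROUTES.get(request.path)
    if handler is None:
        return Response(404, "not found")
    return handler(request)


if __name__ == "__main__":
    print(dispatch(Request("/me")).status)                      # 401: no credential
    print(dispatch(Request("/users", token="tok-alice")).status)  # 403: no permission
```

Keeping the two guards separate makes the failure modes distinguishable in logs: a burst of 401s points at credential problems, a burst of 403s at a caller probing resources beyond their role.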

Before we delve into the core subject of this module, though, we'll first look at another, related topic: Password Hashing.
