Performance: Why authorization differs from authentication
MEDIUM IMPACT
This concept affects how quickly and securely a web app verifies user identity and grants access, impacting user interaction speed and security response.
0Why authorization differs from authentication in Express - Performance Evidence
Start learning this pattern below
Jump into concepts and practice - no test required
or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Handling user access control in an Express app
Express
const authenticate = (req, res, next) => {
// Verify user identity once and cache
if (!req.user) {
return res.status(401).send('Not authenticated');
}
next();
};
const authorize = (role) => (req, res, next) => {
// Check user role separately
if (req.user.role !== role) {
return res.status(403).send('Not authorized');
}
next();
};
app.use(authenticate);
app.use('/admin', authorize('admin'));Separates authentication and authorization, caches user info, and checks roles only when needed, reducing redundant checks and speeding up responses.
π Performance GainReduces database calls per request, lowers server load, and improves INP by faster permission checks.
Handling user access control in an Express app
Express
app.use((req, res, next) => {
// Check user role on every request without caching
if (!req.user) {
return res.status(401).send('Not authenticated');
}
if (req.user.role !== 'admin') {
return res.status(403).send('Not authorized');
}
next();
});This pattern mixes authentication and authorization checks on every request without caching, causing repeated database calls and slowing response time.
π Performance CostTriggers multiple database lookups per request, increasing server response time and INP.
Performance Comparison
| Pattern | DOM Operations | Reflows | Paint Cost | Verdict |
|---|---|---|---|---|
| Mixed auth checks on every request | N/A (server-side) | N/A | N/A | [X] Bad |
| Separate auth and role checks with caching | N/A (server-side) | N/A | N/A | [OK] Good |
Rendering Pipeline
Authentication and authorization happen before rendering content, affecting how quickly the server responds and the browser can paint the page.
βServer Processing
βNetwork Response
βBrowser Rendering
β οΈ BottleneckServer Processing due to repeated identity and permission checks
Core Web Vital Affected
INP
This concept affects how quickly and securely a web app verifies user identity and grants access, impacting user interaction speed and security response.
Optimization Tips
1Separate authentication (who you are) from authorization (what you can do).
2Cache authentication results to avoid repeated identity checks.
3Perform authorization checks only when necessary to reduce server load.
Performance Quiz - 3 Questions
Test your performance knowledge
What is the main difference between authentication and authorization in terms of performance?
DevTools: Network
How to check: Open DevTools, go to Network tab, observe response times for authenticated routes, and check if repeated calls delay responses.
What to look for: Look for long server response times or repeated authentication calls indicating inefficient checks.
Practice
1. In Express apps, what is the main difference between
authentication and authorization?easy
Solution
Step 1: Understand authentication purpose
Authentication confirms the user's identity, like logging in.Step 2: Understand authorization purpose
Authorization decides what resources or actions the authenticated user can access.Final Answer:
Authentication verifies who the user is; authorization checks what they can access. -> Option BQuick Check:
Authentication = identity, Authorization = permissions [OK]
Hint: Authentication = who, Authorization = what they can do [OK]
Common Mistakes:
- Confusing authentication with authorization
- Thinking both check the same thing
- Assuming authorization happens before authentication
2. Which Express middleware is typically used for
authentication?easy
Solution
Step 1: Identify authentication middleware
Passport.js is a popular Express middleware for handling authentication.Step 2: Check other options
express.static serves files, express.json parses JSON, cors handles cross-origin requests, none handle authentication.Final Answer:
passport.authenticate() -> Option AQuick Check:
passport.authenticate() = authentication middleware [OK]
Hint: Passport is for authentication in Express [OK]
Common Mistakes:
- Choosing express.static for authentication
- Confusing cors with authentication
- Not knowing passport middleware
3. Consider this Express route snippet:
What status code will be sent if a logged-in user is not an admin?
app.get('/dashboard', (req, res) => {
if (!req.user) {
return res.status(401).send('Not authenticated');
}
if (!req.user.isAdmin) {
return res.status(403).send('Not authorized');
}
res.send('Welcome Admin');
});What status code will be sent if a logged-in user is not an admin?
medium
Solution
Step 1: Check authentication condition
The code checks ifreq.userexists; if not, sends 401 (unauthenticated).Step 2: Check authorization condition
If user exists butisAdminis false, sends 403 (forbidden, unauthorized).Final Answer:
403 -> Option CQuick Check:
Authenticated but not authorized = 403 [OK]
Hint: 401 = no login, 403 = no permission [OK]
Common Mistakes:
- Mixing 401 and 403 status codes
- Assuming 200 is sent without admin rights
- Ignoring the authorization check
4. This Express middleware aims to protect routes:
What is the bug here?
function checkAdmin(req, res, next) {
if (!req.user.isAdmin) {
res.status(401).send('Unauthorized');
}
next();
}What is the bug here?
medium
Solution
Step 1: Analyze req.user usage
The code accessesreq.user.isAdminwithout checking ifreq.userexists, risking a runtime error.Step 2: Check other issues
While 403 is better for authorization failure, the main bug is possible crash from undefinedreq.user.Final Answer:
req.user might be undefined causing an error -> Option AQuick Check:
Always check req.user exists before properties [OK]
Hint: Check req.user exists before isAdmin [OK]
Common Mistakes:
- Ignoring possible undefined req.user
- Confusing 401 and 403 status codes
- Not returning after sending response
5. You want to protect an Express route so only authenticated users with role 'editor' or 'admin' can access it. Which middleware logic correctly implements this authorization check?
hard
Solution
Step 1: Check authentication and authorization together
The middleware must first confirmreq.userexists (authenticated), then check if role is 'editor' or 'admin'.Step 2: Analyze each option
if (!req.user || (req.user.role !== 'editor' && req.user.role !== 'admin')) { res.status(403).send('Forbidden'); } else { next(); } correctly denies access if no user or role not allowed, sending 403 Forbidden. Others have logic errors or wrong status codes.Final Answer:
if (!req.user || (req.user.role !== 'editor' && req.user.role !== 'admin')) { res.status(403).send('Forbidden'); } else { next(); } -> Option DQuick Check:
Check user exists AND role allowed for authorization [OK]
Hint: Check user exists AND role matches before next() [OK]
Common Mistakes:
- Not checking if user is authenticated first
- Using wrong status codes (401 vs 403)
- Incorrect logical operators in role check