
Why authorization differs from authentication in Express - Visual Breakdown

Concept Flow - Why authorization differs from authentication
User sends credentials -> Authentication: verify identity -> Yes / No
  No  -> Reject (401)
  Yes -> Authorization: check permissions -> Access denied (403) / access granted
User first proves who they are (authentication). Then the system checks what they can do (authorization).
Execution Sample
Express
app.post('/login', (req, res) => {
  const user = authenticate(req.body);
  if (!user) return res.status(401).send('Login failed');
  if (!authorize(user, 'admin')) return res.status(403).send('Access denied');
  res.send('Welcome admin');
});
This code checks user identity first, then checks if user has admin rights.
Execution Table
Step | Action                 | Input                    | Result                            | Next Step
1    | Receive login request  | {username, password}     | Credentials received              | Authenticate user
2    | Authenticate user      | {username, password}     | User object or null               | If user is null, reject; else authorize
3    | Check if user exists   | User object or null      | User found? Yes or No             | If No, send 401; if Yes, check authorization
4    | Authorize user         | User object, role='admin'| Has admin rights? Yes or No       | If No, send 403; if Yes, grant access
5    | Send response          | Authorization result     | Access granted or denied message  | End
💡 Execution stops after sending response based on authentication and authorization results.
Variable Tracker
Variable | Start | After Step 2        | After Step 4 | Final
user     | null  | User object or null | User object  | User object or null
Key Moments - 2 Insights
Why do we check authentication before authorization?
Because authorization depends on knowing who the user is. The execution_table shows authentication happens first (Step 2), and only if successful do we check authorization (Step 4).
Can authorization happen without authentication?
No, because without confirming identity (authentication), the system cannot decide permissions. The flow in concept_flow and execution_table confirms authorization only happens after authentication success.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what happens if authentication fails at Step 3?
A. Send 403 Access denied response
B. Send 401 Login failed response
C. Grant access immediately
D. Proceed to authorization
💡 Hint
Check Step 3 and Step 2 results in execution_table for authentication failure.
At which step does the system check if the user has admin rights?
A. Step 4
B. Step 3
C. Step 2
D. Step 5
💡 Hint
Look at the 'Action' column in execution_table for authorization check.
If the user is authenticated but not authorized, what response is sent?
A. Welcome admin
B. Login failed
C. Access denied
D. No response
💡 Hint
See Step 4 and Step 5 in execution_table for authorization denial.
Concept Snapshot
Authentication means checking who you are.
Authorization means checking what you can do.
Authentication happens first, then authorization.
Failing authentication stops access immediately.
Authorization depends on successful authentication.
Full Transcript
This visual execution shows how authentication and authorization differ in an Express app. First, the user sends credentials. The system authenticates by verifying identity. If authentication fails, it sends a 401 error and stops. If successful, it checks authorization to see if the user has permission, like admin rights. If authorization fails, it sends a 403 error. If both pass, access is granted. The 'user' variable changes as the code runs. This step-by-step flow helps understand why authentication must come before authorization.