Authentication happens many times a day without us even realizing. In this walk down Authentication Avenue, Kevin answers "What does authentication mean?"
Speaker 0: Hey there, developers, and welcome to authentication avenue. Ever wonder how your favorite apps know it's really you trying to log in? Well, today we're diving into authentication, the digital world's way of checking your ID. Let's imagine we're at our local library. When you want to borrow books, you need a library card.
But getting that card isn't as simple as just walking in and saying, hey, I'm Kevin. Here's what actually happens. First, you fill out an application with your information. That's you claiming who you are. Then you show your ID or proof of address.
That's you proving that you are really you. And only after verifying your identity does the librarian give you your very own library card. Now, every time you come back to borrow books, you show that library card. The librarian can check their system and confirm it's a valid card that actually belongs to you. And that's exactly how authentication works in the digital world.
When you log in to your favorite app, you don't just type in your email and poof, you're in. Just like at the library, you need something to prove it's really you with something only you would know, your password. Now, in the developer world, authentication is like that library card system. When users try to access their private data or personal settings, authentication verifies their identity using something they know, like their password, something they have, like their phone or verification codes, or something they are, like their fingerprint. We call all of these authentication factors, and they're the digital equivalent of that library card and ID check.
Now, once you've proven who you are, you need a way to show it with each request, like carrying your library card. In the digital world, we have a few ways of doing this. Most commonly, you will use what is known as a bearer token. It's like carrying an ID card that says, I've already proved who I am. You include this token in a special part of your request called the header.
Or you might use cookies. These are like invisible name tags that your browser automatically shows to websites you've logged into before. Super convenient. And while you technically can include your credentials as query parameters in a URL, for example, example.com/?token=12345, we don't really recommend this because sometimes URLs can be logged, and that's like writing your password on a sticky note where anyone can see it. So remember, authentication isn't just about saying who you are, but it's about proving it.
Next up, we'll see how this works in practice with Directus. But first, let's return our library card. Here we have a posts collection in a Directus project, but this collection is not publicly accessible, so we will need to authenticate as a user with the requisite permissions in order to access this data. And we see here when we just try and access it, when we try and list the posts, that we get an error. You don't have permission to access the collection posts or it does not exist, which is correct because it doesn't know who we are.
We have not authenticated. Now, as mentioned, there are a few ways to authenticate. One of the most common is by passing in what is known as an Authorization header. So the headers get sent along with our request. The value is Bearer, a space, and then a valid access token of a user that has permissions, and when we hit send, we will get this data back.
As I mentioned, there is also another way of doing this, which is via a query parameter to your request. So you can include access_token=value, and, again, that will successfully authenticate. The reason I'm showing you this is to actually dissuade you from using this approach because this full URL, you can type it in your browser here, will return data, but this full URL, including your access token, could be logged by your browser history, by your browser extensions, by your Internet service provider, your corporate VPN provider, and so on. And so to keep it secure, we tend to not use this approach too much. I do also wanna show you how to get an access token and authenticate using the Directus SDK.
So here we have just a JavaScript file. We are initializing a new Directus SDK instance, and what we're going to do is import the authentication composable. And then we are going to initialize the client with the composable. This gives us a brand new function. We can now type in directus.login and provide our email and our password, these values here.
And this client will now be authenticated, so now we can go ahead and actually query our post data. Let's import rest and readItems, which we'll need to make this request, and add the rest composable to our client. And now we can go ahead and make a query, directus.request(readItems('posts')). And then we'll console.log the items. And this line here specifically is what is authenticating us.
Let's see if that works, and we should see a Promise pending. Absolutely. We just need to put in an await there, and we will now see that once the data is returned, it is displayed here. So this is how we authenticate using the SDK. Join me in the next episode of Authentication Avenue where we will cover a brand new topic.
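As an added example that is not Directus code or part of the episode, the following Node script simulates the two request styles shown above: the same protected posts collection answered with a bearer Authorization header and with an access_token query parameter. The token value, the posts and the access-log format are constructed for the example; it then shows which log lines would have captured the token.

```javascript
// Added example (not Directus code): a tiny in-memory "posts" API mirroring the
// behaviour shown in the episode. A request authenticates either with an
// `Authorization: Bearer <token>` header or an `?access_token=` query parameter,
// and the access log shows why the header is the safer of the two.

// Constructed sample data: one issued access token and the posts collection.
const ISSUED_TOKENS = new Map([["tok-abc123", { user: "kevin", role: "editor" }]]);
const POSTS = [{ id: 1, title: "Hello" }, { id: 2, title: "World" }];

// Error wording quoted in the episode for an unauthenticated request.
const FORBIDDEN = {
  status: 403,
  body: { errors: [{ message: "You don't have permission to access the collection posts or it does not exist." }] },
};

// What a proxy, browser history or ISP-side logger typically records:
// method, path and query string, but not request headers.
const accessLog = [];

// Resolve the caller's identity from a parsed request, header first.
function authenticate(req) {
  const auth = req.headers.authorization ?? "";
  if (auth.startsWith("Bearer ")) return ISSUED_TOKENS.get(auth.slice(7)) ?? null;
  if (req.query.access_token) return ISSUED_TOKENS.get(req.query.access_token) ?? null;
  return null; // anonymous
}

// Handle GET <url>; `headers` uses lower-cased header names.
function handleRequest(url, headers = {}) {
  const parsed = new URL(url);
  accessLog.push(`GET ${parsed.pathname}${parsed.search}`);
  const user = authenticate({ headers, query: Object.fromEntries(parsed.searchParams) });
  if (!user) return FORBIDDEN;
  return { status: 200, body: { data: POSTS } };
}

// Run the three requests from the episode and report which log lines leaked the token.
function demo() {
  accessLog.length = 0;
  const base = "https://example.directus.app/items/posts";
  const anon = handleRequest(base);
  const viaHeader = handleRequest(base, { authorization: "Bearer tok-abc123" });
  const viaQuery = handleRequest(`${base}?access_token=tok-abc123`);
  const leaked = accessLog.filter((line) => line.includes("tok-abc123"));
  return { anon: anon.status, viaHeader: viaHeader.status, viaQuery: viaQuery.status, leaked };
}

console.log(demo());
```

Both authenticated requests succeed, but only the query-parameter request leaves the token in the log line, which is the caveat the episode raises.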