Day 02 Authentication

Authentication and Session Security

Password hashing, JWT pitfalls, OAuth misconfigurations, session fixation, and CSRF. Build the auth layer that actually resists real attackers.

~1 hour · Intermediate · Hands-on · Precision AI Academy

01. The OAuth 2.0 Flow

OAuth 2.0 is a protocol for delegated authorization. Here is the 5-step flow:

  1. User clicks "Sign in with Google"
  2. Your app redirects to Google's authorization server
  3. User approves access on Google's page
  4. Google redirects back to your callback URL with a code
  5. Your server exchanges the code for an access token and user profile

Terminal

npm install passport passport-google-oauth20 express-session jsonwebtoken

oauth.js — Google OAuth Setup

const express = require('express');
const session = require('express-session');
const passport = require('passport');
const jwt = require('jsonwebtoken');
const GoogleStrategy = require('passport-google-oauth20').Strategy;
const User = require('./models/user'); // your own model: findByGoogleId, findById, create

const app = express();

// Passport needs a session to complete the OAuth handshake; the cookie never
// reaches page scripts (httpOnly) and is not sent on cross-site POSTs (sameSite).
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV === 'production' }
}));
app.use(passport.initialize());
app.use(passport.session());

passport.use(new GoogleStrategy({
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  callbackURL: '/auth/google/callback'
}, async (accessToken, refreshToken, profile, done) => {
  try {
    // Find or create user in your database
    let user = await User.findByGoogleId(profile.id);
    if (!user) {
      user = await User.create({
        googleId: profile.id,
        email: profile.emails[0].value,
        name: profile.displayName
      });
    }
    done(null, user);
  } catch (err) {
    done(err);
  }
}));

// Only the user id is stored in the session; the full record is loaded per request.
passport.serializeUser((user, done) => done(null, user.id));
passport.deserializeUser((id, done) =>
  User.findById(id).then(user => done(null, user)).catch(done)
);

// Routes
app.get('/auth/google',
  passport.authenticate('google', { scope: ['profile', 'email'] })
);

app.get('/auth/google/callback',
  passport.authenticate('google', { failureRedirect: '/login' }),
  (req, res) => {
    // Issue a short-lived JWT after successful OAuth
    const token = jwt.sign({ userId: req.user.id }, process.env.JWT_SECRET, { expiresIn: '15m' });
    // Deliver it in an HttpOnly cookie rather than the query string, where it
    // would end up in browser history, proxy logs and Referer headers.
    res.cookie('token', token, { httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV === 'production' });
    res.redirect('/app');
  }
);

app.get('/logout', (req, res, next) => {
  // passport 0.6+ requires a callback; destroying the session prevents its reuse
  req.logout(err => {
    if (err) return next(err);
    req.session.destroy(() => res.redirect('/'));
  });
});

app.listen(3000);

Note. Getting Google credentials: go to console.cloud.google.com → APIs and Services → Credentials → Create OAuth 2.0 Client ID. Set the callback URL to http://localhost:3000/auth/google/callback for development.
Day 2 Exercise
Implement Google Sign-In
  1. Create a Google OAuth app in Google Cloud Console.
  2. Set up the Passport.js strategy with your credentials in .env.
  3. Add the session middleware and passport.initialize() to your Express app.
  4. Test the full flow: click "Sign in with Google," complete the OAuth consent, and verify the user is created in your database.
  5. Add a /me endpoint that returns the current user's profile from the session.

Day 2 Summary

What's Next

The foundations from today carry directly into Day 3. In the next session the focus shifts to Injection Attacks and Input Validation — building directly on everything covered here.

Day 2 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 3?
