What you will learn
- Decode and verify 6 auth schemes: Basic, Bearer (JWT), API Key, OAuth 2.0, Session, MFA/TOTP
- Distinguish authentication (401 โ who you are) from authorization (403 โ what you can do)
- Spot common failure modes: missing header, malformed token, expired credential, algorithm-none JWT attack
Pair this with the Auth Security Lab โ
5 browser-side vulnerability patterns (CSRF, session fixation, open redirect, referrer leaks, credential stuffing) with detection probes.
Demo endpoints use fixed credentials for teaching.
The six methods below accept hardcoded credentials (e.g. admin / admin123) so you can practise each scheme without registering first. For a real Prisma + bcrypt flow, use POST /api/auth/register then POST /api/auth/login. See /api-docs for the full contract.
Seeded users (run pnpm --filter practice-fullstack db:seed): admin@example.com, user@example.com, readonly@example.com โ same passwords as demos.
Basic Auth
HTTP Basic Authentication with base64 encoded credentials
Authorization: Basic base64(user:pass)Generated Header:
Authorization: Basic YWRtaW46YWRtaW4xMjM=Available users: admin/admin123, user/user123, readonly/readonly123
Response
Send a request to see the responseAPI Documentation
Basic Auth
GET /api/auth/basicPOST /api/auth/basicBearer Token
POST /api/auth/bearer (get token)GET /api/auth/bearer (verify)API Key
GET /api/auth/apikeyPOST /api/auth/apikeyDELETE /api/auth/apikeyOAuth 2.0
GET /api/auth/oauth/authorizePOST /api/auth/oauth/tokenGET /api/auth/oauth/userinfoSession
GET /api/auth/session (csrf/status)POST /api/auth/session (login)DELETE /api/auth/session (logout)MFA/TOTP
GET /api/auth/mfa (get code)POST /api/auth/mfa (login)PUT /api/auth/mfa (setup)