Skip to main content
Back to Store
Auth Lab

Authentication Lab

Practice different authentication patterns used in real-world APIs

What you will learn

  • Decode and verify 6 auth schemes: Basic, Bearer (JWT), API Key, OAuth 2.0, Session, MFA/TOTP
  • Distinguish authentication (401 โ€” who you are) from authorization (403 โ€” what you can do)
  • Spot common failure modes: missing header, malformed token, expired credential, algorithm-none JWT attack

Pair this with the Auth Security Lab โ†’

5 browser-side vulnerability patterns (CSRF, session fixation, open redirect, referrer leaks, credential stuffing) with detection probes.

Security Mode

Secure Mode (HttpOnly Cookie)

SecureInsecure

Secure Mode Active

Token stored in an HttpOnly cookie. Not accessible via JavaScript โ€” document.cookie cannot read it. Protected from XSS attacks since scripts cannot extract the token.

Demo endpoints use fixed credentials for teaching.

The six methods below accept hardcoded credentials (e.g. admin / admin123) so you can practise each scheme without registering first. For a real Prisma + bcrypt flow, use POST /api/auth/register then POST /api/auth/login. See /api-docs for the full contract.

Seeded users (run pnpm --filter practice-fullstack db:seed): admin@example.com, user@example.com, readonly@example.com โ€” same passwords as demos.

Basic Auth

HTTP Basic Authentication with base64 encoded credentials

Authorization: Basic base64(user:pass)
Generated Header:
Authorization: Basic YWRtaW46YWRtaW4xMjM=
Available users: admin/admin123, user/user123, readonly/readonly123

Response

Send a request to see the response

API Documentation

Basic Auth

GET /api/auth/basicPOST /api/auth/basic

Bearer Token

POST /api/auth/bearer (get token)GET /api/auth/bearer (verify)

API Key

GET /api/auth/apikeyPOST /api/auth/apikeyDELETE /api/auth/apikey

OAuth 2.0

GET /api/auth/oauth/authorizePOST /api/auth/oauth/tokenGET /api/auth/oauth/userinfo

Session

GET /api/auth/session (csrf/status)POST /api/auth/session (login)DELETE /api/auth/session (logout)

MFA/TOTP

GET /api/auth/mfa (get code)POST /api/auth/mfa (login)PUT /api/auth/mfa (setup)