4.1 JWT Authentication Flow
Register: validate input → check duplicate → hash password (bcrypt, 12 rounds) → save user → return tokens. Login: find user → compare bcrypt hash → generate access token (15 min) + refresh token (7 days). Access token in Authorization header. Refresh token in httpOnly cookie (not localStorage — XSS risk). Token verification middleware: extract → verify → attach user to request.
4.2 Password Security & Refresh Tokens
bcrypt: salt + hash, timing-safe comparison. Never store plaintext passwords. Password reset flow: generate reset token → email link → verify token → update password. Refresh token rotation: issue new refresh token on each use, invalidate old one. Token blacklisting with Redis (for logout). Rate limiting on login endpoint (prevent brute force).
4.3 Role-Based Access Control (RBAC)
Roles: admin, moderator, user. authorizeRoles('admin', 'moderator') middleware. User-role stored in database. Resource ownership: users can only edit their own posts (isOwner middleware). Permission middleware pattern: authenticate → authorize → handle request. Role hierarchy and permission inheritance.
4.4 OAuth2: Google & GitHub Login
Passport.js with Google/GitHub strategies. OAuth2 flow: redirect → provider consent → callback → create/link user. passport-google-oauth20, passport-github2. Session-based vs JWT-based after OAuth callback. When to use social login (consumer apps) vs email/password (enterprise). Connecting social accounts to existing accounts.
4.5 Express Security Hardening
helmet: sets security headers (CSP, HSTS, X-Frame-Options). cors: configure allowed origins, methods, credentials. express-rate-limit: 100 requests/15min per IP. express-mongo-sanitize: prevent NoSQL injection ($gt, $ne in request body). hpp: prevent HTTP parameter pollution. Input sanitization: never trust user input. OWASP Top 10 awareness for Node.js applications.
Placement relevance: "Implement JWT auth with refresh tokens" is the #1 MERN security interview question. bcrypt, httpOnly cookies, and token rotation signal production experience. CORS configuration is the first full-stack bug — understanding it saves hours. Security middleware (helmet, rate-limit, mongo-sanitize) shows awareness of production deployment concerns.