Authentication Interview Questions

Beginner Level (5 questions)
Authentication vs authorization: authentication = who are you (login, proving identity); authorization = what are you allowed to do (permissions, checked only after identity is established).
JWT: self-contained token, Header.Payload.Signature (three base64url parts joined by dots). The server verifies the signature instead of looking up a session, which is what makes it stateless. The payload is only encoded, not encrypted, so never put secrets in it.
Session vs token: session = server stores the state and the client only holds an opaque session ID in a cookie (easy to revoke); token = client holds a signed JWT and the server verifies it without a lookup (stateless), but a stolen token stays valid until it expires unless you keep a deny-list.
Password hashing: one-way transformation, you cannot recover the password; you verify by hashing the submitted password again and comparing. Use a slow password hash (bcrypt, scrypt or Argon2) with a per-user random salt, never plain MD5/SHA-256.
bcrypt: slow-by-design password hash. The cost factor ("salt rounds", 2^rounds iterations) makes every guess expensive so offline brute force does not scale, and the per-user salt (which defeats rainbow tables) is generated and stored inside the hash string.
Intermediate Level (7 questions)
JWT auth flow: user logs in with credentials → server issues a signed, short-lived JWT → client stores it and sends it on every request (Authorization: Bearer header or cookie) → middleware verifies signature and expiry, then attaches the user to the request; reject anything with an unexpected alg.
OAuth 2.0: authorization framework that lets a user grant a third-party app limited, scoped access to their account on another service without sharing their password. "Login with Google" is OpenID Connect, an identity layer on top of OAuth 2.0 that adds an ID token describing the user.
CORS: by default the browser lets a page send a cross-origin request but blocks it from reading the response (and preflights non-simple requests); the server opts in with Access-Control-Allow-Origin and related headers, e.g. via the Express cors middleware. Don't reflect arbitrary origins with credentials allowed, and remember CORS protects the user's browser, it is not a server-side access control.
CSRF: an attacker's page makes the victim's browser send a request the victim never intended, and the browser attaches the session cookie automatically. Prevent with SameSite=Lax/Strict cookies, a per-session CSRF token checked on every state-changing request, and an Origin/Referer check.
Refresh tokens: long-lived tokens used to silently obtain new short-lived access tokens without re-login. Store them httpOnly, rotate on every use and revoke on logout or on reuse of an old one, since a leaked refresh token is worth far more than an access token.
Token storage: httpOnly cookie (JS cannot read it, so XSS cannot exfiltrate it; needs CSRF protection and Secure + SameSite) > localStorage (convenient, but any XSS on the page can read and steal the token).
Passport.js: Node.js authentication middleware with 500+ pluggable strategies (local username/password, Google, GitHub, JWT, etc.); it runs the provider handshake and hands your verify callback an authenticated profile, while session or token handling stays your responsibility.
Advanced Level (5 questions)
RBAC: assign roles to users, map each role to a set of permissions, and have middleware check the required permission before the route handler runs. Deny by default: an unknown role or missing user gets no access.
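A role-to-permission check in Express middleware shape, as an added example not taken from the page. The roles, permission names and the tiny res stand-in used to exercise it are assumptions.

```javascript
// Added example: RBAC with a role -> permissions map and deny-by-default middleware.

// Routes ask for a permission, not a role name, so roles can be reshaped later.
const ROLE_PERMISSIONS = {
  viewer: ['post:read'],
  editor: ['post:read', 'post:write'],
  admin: ['post:read', 'post:write', 'post:delete', 'user:manage'],
};

function hasPermission(user, permission) {
  const perms = ROLE_PERMISSIONS[user?.role] || []; // unknown role => no permissions
  return perms.includes(permission);
}

// Middleware factory: app.delete('/posts/:id', requirePermission('post:delete'), handler)
function requirePermission(permission) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' }); // who are you?
    if (!hasPermission(req.user, permission)) {
      return res.status(403).json({ error: 'forbidden' });                    // not allowed
    }
    next();
  };
}

// Stand-in for Express' res/next so the middleware can be run without a server.
function runMiddleware(mw, req) {
  const outcome = { status: 200, calledNext: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  mw(req, res, () => { outcome.calledNext = true; });
  return outcome;
}
```

The 401 vs 403 split matters: 401 means authentication is missing or invalid, 403 means the caller is known but not permitted.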
Authorization code flow: redirect the user to the provider with client_id, redirect_uri, scope and a random state → user approves → provider redirects back to redirect_uri with a short-lived auth code → backend exchanges the code (plus client secret or PKCE code_verifier) for tokens → use the access token to read user data. Verify state on the callback so an attacker cannot log the victim into the attacker's account.
Securing auth: bcrypt/Argon2 for passwords, HTTPS everywhere, short-lived access tokens with rotating refresh tokens, httpOnly + Secure + SameSite cookies, rate limiting and lockout on login, input validation, MFA, and generic error messages so the login form does not reveal whether a username exists.
Social login (OAuth 2.0 / OIDC) implementation: register the app with the provider (get client_id and secret, whitelist the redirect URI) → redirect the user to the provider with state (and PKCE) → receive the code on the callback and check state → exchange the code server-side for tokens → fetch the profile or read the ID token → find or create the local user → issue your own session or JWT.
MFA: two or more independent factors, e.g. a password (something you know) plus a TOTP code from an authenticator app or a hardware key (something you have). A stolen password alone no longer gets the attacker in; prefer TOTP or FIDO2/WebAuthn over SMS codes.