without being encrypted in the header at this moment.
Now, one other reason why I'm doing this is that, so that we can actually look at
the header directly and then see this information in the header itself.
So, when the client sends this request, then the server will extract
the information from this authorization header in the request header.
And then use this information in order to verify whether this is
an authorized a client request or not.
Now of course your next question would be,
what exactly does this authorization header contain?
The authorization header itself is constructed as follows.
If you have a username and a password, these are the two
pieces of information that you will use to authenticate a client.
So the username and password will be concatenated into a single string
by saying username and a colon, and the password itself.
So the username string, colon and
password will be concatenated together into an entire string here.
This resulting string that we get here is that, encoded using Base64 encode.
If you know about how encoding is done basics for encoding,
convert that into an ASCII header like as shown in this example here,
so this is nothing but a string of ASCII headers.
Now if you don't know much about basic stiff encoding, don't worry about it,
it doesn't impact your understanding of what is going on here anyway.
So this Basic64 encoded strings, so
this particular information is encoded into a string like this, and
then enclosed in the request header going from the client to the server.
The request header itself is of the type authorization,
and then followed by the actual value here, which says,
Basic, and a space here, and the Base64 encoded string here.
So, when this is received by our sever, the server will extract this information,
and then from here, it'll extract the username and password, and
then verify whether that matches an authorized user or not on the server-side.
To help you better understand how we actually organize the express application
and how the authentication itself is carried out, as we have learned earlier,
express applications themselves are organized in a set of middleware.
And the way the express application works is that the middleware
are applied to the request and the response message
in the order in which it is declared in my express application.
So if you have a express.use and
then you have the first one saying a static server, then after that,
you have another middleware, then after that, you have another middleware.
The sequence in which they are declared in the express servers app.js file,
for example, is the exact sequence in which the middleware will be applied.
So an incoming request from the server-side as you recall in your express
application, the incoming request is treated as a request object.
The response object is what the express server constructs, and
then the next is allows you to go on to the next middleware
that you're going to be applying, and so on.
So, an incoming request like this, when it comes in, the first middleware is applied.
And then once that middleware has transformed both the request and
the response, it moves on to the next middleware, which is then applied to it.
So for example, we saw that we applied Morgan first,
then we applied body parser to the middleware.
So they must have already transformed the request and the response objects.
And then after that, we can include an authentication middleware in place there.
The authentication middleware is going to authenticate the request.
Now, so if you are using basic authentication, do your request
must contain in the header the authorization header in place in there.
So the authorization header will be extracted by the authentication middleware
and then checked to see if the user is authorized.
And if the authentication middleware detects that you are an authorized user,
then you'll be allowed to proceed forward to the next set of
middleware that follows the authentication step.
And your records will be processed by the subsequent middleware.
But other hand,
if your authentication middleware decides that you are not an authorized user,
then the authentication middleware will take you along a different path off.
And then generate an error, and then send back
an appropriate error reply to that client-side and
will be redirected to the error handler.
So this redirection to the error handler will be done by calling Next
with the error as the parameter to that Next here.
So the Next is exactly this Next that we see in the request resource Next here.
And so, that will take you all the way down to the error handler,
which will handle error and then send back the error message back to the client-side,
indicating the failure of the authentication.
So this is how your typical basic authorization, or
basic authentication works in your server-side application.
Having understood this, let's move on to the exercise where we
will implement the basic authentication in our application and
see how it authenticates users.
[MUSIC]