Building authentication in a backend application involves coordinating multiple layers: routing, validation, controllers, services, and data models. Understanding how requests flow through these layers is essential for building secure and maintainable authentication systems.
This article explores the lifecycle of authentication requests, from the initial HTTP request through middleware, validation, business logic, and response generation.
The Middleware Stack
Think of the application as a stack of layers. Requests enter at the top and fall through layers sequentially. Each layer does a job and calls next to pass control to the next layer. The controller sends the response, stopping the chain.
This onion-like architecture allows you to separate concerns: security at the outer layers, validation in the middle, and business logic at the core.
Registration Request Lifecycle
The registration flow begins when a client sends a POST request to the registration endpoint. Before business logic runs, the request passes through safety layers defined in the application setup.
Security middleware includes helmet for setting HTTP headers to protect against vulnerabilities, cors for access control checking allowed origins, rate limiting for DDoS protection, express.json for parsing incoming JSON bodies, and request logging for tracking request details.
Only after passing these checks does the request hit the router, which matches the path and forwards traffic to the appropriate route handler.
Validation Layer
Before the request reaches the controller, it must pass validation. The validation middleware enforces strict rules before the controller runs. For registration, this typically includes email format validation, password strength requirements, and required field checks.
If validation fails, the middleware immediately returns a 400 Bad Request error. The request dies here and never triggers the controller. This is the fail-fast pattern, keeping controllers clean and focused only on successful logic.
Controller Layer
The controller orchestrates the registration process. It extracts data from the request body, calls the service layer to handle business logic, and formats the response.
For registration with email verification, the controller calls the service to create the user with an unverified status, generates a verification token, sends a verification email, and handles rollback if email sending fails.
The controller is lean. It doesn’t contain business logic like password hashing or database queries. It simply receives the request, calls the service, and formats the response.
Service Layer
The service layer contains business logic. For registration, it creates the user in the database, generates verification tokens, and coordinates with email services.
For login, the service finds the user, compares the password hash, checks if the user is verified, generates access and refresh tokens, and returns the results to the controller.
Placing business logic in the service layer ensures that rules like must be verified are enforced consistently, regardless of how the authentication is initiated.
Data Layer
The data layer handles persistence. For user creation, Mongoose models use pre-save hooks to automatically hash passwords before storing them in the database.
The pre-save hook generates a salt, hashes the password with bcrypt, and stores the hash. This ensures passwords are never stored in plain text, even if the application code forgets to hash them.
Response Generation
After processing, the server generates a response. For registration with email verification, the response indicates success but doesn’t include tokens. The user must verify their email before logging in.
For login, the response includes the user data and access token. The refresh token is typically sent as an HttpOnly cookie for security.
Login Request Lifecycle
The login flow follows a similar pattern but with different business logic. The request passes through the same security middleware, then hits the login route.
Validation checks that email and password are provided and properly formatted. Unlike registration, login validation is usually less strict about password length to prevent leaking information about password policies to attackers.
The controller extracts credentials and calls the login service. The service finds the user, verifies the password, checks if the user is verified, and generates tokens if everything is correct.
If the password is wrong or the user is not verified, the service throws an error. The controller catches this and returns an appropriate error response.
Security Best Practices
Separation of concerns keeps code maintainable. Validation happens in middleware, business logic in services, and data access in models.
Fail-fast validation prevents bad data from reaching business logic. This keeps controllers clean and makes errors easier to debug.
HttpOnly cookies for refresh tokens prevent XSS attacks. JavaScript cannot access HttpOnly cookies, so even if an attacker injects malicious scripts, they cannot steal refresh tokens.
Password hashing in pre-save hooks ensures passwords are always hashed, even if application code forgets. This defense-in-depth approach prevents accidental security vulnerabilities.
Email verification adds an extra layer of security. Users must prove they control the email address before accessing the application.
Error Handling
Errors should be handled at appropriate layers. Validation errors are caught by validation middleware. Business logic errors are caught by the controller. Unexpected errors are caught by error-handling middleware.
Error responses should be consistent and not leak sensitive information. Don’t reveal whether an email exists in the system or provide detailed error messages that could help attackers.
Summary
Understanding the authentication request lifecycle helps you build secure and maintainable backend applications. By separating concerns into layers, using fail-fast validation, and following security best practices, you can create authentication systems that are both secure and easy to maintain.
The key is understanding how requests flow through middleware, validation, controllers, services, and data layers, and ensuring each layer has a clear responsibility.