🟢 Node.js Intermediate

What is the difference between authentication and authorization?

Why Interviewers Ask This

This question targets practical, hands-on experience with Node.js. Interviewers want to see if you've worked with these concepts in real projects, not just read about them. Strong answers include concrete examples.

Answer

Authentication is the process of verifying who a user is — confirming their identity. Common mechanisms: username/password, OAuth (Google, GitHub), API keys, JWTs, session cookies. In Node.js, libraries like Passport.js handle authentication strategies.

Authorization is the process of determining what an authenticated user is allowed to do — checking permissions and roles. A user may be authenticated but not authorized to access a specific resource. Example: all employees are authenticated (they can log in), but only admins are authorized to delete user accounts.

In Express.js, implement the two as separate middleware, run in this order:

(1) Authentication middleware: verifies the JWT or session and attaches req.user.
(2) Authorization middleware: checks req.user.role against the permissions required for the route.

Common authorization models: RBAC (Role-Based Access Control — roles like admin/user/moderator), ABAC (Attribute-Based Access Control — more granular, based on attributes of the user, resource and request), and ACL (Access Control Lists — per-resource permissions).

Pro Tip

Back up your answer with a specific project or situation. Saying 'In my last Node.js project, I used this when...' immediately makes your answer more credible and memorable.