aBhijit

Reputation: 5361

node.js - REST API security. SSL or OAuth2?

I am building a nodejs express REST API. I have the following setup.

API server(nodejs) returns data from mongodb.

Webserver(nodejs) hosting angular web application.

A little bit of googling told me I should use OAuth2 for securing my REST API.

Some links also suggested that I use SSL.

I am not clear whether SSL is an alternative solution to OAuth2, or whether I should use it along with OAuth2 for increased security.

If I use SSL for communication between my web server and API server, do I still need to use OAuth2?

I am a "first time API builder". I am so sorry if this question sounds vague.

Upvotes: 3

Views: 1565

Answers (1)

dylants

Reputation: 23340

It's not uncommon to build up APIs for your client side application. Sometimes it makes sense to separate the application which is responsible for APIs from that which is responsible for hosting your client side application (in this case it seems it is an Angular app). However, know that these can be one and the same, and that is probably recommended until they get large enough to separate out. If they are separate, you'll quickly run into a same-origin policy problem and perhaps need to proxy the request from the client side app to the separately hosted API application -- or you could run them under the same domain and proxy using something like nginx or apache. All of that to say, you might consider starting with these two as one application to begin with.

Moving on to security, SSL is a way of securing your client's connection to the server (it might be easiest to just think of it as HTTPS). This is a good strategy, and would be advised for someone to implement once they have data transferred between the client and server which should not be viewed by others. Know that SSL is not specific to Node.js or REST, but just a way of securing the web request/response communication.

With the requests secured, you still need to know who is making the request, and if they have access to do what they're asking. Proving who you are is authentication, and what you're allowed to do is authorization. There are many ways to authenticate, and once you do, it's usually the responsibility of the application to decide that user's authorization. OAuth is one method to help with this process, and has become popular through Facebook, Google, Twitter, etc. logins to websites. There are many tools built to help you integrate OAuth with your application; Passport is one of the more popular choices for Node.

So your question is a bit vague, but hopefully this helps you understand the difference between SSL and OAuth.

Upvotes: 3
