Nathan Hornby

Reputation: 1443

Authorisation strategy for a first-party express based node API

I'm tackling the design of my first API and am struggling somewhat with authorisation concepts - I was hoping some kind people could give me some advice!

What I'm building:

Technology I plan to use:

I'm not wed to express or passport, they just seem like the best options and are well documented - but I wouldn't want a potential solution to be dismissed because of alternative dependencies. Same with Mongoose, I actually prefer the look of Monk (or even just Mongojs), but every tut seems to use mongoose, so it seems like the safest option for a node beginner.

Authenticating a user is simple enough (I've gone through the fantastic Beer Locker tutorial), what I'm struggling with is ongoing authorisation. Naturally I don't want the user to have to input a username and password with every request they make - should this information be stored locally and sent with every request? (if so, how? I can't find any info on handling an API with a session) or should I be working with tokens of some sort? The small amount of reading I did on 'Digest' authorisation (including the Beer Locker tutorial follow-up) made it seem like it had security issues, at least with the Passport implementation (this I don't fully understand, but seems to relate to hashing passwords, which passport doesn't do as standard, and only MD5 is supported even if it's added?).

I have built a working API that I can authorise with 'Basic' (directly, through Postman), so I have the foundations in place - authorisation works, I just need the tools to take that to the next step and add sessions into the mix!

I've been trying to get my head around this for a couple of days now, but I fear I'm too stuck in a more traditional local web-app workflow - the whole API thing is throwing me somewhat.

Any help is hugely appreciated, even if it's just pointing me at an appropriate tutorial - the above set of requirements must be quite common!

Upvotes: 1

Views: 138

Answers (2)

SmallhillCZ

Reputation: 171

As I understand, you have done the authentication and the only thing you have to do now is store somewhere that the current user is authenticated, his name, roles, etc., to use later with other requests. In Passport you will do it in the function callback (instead of the "If this function gets called..." comment).

Now you have to decide, you have two options:

  1. Store the user information (name, roles etc.) on your server (in a session) and give the user some long code which will identify his session for the next requests

    • to store the information on your server you may use for example the express-session middleware
    • it would be probably best to save the session identifier in a cookie, but read some security issues before
  2. Give the user something that would prove to you he/she is authenticated and which name, roles etc. he/she has

    • you can generate a token that contains the user information (name, roles etc.) that the user will send with every request. To know this token is legit, you will have to sign it. More on this is on jwt.io, and you can use the express-jwt middleware.
    • you don't have to care about storage of the session with this one
    • the token can be placed in a cookie too, but the same security issues apply. It is still considered better than localStorage (more here)

Upvotes: 0

Max Bumaye

Reputation: 1009

I have come across this problem too...

I can only recommend doing this for the beginning: http://scotch.io/tutorials/javascript/easy-node-authentication-setup-and-local

tell me if it helped :)

Upvotes: 1
