Reputation: 712
I have been looking into this for a few days now and have come across many SO questions, but I am still not so sure.
I am creating a REST API with Node.js which will be used for a web app and a mobile app. It is only intended for the app's back-end to use and not for other developers.
My current concern is security. I know there are other ways, such as OAuth etc., but I am wondering whether my current method is secure enough.
The "client" creates an HMAC-SHA1 token using the `crypto.createHmac('sha1', secret)` method in Node, which contains an API key along with a secret. The secret is built into the code, while the API key has been previously retrieved from the DB when the user logged into the app. The client then sends this token as well as the user ID.
The REST server then retrieves the API key of the user ID that has been sent and then creates an HMAC-SHA1 token, again with the API key it just retrieved and a secret. It then checks that they are both equal and moves on with the request.
I don't mind if it is "reinventing the wheel" or whatever; it's more for experience too. If this method is insecure, I'd like to know why.
Upvotes: 0
Views: 1022
Reputation: 1595
Without physical security of the client device (i.e. you own the hardware) there is no perfect security. Someone who owns the client device will always be able to find your secret, so don't worry about it too much. Use your HMAC to obscure the secret from a network proxy.
Even with OAuth the client key can be stolen.
You can provide security for users by requiring authentication. It sounds like you are already doing that. So I think you're good.
That said, as a general rule I prefer using existing protocols and libraries to implementing your own. They tend to have more secure implementations.
Upvotes: 3