Reputation: 25054
I have two servers,
nodejs server in production, already has an authentication module, very little freedom to modify code. I have added a module that provides a token key to serverB.
nodejs server, not in production, more freedom to change code. Since it should not have an independent authentication module, it depends on the token key from serverA for authenticating users.
I was using the crypto module for token generation, and had the same cipher seed in serverA and serverB.
This worked, but token key not expiring bothered me. But, the servers are independent, and thus the server time would not be in sync, because of some oversight, can even be days apart.
Then, I came across redis, reading about it now, haven't used it before.
What if I run a redis DB on serverB, and serverA sets an expiring token in it, and serverB checks each incoming request for the token against it? Is this the right way to use redis, what would the disadvantages be, and most importantly, would this lead to any security loophole?
Upvotes: 0
Views: 110
Reputation: 1052
Based on my experience with node and redis, I think this might be a good solution for your case. But if you have too many requests, I suggest having 2 redis servers (very easy to set up), one on each server, whereby serverA is master and serverB is slave. When serverA needs to set a token, it will set it with its local redis server; at the same time serverB can see the new key with its TTL and act accordingly.
Regarding the security, I think you have two options: either you set a password on redis connections, or you block access on the used port (6379 is the default) at a firewall level or server level. If you are not really thinking of scaling your structure, I would suggest blocking the access.
Upvotes: 1
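The scheme discussed above, as an added example that is not code from either post: serverA stores a random token with a TTL, and serverB looks it up on each request, so expiry depends only on the store's clock and not on either server's. The function names and FakeStore are hypothetical; the store is assumed to expose set/get/del in the node-redis v4 call shape, and FakeStore is a constructed in-memory stand-in so the block runs offline.

```javascript
const { randomBytes, createHash } = require('node:crypto');

// Store only a hash of the token, so a dump of the store does not yield usable tokens.
const keyFor = (token) =>
  'session:' + createHash('sha256').update(token).digest('hex');

// serverA: called after the existing authentication module accepts the user.
async function issueToken(store, userId, ttlSeconds) {
  const token = randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  // node-redis v4 call shape (SET key value EX ttl); the store's clock enforces expiry.
  await store.set(keyFor(token), String(userId), { EX: ttlSeconds });
  return token;
}

// serverB: called on every incoming request; returns the user id or null.
async function verifyToken(store, token) {
  if (typeof token !== 'string' || token.length === 0) return null;
  return store.get(keyFor(token)); // null when missing or already expired
}

// serverA: logout or revocation is visible to serverB on its next lookup.
async function revokeToken(store, token) {
  await store.del(keyFor(token));
}

// Constructed in-memory stand-in for the Redis client (hypothetical, offline only).
// `now` is injectable so expiry can be shown without sleeping.
class FakeStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.data = new Map();
  }
  async set(key, value, { EX }) {
    this.data.set(key, { value, expiresAt: this.now() + EX * 1000 });
    return 'OK';
  }
  async get(key) {
    const entry = this.data.get(key);
    if (!entry) return null;
    if (this.now() >= entry.expiresAt) {
      this.data.delete(key);
      return null;
    }
    return entry.value;
  }
  async del(key) {
    return this.data.delete(key) ? 1 : 0;
  }
}
```

With a real deployment the store would be a connected Redis client that requires a password or is reachable only from the two servers, as the answer suggests.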