solaris

Reputation: 55

Is my devised authentication method for node.js app viable? Am I missing anything?

After trying to implement the Passport module and deciding I'm too uncomfortable with not knowing exactly what is happening behind the scenes I came up with my own way to authenticate mobile users with Facebook. The following is my method but I'm worried that I might be missing something important as I am new to this. Any insight would be appreciated.

Important: every user is required to sign in with Facebook.

  1. Mobile client authenticates user with Facebook API and receives an access_token.

  2. Every subsequent request to my node.js server with user-specific/privileged actions will contain that user's unique ID and current Facebook access_token.

  3. The request will pass through a sails.js policy (middleware) that compares the Facebook access_token from the request to the access_token currently saved to that user's User object from database.

  4. If they match, the request will continue to the desired action. If they don't match, the server will make a call to graph.facebook.com/me/?access_token= with the access token provided from the request.

  5. If the unique Facebook ID returned from Facebook's server matches the Facebook ID that was already saved to that user's User object upon initial registration then the new access_token is saved/refreshed to that User object and the request continues to the desired action.

Also important: The mobile client will automatically refresh the Facebook access_token and include it in requests to my server as needed.

Thanks in advance!

Upvotes: 3

Views: 60

Answers (1)

rdegges

Reputation: 33854

This is not a good idea. I'll explain why in detail here, but in general: use passport or a secure authentication provider like Stormpath. The reason why is this: security is very hard to get right. Especially when you're authenticating from different places (web apps, APIs, mobile apps, etc.). There are MANY ways to mess things up, and it can cost you a lot in the long run by not just using a well-vetted framework.

Now, here's a breakdown of the issues with your implementation:

Mobile client authenticates user with Facebook API and receives an access_token.

This is fine, this makes sense.

Every subsequent request to my node.js server with user-specific/privileged actions will contain that user's unique ID and current Facebook access_token.

Where is the unique ID generated? Is it the Facebook user ID? If so, don't pass this OUTSIDE the token -- keep it inside and ONLY pass the token via the HTTP Authorization header. This will ensure you leak as little information as possible.

The request will pass through a sails.js policy (middleware) that compares the Facebook access_token from the request to the access_token currently saved to that user's User object from database.

This is a bad idea. Instead, you should verify the token using a JWT library (Facebook tokens are JWTs). You should then fire off a request to the Facebook Graph API as well with the token to validate that it has not been revoked. This ensures that if your user is compromised, you can actually revoke access when you need to.

If they match, the request will continue to the desired action. If they don't match, the server will make a call to graph.facebook.com/me/?access_token= with the access token provided from the request.

The above comments also apply here.

If the unique Facebook ID returned from Facebook's server matches the Facebook ID that was already saved to that user's User object upon initial registration then the new access_token is saved/refreshed to that User object and the request continues to the desired action.

The above comments also apply here.

NOTE: I'm the author of several popular authentication libraries (including social login) in both Node.js and Python, and spend all my time working on this stuff @ my company.

Authentication is really fun / interesting, but unless you're absolutely 100% sure you're doing absolutely everything right, it's always a better idea to go with a well-vetted framework =)

I really hope this helps! Best of luck with your project! I'm sure it'll be awesome.

PS: No matter what, be sure to use SSL when talking to your API service, otherwise none of this matters anyway :(

Upvotes: 3
