ReST API: Should I associate the access token with a user in my database

Question

I am building a secure ReST API on a nodeJS server so that my Android application can access the data on my site. Based on reading some other posts, I've come to understand that I should use an access token. So my idea is to do the following:

1) When the user logs in on the Android app, the app sends a request to /api/login on my site, providing the username and password (this of course needs to happen over SSL to guard against eavesdropping).

2) My server validates that the username + password match, and, if so, responds with an access token.

3) The app uses this access token to make all subsequent requests to my API.

My question is should I store the access token in the database on my server? Specifically, should I store the fact that the access token is associated with that particular user? Most tutorials I looked at did not do this, but if I don't, then what is to stop a user with this access token modifying or viewing the data of another user? Don't I need to pair an access token with a user in my database?

Answer 1

What you want to do is exactly HTTP Sessions do.

So, I think you can just use HTTP Session functionality It's already implemented in WAS frameworks like Django, Spring etc. If NodeJS provide session functionality, Just use session functionality in the framework. If not, look up the HTTP Session library. Maybe you can find many library that treat session implementation.

Answer 2

try using this library, i did the same type of project and this life saver was my solution.

Answer 3

If you need to build a secure API the things are little more complicated. You need to sign the access token with a private keystore.

Would it be a option to use a authentication service like Auth0? They are generating a JWT token for you and you only need to validate this token. The API is completely stateless. You can find a lib for almost any programming language on their website.