Reputation: 135
General API security tips and info on how tokens work
So I want to understand a little more about authentication in an API. I know very little about how security works.
I am using Auth0 for my app and it supports only logging in from a social media site. My API checks if a user is authenticated and checks data that is being sent to avoid wrong stuff to be saved in the database(mongodb). That is all I have currently implemented to secure my API. Is it possible that a user can take his own token that he got from logging in and post information to a different account by simply guessing a different user _id.
For example, an article receives all its content and the id of the article author.
If this is possible what are some solutions on securing my API.
Any other tips on making an API secure are appreciated!
Upvotes: 0
Views: 142
Answers (1)
Reputation: 14212
Auth0 supports logins with anything , not just social networks. You can login with username/passwords, LDAP servers, SAML servers, etc.
A token is a secure artifact. An author cannot change the id in a token without compromising the token itself (e.g. the digital signature will fail), so impersonating someone else is not that easy. The very first thing your API would need to do is checking the integrity of the token being added to the request, and reject any that contains an invalid one (bad signature, expired, etc).
It is a question that requires a lot of content, so I would recommend starting here: https://auth0.com/docs/api-auth
Upvotes: 1
Related Questions
- How to ensure that only my frontend can access my API, and not anyone else?
- Json Web Token security [ Node JS ]
- How is JWT token authenticated?
- Questions regarding JWT
- Securing Node.js RESTful APIs
- Web security. Am I protecting my REST api properly? (node.js express)
- JSON Web Token (JWT) Security
- What is the standard way to secure a REST API using Tokens?
- Node & Token Based Security
- API Security/Authorization