Reputation: 65
I am currently working on a chatbot for Facebook Messenger. I am working with the Microsoft bot framework and the code is written in node.js.
I am interacting with a database through an API. With every request I have to pass an access token inside the request header. I have read on the internet that you would usually store such a token inside a cookie or web storage. However, I also found out that you can't do that on Facebook Messenger. I was thinking about storing the access token inside a variable, but my concern is that this might not be secure. Is there any other secure way to store the access token?
I am fairly new to node.js and it is my first time working with tokens. Help is much appreciated.
Upvotes: 6
Views: 9039
Reputation: 3863
I would suggest using express-session, for the following reasons. Create a session middleware with the given options.
Note: Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.
Note: Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.
Warning: The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.
Upvotes: 1
Reputation: 1567
Assuming this token does not change, you can store it as an environment variable, say TOKEN, and access it in your Node.js app as process.env.TOKEN.
Upvotes: 0
Reputation: 8292
You can use session.userData to hold your database token. If you are concerned about it being secure, then encrypt it before saving.
session.userData.dbtoken = encryptToken(token);
The token can later be retrieved and used when you need it:
var token = decryptToken(session.userData.dbtoken);
var databaseData = getUserDataFromDatabase(token);
https://docs.botframework.com/en-us/core-concepts/userdata/
Or, use a local database like NeDB: https://github.com/louischatriot/nedb This would be the most secure option, since the database would reside on your server.
Upvotes: 2