NodeJS Authentication for Multiple RESTful API services

Question

I would like to seek help from you guys.

I have multiple RESTful API services running in NodeJS Express. Each API is hosted by different NodeJS with different port. And in our front-end, it is accessible via reverse proxy.

We are now moving to a secured services. However, there's a problem in authenticating with the services. The front-end should request 1 auth token upon login that can be used in accessing the internal API services (API is also accessible in our public domain /api/).

How can we solve this problem?

Current Setup

Answer 1

You could issue a signed JWT token upon login (see https://jwt.io/).

The front end application has to send the token back with each API call.

Each API server has to know in advance the key (public key or symmetric key depending on the type of the signature algorithm) and use the key to check the signature of the token is valid.

If it is valid, the API server knows it can trust the token content, and decide whether to serve the request. The token would contain the identity of the user, expiration time, ...

Note that signing the token does not encrypt the data: if you need to convey sensitive data through the token, it needs to also be encrypted

Thus it is not necessary to establish a session and then share the session across the many API instances. Knowing the key is enough to trust the token content

To pass the JWT in API calls you can use a header:

Authorization : Bearer theBase64EncodedToken

Of course, it is up to you to check if this scheme satisfies the security concerns related to your application.