Reputation: 439
I have an app which takes a CSV from the user, converts it to JSON and saves the JSON file in an S3 bucket on AWS. Then I am using RESTful services from Oracle to push that data to Oracle JDE.
A user can't upload a file without being "approved" beforehand. It's a manual process for now, but their email needs to be added to the S3 bucket first. The web app checks if the email exists in S3 and then allows the file upload to happen; if it doesn't exist, the file upload is rejected.
I don't have any other "user authentication" set up for now.
Next, in order to get the token from the external API, I need to feed it a service account username and password. Currently, since it's still in development, I am keeping the username and password on my server-side Node.js in an object which I pass into the API call to get the token.
For the time being we don't plan on having user login, so that being said, how can I secure the username and password but still be able to get a token for "authenticated emails allowed to upload"?
Basically, I assume just keeping it in a variable in server-side Node is not a good idea, so I'm looking for another way of storing it somewhere and still being able to make the call to the API.
Upvotes: 0
Views: 249
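As an added example (not code from the original post), here is one way to handle the service-account credential the question describes in Node.js: read it from the process environment at startup (populated by a secrets manager or deployment configuration rather than committed in source), refuse to start if it is missing, wrap the password so it cannot leak through `JSON.stringify` or `console.log`, and cache the issued token so the password is only sent when a fresh token is actually needed. The variable names `JDE_SERVICE_USERNAME` / `JDE_SERVICE_PASSWORD` and the `fetchToken` contract are assumptions for illustration; the real Oracle token endpoint is not modelled here.

```javascript
// Added example, not from the original post. Environment variable names and
// the fetchToken contract are assumptions for illustration.

// Wrapper so that serializing or logging a config object never reveals the
// password; only an explicit reveal() call returns the plaintext.
class Secret {
  #value;
  constructor(value) { this.#value = value; }
  reveal() { return this.#value; }
  toJSON() { return '[REDACTED]'; }
  toString() { return '[REDACTED]'; }
  [Symbol.for('nodejs.util.inspect.custom')]() { return '[REDACTED]'; }
}

// Load the service-account credential from the environment (assumed names).
// Fails closed: a missing credential is a startup error, not a silent fallback.
function loadServiceCredentials(env = process.env) {
  const username = env.JDE_SERVICE_USERNAME;
  const password = env.JDE_SERVICE_PASSWORD;
  if (!username || !password) {
    throw new Error('JDE_SERVICE_USERNAME and JDE_SERVICE_PASSWORD must be set');
  }
  return { username, password: new Secret(password) };
}

// Build the HTTP Basic Authorization header for the token request at the call
// site, so the plaintext password exists in as few places as possible.
function basicAuthHeader(creds) {
  const pair = `${creds.username}:${creds.password.reveal()}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Caches a bearer token and refreshes it shortly before expiry (skewMs), so the
// service-account password is used only when a new token is required.
// fetchToken is assumed to be: async (authHeader) => ({ token, expiresInSeconds })
class TokenCache {
  constructor(fetchToken, { skewMs = 30_000, now = () => Date.now() } = {}) {
    this.fetchToken = fetchToken;
    this.skewMs = skewMs;
    this.now = now;
    this.token = null;
    this.expiresAt = 0;
  }

  hasValidToken() {
    return this.token !== null && this.now() + this.skewMs < this.expiresAt;
  }

  async getToken(creds) {
    if (this.hasValidToken()) return this.token;
    const { token, expiresInSeconds } = await this.fetchToken(basicAuthHeader(creds));
    this.token = token;
    this.expiresAt = this.now() + expiresInSeconds * 1000;
    return token;
  }
}
```

In production the `fetchToken` function would be the HTTP call to the token endpoint, and the environment would be filled from the platform's secret store at deploy time, so the credential never appears in the repository or in application logs.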
Reputation: 4659
For the time being we don't plan on having user login, so that being said, how can I secure the username and password but still be able to get a token for "authenticated emails allowed to upload"?
You can't. Unless I'm misunderstanding something, those are not "authenticated emails", they are "pre-approved email addresses". You still need to authenticate your users to help secure the app.
So do I still hash and salt the hardcoded username and password and save them to the DB?
You can't salt and hash your passwords because you're intending to reuse the original password. That puts the onus on you to secure the passwords. Don't play that game. Many people reuse the same passwords for lots of different accounts. Do you want to have to send an email to your users letting them know you had a security breach and that they need to reset all their passwords?
Upvotes: 1
Reputation: 4126
Basically, I assume just keeping it in a variable in server-side Node is not a good idea
That's right, it's not a good idea. For example, what if your server dies? Then you'll lose that value. Not to mention the added cost of your RAM, since everything will be stored in memory.
Upvotes: 0