Many articles and tutorials use .env to store environment variables in the frontend; however, in a production application this is an unsafe practice, as the tokens are exposed in the browser. Knowing this, what would be the best way to secure these tokens, such as a backend API token?
I'm using an external API in my backend that uses OAuth2 for authentication & authorization. I need to authenticate and get an access token back, which will then be used for further requests to that API.
What is the best practice for storing these kinds of access tokens on the server side? Just in the database? That seems weird, since they expire. Is there a best practice for this?
Storing it in the database seems excessive. I would store it in an environment variable instead:
process.env.ACCESS_TOKEN
But keep in mind that when your server restarts, it will be cleared.
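As an added example (not code from the thread), here is the in-process alternative the answer above hints at: keep the upstream OAuth2 access token in memory together with its expiry and refresh it on demand, so a restart simply triggers a fresh fetch and nothing needs to be persisted. `fetchToken` is a hypothetical async function standing in for the real token-endpoint call, and the `now` clock is injectable so the expiry logic can be exercised offline; `fakeTokenEndpoint` is a constructed stand-in, not a real endpoint.

```javascript
// Refresh a little early so a request issued just before expiry does not go out
// with a token the upstream API will reject.
const REFRESH_SKEW_MS = 30 * 1000;

// Returns an async getAccessToken() that caches the token in a closure
// (not in process.env) and refreshes it when it is about to expire.
function createTokenProvider(fetchToken, now = () => Date.now()) {
  let cached = { token: null, expiresAt: 0 };
  let inflight = null; // dedupes concurrent refreshes: many callers, one upstream call

  return async function getAccessToken() {
    if (cached.token && now() + REFRESH_SKEW_MS < cached.expiresAt) {
      return cached.token;
    }
    if (!inflight) {
      // OAuth2 token endpoints return { access_token, expires_in } with
      // expires_in in seconds (RFC 6749 section 5.1).
      inflight = fetchToken()
        .then(({ access_token, expires_in }) => {
          cached = { token: access_token, expiresAt: now() + expires_in * 1000 };
          return access_token;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}

// Constructed stand-in for the token endpoint (hypothetical, for offline use):
// hands out tok1, tok2, ... and counts how often it was called.
function fakeTokenEndpoint() {
  let calls = 0;
  const fetchToken = async () => ({ access_token: `tok${++calls}`, expires_in: 3600 });
  fetchToken.calls = () => calls;
  return fetchToken;
}

// Usage: const getAccessToken = createTokenProvider(realFetchToken);
//        const token = await getAccessToken(); // pass as Authorization: Bearer <token>
```

The provider is created once at startup and shared; every outbound request calls `getAccessToken()` instead of reading a global, so expiry and refresh are handled in one place.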
Actually, I am going to implement JWT authorization in my first React app, and I have gone through many articles; all of them suggest storing the token in local storage, which somehow I am not finding secure, as the token is visible. So two solutions came into my mind, which obviously are not the best solutions; that's why I am here asking the question.
Solution
1. Generating the JWT token on my React side on every API request, but for doing this I have to use the secret key on my client side, which obviously is a BAD IDEA, exposing the secret key.
2. Having two Express apps, one running the React app and one running the API. The API call from my React app will hit the React Express side, where I will generate the token and hit the actual API with the token. I know it's a little confusing; hope you guys understood what I am trying to explain.
That's what I have thought of, and I know both solutions are not good ones, so it would be very helpful if some of you could suggest how you have done authorization in your app.
Indeed, not a great idea to expose your secret key.
Why use multiple Express apps for this? You can authenticate directly in your "React Express" app.
This is a great article on React, Express and JWT.
About storing the JWT in the browser (your primary concern), there isn't a definitive answer. This article explains the benefits and cons of storing it in cookies or in local/session storage. But you need to store it in the browser anyway, as you need to send it with each request.
The token being visible is not necessarily a security threat. The principle is that it cannot be manipulated, even when someone has it (for example to change the expiration date).
I am planning to make a simple admin CP. I'm an old-school PHP developer, where usually everything is in one huge monolith server and the concept of microservices does not apply.
In my next app I would like to have:
Express UI (Frontend) <----> REST/GraphQL API <-----> DB server
The idea is to limit access to the DB as much as possible. All requests from users would go to the frontend only, and the API would be used only internally by other servers in my solution.
I will set up IP filters between the API and DB, and likely between the frontend and API. But my concern is: say I want one admin to create a product. While this user will be authenticated on the frontend using sessions, I need requests going to the API to be somewhat authenticated too. Ignoring IP filters for now, I do not want just about anybody to be able to send REST requests to the API.
I have several ideas, please give me your opinion:
sharing express-session between API and frontend using MongoDB (likely on yet another server) - I see latency issues
putting the API service on the same server as the frontend and using Redis to share sessions - kinda defeats the purpose of microservice separation
on login, generating a jsonwebtoken that is always forwarded between frontend and API for any user action - cookie stealing will be an issue, since I can only verify that the user logged in, not that he authorized a certain action to be performed
on login, sending a private key to the admin and having him sign all requests that are forwarded to the API - this looks like CPU overkill
Is there any generally used solution I am missing? Is separating frontend and API MITM overkill, or a good practice? I could easily merge the two and talk to the DB directly from the frontend; then I can manage everything with sessions, just like with PHP.
Thanks for any input! Cheers
A more elaborate implementation of (1) is the use of a session server. The idea is purely to remove database lookup latency, but not the bottleneck of session lookup in general. It acts as a caching layer. A zero-coding implementation is to use something like Redis or memcache as the session storage.
In general, though, a cryptographic signing mechanism like JWT would be much more scalable, because it involves zero I/O lookup. All you do is verify that the token is properly signed. And as long as you keep your application secret safe, you're secure. You can even encode things like user roles and permissions directly in the token to completely avoid querying the database for them.
The key idea of JWT is that all the security is hidden in the backend. The front-end only echoes the token back to the server as proof of authentication.
But since the front-end stores the token, it can be hijacked by JavaScript. One solution is to use HttpOnly cookies as the mechanism to transmit the tokens. I've even seen implementations where the main part of the token is sent in the Authorization header but the signature is sent in an HttpOnly cookie. This prevents scripts from being able to read the entire token.
I have a bunch of questions about express-session and JWT in a project that I am building.
I have an Express API server that I want to protect using some sort of API key, to make sure only authorized applications can access my data. JWT would probably get the job done. However, I also need to authenticate users and restrict them from accessing certain parts of the data (e.g. role-based permissions) using express-session.
The frontend server would be a Next.js instance, which would save and use the cookies for express-session. The session would be stored in a MongoDB instance.
Would I be able to use both authentication methods in the same project? Would it be secure? Is there an easier approach to this? How could I implement the permissions?
Any help and tips would be appreciated.
JWT and express-session both accomplish the same thing. The difference is that a browser does not allow an HttpOnly cookie to be accessed through JavaScript. In the end they are both used for the same purpose.
The JWT should be related to a session of a user; therefore the user's permissions are the ones that matter. These can be implemented in a DB and related to the user. "Does he have this permission, or does his role have this permission?" is the middleware you would put on the routes.
In the case of doing it with express-session, I would personally take the same approach.
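As an added example (not code from the answer or from Express), here is the kind of route middleware the answer describes: it answers "does this user, or his role, have this permission?" and can sit in front of any route, regardless of whether `req.user` was filled in from an express-session record or from a verified JWT. The role table and the `runMiddleware` harness are constructed for the example; in a real app the role and permission lookup inside `permissionsFor` would be backed by the DB, as the answer suggests.

```javascript
// Constructed role table (hypothetical); a real app would load this from the DB.
const ROLE_PERMISSIONS = {
  admin:  ['product:read', 'product:create', 'product:delete'],
  editor: ['product:read', 'product:create'],
  viewer: ['product:read'],
};

// Effective permissions = permissions of the user's role + any direct grants
// stored on the user record. Unknown roles grant nothing.
function permissionsFor(user) {
  const viaRole = ROLE_PERMISSIONS[user.role] || [];
  return new Set([...viaRole, ...(user.permissions || [])]);
}

// Express-style middleware. Runs after the authentication step (express-session
// or JWT verification) has put the user on req.user. Distinguishes "not logged
// in" (401) from "logged in but not allowed" (403).
function requirePermission(permission) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (!permissionsFor(req.user).has(permission)) {
      return res.status(403).json({ error: 'forbidden', needed: permission });
    }
    return next();
  };
}

// In a real app the wiring would be:
//   app.post('/products', requirePermission('product:create'), createProductHandler);
// Minimal stand-in for Express's res/next so the middleware runs without the framework.
function runMiddleware(middleware, req) {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, body: res.body };
}
```

Because the check reads only `req.user`, the same middleware works whether the session store or the token says who the user is; only the step that populates `req.user` differs between the two approaches the answer compares.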
I am writing a mobile app and its corresponding RESTful API in Node.js.
Is it possible to make my RESTful API only usable from my app?
I have done some research and found posts like this. But it is kind of irrelevant to my needs.
I think the simplest thing will be to hardcode a secret key in your application and send it with each request. Also use SSL to protect this key. The only way to get it then will be reverse engineering your app.
You can also use bearer tokens, something like OAuth and OAuth2.