I worked with Next-auth before but I also used the built in next API feature. When used with next API, I can protect my APIs. The problem is now I am using an external node.js API. The token is created in the front end and this leaves my node API endpoints exposed. Is there something I'm missing here? How should I do this? Or tell me if there is a better way. Thanks a lot!
You should not generate any JWT tokens in the frontend as that is way to insecure. Better to work if a dedicated and separate authorization service that generates the token for you. Either you host one your self or use a third party solution like Auth0 to generate the tokens for you.
Today more and more moves towards using the BFF pattern to further secure their SPA applications.
Related
Due to the lack examples of oauth2 in node.js, I can't decide where to implement the oauth2 service. Also, I wanna know what is the meaning of provider in oauth2 and when to create a new one and when to use a pre-made one like google.
I tried to implement a provider in the server-side but I didn't know how to test it.
If there are any useful resources I would be happy to take them.
You should use Open Id Connect (Authorization Code Flow + PKCE) in your Angular app. You should validate OAuth 2.0 access tokens in your API. Both of these components should interact with a 3rd party Authorization Server. There is a learning curve and my tutorial + code sample may help you - feel free to post back if you get stuck: https://authguidance.com/2017/09/24/basicspa-overview/
oauth2 provider means wich service to use to auth, eg server-side will mean the user creates an account on your Server, google would mean users sign in with their google accoutns to your site.
I am doing a project with angular as the front end and nodejs as the backend.
The database and authentication mechanisms are managed by firebase cloud.
The problem is i am stuck with the authentication mechanism.
It seems there are a lot of ways we can manage authentication using firebase.
I want my backend to deal with the authentication part, and i am using a email and password ecosystem for authentication.
But it seems that there is 2 npm packages one for angular firebase and another one for nodejs firebase-admin.
I am in a mess to determine what method to use and how to use it effectievly to manage the authentication flow here, due to overflow of resources.
There seems to be signInWithUserNameAndPassword in firebase and there seems to be signInWithCustomToken in the firebase-admin.
Can anyone show me the right path to go through?
I looked at this answer but i don't know why we need to pass the token back to client and then pass it to admin side again for verification?
The client side in my app is a web project.
Is there any mistake on my understanding?
Thank you in advance
You will use signInWithUserNameAndPassword method. A token will be returned to you which you can store in localStorage which is security wise a bad idea but is okay for simple projects for practice. Alternatively, you can use angular-persistence or similar libraries to persist your state. Then, you can authenticate a user with whether his/her token is present in state or not.
firebase-admin doesn't support any user authentication APIs. So you must do your authentication at the client-side using the firebase package, and the signInWithEmailAndPassword() API it provides: https://firebase.google.com/docs/auth/web/password-auth
I am writing a mobile app, and its corresponding RESTful API in NodeJS.
Is it possible to make my RESTful API only usable from my app?
I have done some research, and found posts like this. But it is kinda irrelevant to my needs.
I think the simplest thing will be to hardcode secret key in your application and send it with each request. Also use ssl to protect this key. The only way to get it then will be reverse engineering of your app.
You also you can use bearer tokens, something like OAuth and OAuth2.
I'm building an Node API, together with a Javascript client Application.
I was wondering if there are benefits to implementing OAuth, if I am also using HTTPS.
What if I just send username + password on each request instead of implement OAuth?
As far as I know, HTTPS encrypt the client-server communcation. But I might be missing something importatn.
I'm not going to allow third-party apps to access my API.
OAuth is authorization framework, so you are not getting any security over your API calls by default, especially if you are using OAuth2 which is most likely the case. If you don't need to authorize third party apps, then you don't need it.
If you want to secure your API though, then take a look at hawk, using just Basic authentication is a bit naive.
I am creating a node.js webapp to access GettyImages API using 'Client Credentials Flow'
Does passport.js support it? if yes, how can I implement that?
passport is typically used to authenticate users on your web site. If your (web) app is calling an external API (e.g. gettyimages), and it is authenticating itself to such external system, then you probably don't need it (and won't need any framework either). The client credential flow is a simple POST:
This is taken from their docs:
POST https://api.gettyimages.com/oauth2/token HTTP/1.1
Host: api.gettyimages.com
Content-Type: application/x-www-form-urlencoded
client_id=abc123&client_secret=yoursecret&grant_type=client_credentials
Full docs here
The previous answer by #eugenio-pace is 6 years old, and since then a bunch of things have changed.
Regarding access to GettyImages API with client credentials you can either:
Still make a direct API call. This example (though in Python) shows how.
Use a GettyImages client SDK for your language. There are a number of them, but here in gettyimages-api_nodejs client credentials are explained for NodeJS.
Using option 2 above you can continue to work with the API client. If client credentials were obtained by a REST call you can use PassportJS with the passport-oauth2 to build your access logic.
PassportJS comes with many Strategies nowadays and it is worth checking first to see if other alternatives are a better choice for you.
Cool thing is that if you want to build a full OAuth2 provider solution then PassportJS can facilitate you too. Client credentials in that case are provided through the passport-oauth2-client-password strategy (based on oauth2orize) and is demonstrated in this example.
Another popular package to implement an OAuth server besides oauth2orize is oauth2-server.