According to my use case, I want to expose a REST API (auth micro-service) that allows users to sign up, sign in and do basic auth operations. So basically, when a client calls the /auth/login endpoint with username and password, the server code should authenticate the user against Cognito and send a response back to the client with a JWT (access token). The REST API is written in Node.js.
I have gone through various docs, but I am only seeing examples of using the frontend/mobile SDKs to accomplish this. Is there a better way to accomplish this, or can I use the existing JavaScript SDK in Node.js to achieve this?
Thanks!
I have a NestJS app that allows a user to interact with my MongoDB, mostly CRUD operations. However, this is hosted on Heroku, which means that anyone can send requests and perform operations on my database.
What I would like to achieve is to have only users who have a valid token be able to use the API. The users would have to send their requests with a token: v1/search/errors?token=INSERTTOKENHERE
However, all the docs I've read are about getting a user to log in to a frontend like you would log in to Facebook or YouTube. I have a frontend, but the users of the API will be applications and not people, so I don't want them to have to interact with a frontend. Ideally, I can just generate a token for the application and then only apps with a token can interact.
I have searched far and wide and have not found anything like this, but every public API I have used behaves like this. Any links to docs that explain how I can achieve this would be appreciated.
Thanks
Tokens are a way to identify unique, authenticated users. A login attempt is mandatory for creating a token. You need a Guard implemented to verify each user on every API request. Logging in from a front-end application is not mandatory; you can log in from Postman by sending the right body elements.
When a user logs in, I store the login variable in Redux, but when we hit the API request, React.js first checks the authentication using Redux; if logged in, then Node.js checks the authentication and returns the API response.
Isn't it unnecessary to use authentication on both sides? Why can't I just use authentication on the server side only?
Your thoughts please on what should I follow.
I think you need not authenticate on both sides. You just have to send the token in the headers (Authorization) of every API call and create middleware to authenticate the user for the API in Node.js.
There are multiple ways to implement authentication in your front-end projects, though the most common way to do this is by using JWT (JSON Web Tokens). However, for using this type of authentication you need to implement OAuth, OpenID Connect or a similar authentication service on your backend.
PS: I recommend storing your login credentials in cookies.
I am currently developing an API project using ClaudiaJS API Builder to build and deploy it on AWS Lambda with its endpoints exposed on AWS API Gateway. I am planning to have at least a web app and a mobile app for this platform, so I'm focusing almost everything on APIs, including the authentication methods (signup, signin, logout, verify account, etc.).
Unfortunately, as I am not using Express in this project, I can't find a good way to build these auth methods, since every library I find has some dependency on Express (e.g. PassportJS).
My initial thoughts for the login workflow are:
User submits login form containing user/pass stored in PostgreSQL DB.
Front app calls auth API.
API method compares credentials against the user DB (using BCrypt).
In case of success, API method generates a JWT containing a few user details in its payload and returns it to the consumer app.
Is there any good approach for achieving this goal without using Passport and/or Express? Are there any other libs for this purpose, or should I just use a regular DB query and generate a JWT in case the evaluation succeeds?
Thanks to everyone in advance.
Best regards,
Enrico Bergamo
So I am creating a REST API in Node.js that will do database queries and send data to my Android app. However, I want to use some kind of authorization when doing these requests. Which methods could I use to do this? Thanks in advance :)
There are a few options, but I would look at JWT token authentication for this. You'd have the user enter something like a username/password in the Android app, then send this securely to your server, which will return a token of whatever duration you desire. That token is then sent with every API request, usually in the headers.
Google "Node auth jwt token" and you should get some articles such as this.
I suggest using passport.
It supports many common authentication strategies, including HTTP Bearer, Google, Facebook, etc. You can also define your own strategy. Have a try!
I am creating a Node.js web app to access the GettyImages API using the 'Client Credentials Flow'.
Does passport.js support it? If yes, how can I implement that?
Passport is typically used to authenticate users on your web site. If your (web) app is calling an external API (e.g. GettyImages) and it is authenticating itself to that external system, then you probably don't need it (and won't need any framework either). The client credentials flow is a simple POST:
This is taken from their docs:
POST https://api.gettyimages.com/oauth2/token HTTP/1.1
Host: api.gettyimages.com
Content-Type: application/x-www-form-urlencoded
client_id=abc123&client_secret=yoursecret&grant_type=client_credentials
Full docs here
The previous answer by @eugenio-pace is 6 years old, and since then a bunch of things have changed.
Regarding access to GettyImages API with client credentials you can either:
Still make a direct API call. This example (though in Python) shows how.
Use a GettyImages client SDK for your language. There are a number of them, but here in gettyimages-api_nodejs client credentials are explained for NodeJS.
Using option 2 above, you can continue to work with the API client. If the client credentials were obtained by a REST call, you can use PassportJS with passport-oauth2 to build your access logic.
PassportJS comes with many Strategies nowadays, and it is worth checking first to see whether other alternatives are a better choice for you.
The cool thing is that if you want to build a full OAuth2 provider solution, PassportJS can facilitate that too. Client credentials in that case are provided through the passport-oauth2-client-password strategy (based on oauth2orize), and this is demonstrated in this example.
Another popular package to implement an OAuth server besides oauth2orize is oauth2-server.