protect my API from being used by others - node.js

I am writing a mobile app, and its corresponding RESTful API in NodeJS.
Is it possible to make my RESTful API only usable from my app?
I have done some research, and found posts like this. But it is kinda irrelevant to my needs.

I think the simplest thing will be to hardcode a secret key in your application and send it with each request. Also use SSL to protect this key. The only way to get it then will be reverse engineering of your app.
You can also use bearer tokens, something like OAuth and OAuth2.

Related

How to use Next-auth credentials provider with external API

I worked with Next-auth before but I also used the built in next API feature. When used with next API, I can protect my APIs. The problem is now I am using an external node.js API. The token is created in the front end and this leaves my node API endpoints exposed. Is there something I'm missing here? How should I do this? Or tell me if there is a better way. Thanks a lot!
You should not generate any JWT tokens in the frontend as that is way too insecure. Better to work with a dedicated and separate authorization service that generates the token for you. Either you host one yourself or use a third-party solution like Auth0 to generate the tokens for you.
Today more and more people are moving towards using the BFF pattern to further secure their SPA applications.

RESTful API with Users and Authentication via Google OAuth2?

I'm kinda new to backend development and wanted to start by creating a small API with authentication and authorization that could function as an API for a blog for different frontend implementations.
I set up an API with ExpressJS and MongoDB and created a working API so I can post blog-posts, retrieve all or single blog posts, etc.
Now I wanted to add Authentication and instead of using JWT or something, I thought, it could be cool to have my users sign in via their Google-Account to post/delete blog posts, etc. Does that even make sense? I hope it does because in my head it should not differ too much from using JWT for example.
I added passport.js and its google-oauth2 strategy.
I'm already able to create users by signing in via google, but my problem lies in the way to authenticate correctly for login and subsequent API requests.
Would I use the access- and refresh-token that I receive back from google for that? At least that's what I first thought of.
But how would that work? And next up: What if I wanted to add another way to authenticate? For example JWT or maybe Facebook-OAuth? Wouldn't that cause some issues when trying to protect my API routes because I would have different ways of authenticating (and what kind of middleware would I use then for my routes?)
I hope I made my problem clear :)

Best practices for securing NodeJS API created with Swagger

I have created an API with NodeJS and Swagger that works well, but anybody can call it and I want to restrict it to the users that have a valid API Key. Are there any best practices that I need to use for securing the API? Just adding the api key in the request? Generating a token and adding it to the request header?
That's why OAuth was born.
Look at https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

Do I need OAuth if I use HTTPS?

I'm building an Node API, together with a Javascript client Application.
I was wondering if there are benefits to implementing OAuth, if I am also using HTTPS.
What if I just send username + password on each request instead of implement OAuth?
As far as I know, HTTPS encrypts the client-server communication. But I might be missing something important.
I'm not going to allow third-party apps to access my API.
OAuth is an authorization framework, so you are not getting any security over your API calls by default, especially if you are using OAuth2, which is most likely the case. If you don't need to authorize third-party apps, then you don't need it.
If you want to secure your API though, then take a look at hawk, using just Basic authentication is a bit naive.

Authentication strategy for REST API and mobile app

I'm creating a REST API server with Node.js and Express + MongoDB.
This API will have different mobile clients (iOS, Android) and possibly a web app later on.
I need users to login in order to perform some API requests. There are no 3rd party apps I want to connect with (no Facebook, Google etc). I also don't want to force the users to visit a webpage or anything like that in order for them to login.
From what I've seen on my many searches on SO, the best approach would be to let users login with full credentials once, send them a token in return, and use that token to verify future requests until it expires.
However, I'm not sure how to implement this.
I'm very confused with all of the different strategies. Is this done with basic authentication over HTTPS, with OAuth, OAuth 2.0, ... ? I just don't know what to use.
Also, I really don't want to reinvent the wheel here, not because I'm lazy, but mainly because of security concerns. Is there a library I could use to implement this? I've heard of Passport, but I couldn't understand if this is doable or not. This sounds like such a generic thing I'm sure there's a simple solution out there.
Thanks!
Now you can use Passport.js with JWT (JSON Web Tokens) with Passport-JWT. It's pretty easy to use.
Once a user is logged in, you send a token to the user. The token contains data about the user, like an id (encoded, of course). On the subsequent requests (at least where authentication is required) you make sure that the client sends the token. On the server, you can see who sent the request (and e.g. check the user's authorization) just by looking at the token. For more info on how JWTs work, check this out.
There are different ways to send the token. Just have a look at the docs and it'll be clear. If not, this also helped me.
I feel you need to set up a Token Based Authentication process in your server, so you can make requests from different types of clients (Android, iOS, Web, etc.). Unfortunately, Passport documentation (and Passport-based tutorials) seems to be aimed at "web applications" only, so I do not think you should be using it for those purposes.
I did something similar following this great tutorial: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543
The client part in this tutorial is based on AngularJS, but can easily apply the same principles in a mobile client (it is just a matter of making HTTP requests including a token retrieved when you post in "/signin" or "/authenticate").
Good luck!
There is an example of RESTful service with oauth2 authentication: https://github.com/vedi/restifizer-example. I hope it will help.
