PassportJS / NodeJS secure REST API with Google Auth - node.js

I have an application that uses passport with passport-google-oauth to allow Google Authentication with RESTful API endpoints.
I'm looking to create other applications (for example, a Chrome extension) that need to communicate with these API endpoints. How do I secure a REST API with Google authentication in passport? I read a lot of things on securing a REST API in general (i.e. if I had my own login), but how would I do it if my application relies on a third-party login? (i.e. Google, Facebook, Twitter, etc.)
Thanks

Passport.js ONLY handles authentication -- it doesn't handle authorization at all.
What you'll want to do, if you want to authenticate a user to your webapp is use something like Google Oauth to let a user create an account on your webapp.
You'll then need to use a separate Passport.js strategy for handling developer authentication against your API service.
For instance, if you want a developer to authenticate against your API using Basic Auth, you could use this Passport strategy to allow this: https://github.com/jaredhanson/passport-http
Hopefully that makes sense!

Related

What is the difference between passport-google-oauth and passport-google-token?

I am trying to validate my node app using Google. But I found these two modules being used in different tutorials. Could you please tell me what the difference is between these two?
passport-google-token
On the npmjs.com page of both, I found the description as: Passport strategy
for authenticating with Google access tokens using the OAuth 2.0 API.
This module lets you authenticate using Google in your Node.js
applications. By plugging into Passport, Google authentication can be
easily and unobtrusively integrated into any application or framework
that supports Connect-style middleware, including Express.
passport-google-oauth
Passport strategies for authenticating with Google using OAuth 2.0.
Lead Maintainer: David Pate
This module lets you authenticate using Google in your Node.js
applications. By plugging into Passport, Google authentication can be
easily and unobtrusively integrated into any application or framework
that supports Connect-style middleware, including Express.
passport-google-oauth was made for Express apps, so you can configure permissions, callback URI and request user data, all in the same place.
passport-google-token is made for REST APIs, so you handle the authentication logic in the front-end and then send the Google token to the back-end (Node server), where you can request user data using the Google token and grant access to your app using your own authentication mechanism (JWT, Bearer Token, etc.).
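As an added example (not code from the answer above or from the passport-google-token module), these are the checks a backend should run on the Google token the front-end hands it before granting access in the flow just described; the tokeninfo URL, the client ID and the sample reply are assumptions or constructed values.

```javascript
// Assumption: Google's tokeninfo endpoint for access tokens; the client ID is a placeholder.
const TOKENINFO_URL = 'https://oauth2.googleapis.com/tokeninfo';
const MY_CLIENT_ID = 'EXAMPLE-CLIENT-ID.apps.googleusercontent.com';
const EMAIL_SCOPES = ['email', 'https://www.googleapis.com/auth/userinfo.email'];

// Returns null when the tokeninfo reply is acceptable, otherwise a short rejection reason.
function validateTokenInfo(info, expectedAud, nowSeconds) {
  if (!info || typeof info !== 'object') return 'malformed';
  if (info.error) return 'provider_error';                   // Google rejected the token outright
  // Audience: the token must have been issued to our own OAuth client. Without this check a valid
  // token the user obtained for some other Google app would log them into ours.
  if (info.aud !== expectedAud) return 'audience_mismatch';
  // Expiry: the reply carries exp (epoch seconds) and/or expires_in (seconds remaining).
  const exp = info.exp !== undefined ? Number(info.exp) : nowSeconds + Number(info.expires_in);
  if (!Number.isFinite(exp) || exp <= nowSeconds) return 'expired';
  // Identity: a stable subject and a verified email are needed to map the token to a local account.
  const scopes = String(info.scope || '').split(' ');
  if (!scopes.some((s) => EMAIL_SCOPES.includes(s))) return 'missing_email_scope';
  if (!info.sub) return 'no_subject';
  if (String(info.email_verified) !== 'true') return 'email_unverified';
  return null;
}

// Network step (not exercised offline): ask Google about the token the front-end sent, then
// validate the reply. Assumes a global fetch (Node 18+). Only sub and email are passed on, to look
// up or create the local user before issuing the app's own session token or JWT.
async function verifyGoogleAccessToken(accessToken) {
  const res = await fetch(`${TOKENINFO_URL}?access_token=${encodeURIComponent(accessToken)}`);
  const info = await res.json();                              // error replies are JSON as well
  const reason = validateTokenInfo(info, MY_CLIENT_ID, Math.floor(Date.now() / 1000));
  return reason ? { ok: false, reason } : { ok: true, sub: info.sub, email: info.email };
}

// Constructed sample reply, shaped like a tokeninfo response (values are strings there).
const sampleInfo = {
  azp: MY_CLIENT_ID, aud: MY_CLIENT_ID, sub: '110000000000000000000',
  scope: 'openid https://www.googleapis.com/auth/userinfo.email',
  exp: '1700003600', expires_in: '3600', email: 'alice@example.com', email_verified: 'true',
};
```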

If I'm not using 3rd-party logins/services, will OAuth2 make my backend API more secure than basic user/password auth?

I am currently looking to create a private web app with separate front-end and back-end on AWS using nodejs without signup and 3rd-party logins, so generated users and passwords. I have looked over a few posts; it seems OAuth2 only provides more security when I am allowing 3rd-party login or services, because it is an authorization framework. So I have a few questions:
In my case, I don't think authenticating an OAuth2 token is any more secure than authenticating a hashed password. So I don't need OAuth2, am I correct?
Other than SSL on transfer and then using a session token after user login, what other ways can I make the backend API more secure?
Please provide links or examples (best with nodejs).
Thanks,

SPA ReactJS social registration with HelloJS and PassportJS

I'm facing a problem related to OAuth authentication using NodeJS. The main concern is how to connect it all to my current architecture. Let me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without a redirect or leaving the page. For this, I'm using HelloJS and the OAuth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook.
The OAuth proxy serves as the "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how I send the token to the Cloud API for registration. Obviously, I could add a middleware in the Cloud API to automatically register the user in the database; however, I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust the token received from the web app without ensuring that it is real and not expired. I thought to check it with passportjs.
Advice or recommendations?
Thanks.

securing a REST api for nodejs/express/passport

So we have our application in nodejs ready, implemented with passport as authentication framework on top of express/nodejs. The routes had been designed as REST API.
Now, there's a request to make the routes available as REST API to non-browser clients.
How would I go about implementing this when our app already works well with passport for authentication? Can passport be used for that? Or another framework, like Oauth? Would they be compatible or would I need to dismantle the passport code to implement with Oauth?
Couldn't find relevant information yet.
I am not familiar with passport.js, but most browser-based server applications use sessions for user authentication. This is usually not the case for non-browser-based REST clients, which use tokens to authenticate requests.
An OAuth server is implemented to issue tokens to different clients, and these tokens are sent with each request. SSL is used to protect these tokens. In your case, you can add an OAuth middleware for REST clients while having the same end points as for your browser-based application.

User authentication through my REST API and Facebook

I'm a bit confused about how to properly and securely authenticate users using my REST API and provide an option to authenticate using other OAuth 2.0 providers as well (e.g. Facebook, Google, etc.).
Scenario
Users interact with a web application which should consume my REST API. Users should be able to login and perform CRUD operations both using username/password and by using 3rd party services such as Facebook. I will be using SSL to encrypt the traffic to the website and the API.
Without taking the 3rd party login services in consideration and by studying the various questions already asked here on SO, I thought about handling user authentication as in the picture.
Technologies and current idea
The REST API is written in JS using NodeJS and Express. The WebApp, provided through another NodeJS instance, is mostly AngularJS with templates which consumes the REST API.
My current idea is to let the WebApp handle the login sequence and let Facebook save their token in my DB using the callback. But this solution smells too much of workaround!
Questions
Is the authentication sequence depicted in the image correct?
How is the above authentication sequence compared to the Resource Owner Password Credential flow in OAuth2.0? Is it worth using OAuth2.0 instead of it?
How can I integrate login through 3rd parties (i.e. Facebook)? Any suggestion or (better) example?
References
passport.js RESTful auth
Login with facebook and using oauth 2.0 for authentication of REST api calls
And many others here on SO :)
My 2 cents..
The process looks good to me.. I would re-issue the token on each sign in and also keep it inside a database so tokens can be revoked easily.
Use PassportJS. It's got support for OAuth flows and supports many 3rd-party integrations like FB, Twitter, GitHub etc.. and since it's a nodejs middleware.. its integration will be very tight within your application..
