So we have our application in nodejs ready, implemented with passport as authentication framework on top of express/nodejs. The routes had been designed as REST API.
Now, there's a request to make the routes available as REST API to non-browser clients.
How would I go about implementing this when our app already works well with passport for authentication? Can passport be used for that? Or another framework, like Oauth? Would they be compatible or would I need to dismantle the passport code to implement with Oauth?
Coulnd't find relevant information yet.
I am not familiar with passport.js but most of the browser based server applications use sessions for user authentication. This is usually not the case for non browser based REST clients which use tokens to authenticate requests.
An Oauth server is implemented to issue tokens to different clients and these tokens are sent with each request. SSL is used to protect these tokens. In your case, you can add an Oauth middleware for REST clients while having the same end points as for your browser based application.
Related
I am currently implementing a API project using express-js.
There are multiple clients for the API. This includes a front-end web app and some backend services.
I am looking at using a normal session based management for authentication using express-session.
I am preferring this over jwt since session based + secure cookies is easier for many use cases which I would need need
Ability to revoke user access from server side
Allow only single active web session for a user
I am sure I can maintain a separate persistance table with userid + refresh_token + access_token to achieve the above.
Its just that session based gives me these in straightforward.
Now when it comes to my daemon services, I would still like them to go via API route. This will be more like Client Credentials Flow.
Since these are non-http clients, cookies will not be supported.
I am not sure how my app can API's continue to support both of them ?
The only option I have now based on readings on various blog sources is to use JWT in the cookies for the web front end and using JWT as bearer in header.
This means that
I will need to implement all the security mechanisms like token black-listing, regenerating refresh_token etc.
I will potentially lose out on main benefit of JWT of statelessness.
What are the options I have to ensure that my API layer can support both front-end web apps like react/angular and other micro services
The standard solution here is to use an API gateway:
APIs receive JWT access tokens regardless of the client, and validate them on every request
Browser clients have their own routes to APIs, and send cookies that contain or reference tokens
Mobile clients call API directly, but with opaque access tokens
APIs call each other inside the cluster using JWTs, typically by forwarding the original token from the web or mobile client
The API gateway can perform translation where required. Here are a couple of related articles:
Phantom Token Pattern
Token Handler Pattern
Done well, all of this should provide a good separation of concerns and keep application code simple.
When a user logs in, I store the login variable in redux but when we hit the api request then firstly react.js checks the authentication using redux if loggedin then the node.js checks the authentication and returns the api.
Isn't it unnecessary using authentication on both sides? Why can't I just use authentication on server side only?
Your thoughts please on what should I follow.
I think you need not to authenticate both side. You have to just send token in headers (authentication) of every API and create middleware for authenticate user for API in nodejs.
there are multiple ways to implement authentication in you're front end projects though the most common way to do this is by using JWT (json web tokens) however for using this type of authentication you need to implement OAuth, OpenID connect or similar authentication service on you're backend .
ps: I recommend storing you're login credentials in cookies
I am trying to validate my node app using google. But I found these two modules being used in different tutorials. Could you please tell what the difference is between these two.
passport-google-token
On the npmjs.com page of both, i found the desc as Passport strategy
for authenticating with Google access tokens using the OAuth 2.0 API.
This module lets you authenticate using Google in your Node.js
applications. By plugging into Passport, Google authentication can be
easily and unobtrusively integrated into any application or framework
that supports Connect-style middleware, including Express.
passport-google-oauth
Passport strategies for authenticating with Google using OAuth 2.0.
Lead Maintainer: David Pate
This module lets you authenticate using Google in your Node.js
applications. By plugging into Passport, Google authentication can be
easily and unobtrusively integrated into any application or framework
that supports Connect-style middleware, including Express.
passport-google-oauth was made for express apps, so you can configure permissions, callback uri and request user data, all in the same place.
passport-google-token is made for REST APIs, so you handle authentication logic in front-end and then, you send google token to the back-end (node server) and there you can request user data using google token and grant access to your app using your own authentication mechanism (JWT, Bearer Token, etc.).
I'm working on an application using sails. web and mobile.
I want to use CSRF protection that sails provides when the app is visiting on the web. And if a request is send by the mobile app. send with the payload a jwt.
On the sails' documentation I found a property csrf.routesDisabled that disabled the CSRF for some routes. But that is not what I want. I'm trying to find a way to for example, check if the parameter jwt is send in the post request. And if the parameter was send then check and validate it. else, check for _csrf value of the form. Is this possible?
or the csrf protecction works before any information is send to the server?
my better choose is use jwt in the web app too?
any other good idea for solving this problem is welcome
thanks
Sounds like you've built the web app with SailsJS and you're trying to reuse the controller actions as REST endpoints for external applications.
Really what you should do, is decouple the data access from the front-end. Have an isolated REST API - using token authentication - which is used by both a web front-end (and any other applications).
For example, I'm currently working with a SailsJS REST API, used by an EmberJS front-end and an iOS app. Both front ends login using user credentials, in order to receive an authentication token. This token is then used for any future requests. A policy locks down all but the login authentication endpoint, to validate the token
I have an application that uses passport with passport-google-oauth to allow Google Authentication with RESTful API endpoints.
I'm looking to create other applications (for example, a Chrome extension) that need to communicate with these API endpoints. How do I secure a REST API with Google authentication in passport? I read a lot of things on securing a REST API in general (i.e. if I had my own login), but how would I do it if my application relies on a third-party login? (ie. Google, Facebook, Twitter, etc.)
Thanks
Passport.js ONLY handles authentication -- it doesn't handle authorization at all.
What you'll want to do, if you want to authenticate a user to your webapp is use something like Google Oauth to let a user create an account on your webapp.
You'll then need to use a separate Passport.js strategy for handling developer authentication against your API service.
For instance, if you want a developer to authenticate against your API using Basic Auth, you could use this Passport strategy to allow this: https://github.com/jaredhanson/passport-http
Hopefully that makes sense!