REST / Web based authentication-as-a-service a possibility? - node.js

I've developped a REST based service using Express and initially started implementing authentication myself. A simple username/password authentication where
passwords are encrypted using BCrypt
user info + hashed passwords are stored in a mongoDB
password verification checks are done.
authentication tokens (limited TTL) are generated / validated
I have some knowledge on Node.JS, but not nearly sufficient to make me feel comfortable about rolling out my own authentication (login/signup) mechanism.
For that reason I would like to replace my in-house mechanism with something else.
Something proven, extendable, pluggable and easy to use.
Given the amount of secure websites / REST APIs out there based on Node.JS, I'm sure there are out-of-the box solutions that people / companies have to offer that can get service implementors up and running very quickly, without having to worry about the security/user aspect.
I'm looking for an even higher level of abstraction than that of libraries like passport or everyauth. Something that provides out-of-the-box functionality, capable of fulfilling my requirements including :
providing a login page / signup page / profile page
different authentication modules (google,facebook,github,....)
storing user info (+credentials if required) in a datastore (mongoDB).
remember me
forgot password / reset password
So the question here is :
Are there out-of-the-box solutions like that available that offer a higher level of abstraction than passport/everyauth/... ?
If any, would you recommend some of these out-the-box solutions ?
Should I instead forget about the notion of outsourcing my user authentication and just start looking at passport and everyauth and start implementing my requirements using those libraries ?
Is it possible to focus on my business logic and not worry at all about any aspect regarding user authentication (writing login / signup pages , implementing forgot password / reset password flows, storing user info in the DB).

The service API should largely live independent of your authentication mechanism, so I'd recommend starting this behind a simple password protected folder or some such. In my opinion it would be better to make sure you're API works and can gain traction. Meaning it'll be more a long term project. Nothing kills a project quicker than focusing on the painful stuff right out of the box.
As far as what service to use? It's non-trivial to setup security well. So for a small startup project, it's probably more cost-effective to integrate with another service. Might take a look at Mozilla Persona. It's built on Node and pretty straight forward.
If you do try to roll your own get some outside expertise, and DON'T do stupid stuff like use a hashing algorithm like SHA1 to store passwords. Instead use something like bcrypt. Then there are other things like, don't store server logs on the server they're created. Pipe out all logs elsewhere so if there's an intrusion you have a forensics trail back to what happened.

I guess you could use https://stormpath.com/ . I'm looking for a free alternative myself..

Related

Nodejs Do I need to use Passport

Alright, so I'm currently coding a Web Application with Node.js, and I'm a bit stuck on how I should handle user logins/authentication.
Lots of tutorials seem to recommend using Passport for your authentication, but from all the documentation I've read, it seems to take a bit of setting up and it complicates the simple login I was expecting.
Whether or not I use Passport, I still plan on hashing my user passwords that are stored in the Mongo database.
So the question is, do I need to use Passport for security reasons, or can I just code an authentication system my self?
It's really up to you, if you don't need Facebook, Google, or Twitter logins or are fine coding your own, I would just build it from scratch.
I built an application that didn't need all the bells and whistles that Passport came with, but needed it's own security built in, and found it much easier to just make my own. It's so easy to include your security as middleware in node!
I think it depends your use.Generally set a password is necessary, and use passport is not complicated in Nodejs .Of course ,if your application is used in internal,password can be ignored.But I think security is provided.

Passport.js practical for simple login

I'm designing my user authentication system using Node.js/Express, and as I've been searching the web for authentication strategies, I noticed that a lot of developers recommend passport.js for helping with authentication.
My authentication will only ever use a username/password strategy with JSON web tokens. Under that assumption, it seems like I have to manage the entire authentication myself: I check the username and password against the database, and I check and attach JWTs. It seems like Passport only wraps my work inside it's own functions.
With only a username/password strategy, what use is Passport? What does Passport provide in this scenario that is of any real benefit over me just performing the authentication without it?
Passport give you more flexibility and scalability. Now, you need one specific strategy, but in future you can add additional or remove old one. Using modules like passport you cause that your application code is independent of some processes. It is almost like dependency injection, you inject strategy in opposite to hardcode this.
I thing, that good application should have as much as possible functions/modules, that allow to inject polices/strategies. Separate modules is also nodejs/express style.
If you code your authentication in same style, then it is super (but why reinventing the wheel).
Using passport you can inherit from base Strategy and create new one strictly for your needs and use it with other strategies.
Never. Ever. Implement. Your. Own. Security. Framework
Unless you actually want to implement a framework and you have all the resources in the world to do that, all the required knowledge and the key people ( like OWASP ) & etc etc.
Use existing lib for your project
Use a library, or a framework, that's open source and battle tested. Yes it will not be perfect and will have limitations. Yes it may not be the most secure code ever. BUT it will be much better than your own, especially if you're starting from scratch.
Then follow best practices for CSRF, XSS, DDoS & other kind of attack prevention.

Spring security substitute for Node.js

Is there a substitute for spring security in Node.js. I know of express and passport, but passport provides authentication only. It does not feature "forgot password", "reset password" or crud operations for User and Role.
In other words, passport lacks of a number of commonly used features that are provided by spring security. Is there any Node.js library that provides these features.
I know it's already mentioned in the question but for anyone else brand new to Node coming here from google and skipping right to the answers like I did:
http://www.passportjs.org
Looks like the most widely used free library that is somewhat comparable to Spring Security, although as the original question points out it is only focused on authentication so it doesn't cover every feature Spring Security has (like role based authorization).
https://auth0.com
https://stormpath.com
and tons of others. Just google "User Managment" node.js
Or at the end of the day write you own. Writing user management is sails takes about an hour and they have integration with things like Mandril for sending forgotten notices.
Although spring security is one of the bests open source security frameworks, the features: "forgot password" and "reset password" aren't implemented by default. You will need to create your views pages and controllers for it. The default User and Role are very basic models of security that are recommended just for a very basic web apps. In most cases you will need to save and manage it in your database and customize all features for reset and forgot password. It can become very complex as you customize your security rules.
For node there are so many options out there, I agree with #KPD the most equivalent of SpringSecurity is passportjs (18.7k stars on github), although it is much simpler than SpringSecurity, sometimes the secret to success lies in simplicity.

Going Live - Any best practice check list and how to increase security on an MVC Site?

I have been building quite a few MVC based websites locally and am finally ready to deploy the first, but, I am getting rather nervous.
During testing, I noticed several things that worried me - I am using the default forms authentication with a few tweaks (although nothing to the underlining security).
I noticed that if I created a user in one application and logged in, then launched another application... it would keep me logged in* as the user from the previous application. The user doesn't even exist in the new application!
* - I used [Authorize] on controllers, and was surprised I could just get straight in without any sort of authentication
I assume it is because the cookie is being set for localhost instead of the application/port (although, not too much I can do about this in development).
Based on this, how secure is the default authentication?
1. Is there anyway to check from the code that the user doesn't have a "faked" cookie? / Check the user has logged in from my application?
2. I was just wondering if there are any sort of check lists or anything I can go through before deploying?
Sort of - 3.As of writing this, For question 1. I am guessing I could add a column with a random number that is saved to the cookie, and then that number is checked every time any authentication is done... however, I did not want to start mucking around with the membership provider... but I think this could work. Is this a good idea?
Try using IIS on your machine instead of VS Dev Server. Solves your problem 1.
Other than that I don't think you will need any extra effort to make default membership mechanisms of asp.net to make more secure if of course you don't need a real custom things to do in your projects. These things are around for a while now and I think they have been well tested in terms of security.
You just need to remember to put [Authorize] attribute to right places. If not on your controllers put them to right methods.
Basic Web Authentication shouldn't be trusted for applications which contain truly sensitive information. That being said it's sufficient for most applications. Be sure to check your application as often as possible before and after release for XSS vulnerabilities.
Here is Microsoft's recommended "Secure yourself" list. http://msdn.microsoft.com/en-us/library/ff649310.aspx
No matter how strong your authentication is, one small XSS mistake and a malicious user can do as they wish to your site, and your users data!
I recently read a good book: Worx Professional ASP.NET, it talks about these steps in more detail on securing yourself as well as exposing examples of problems. After reading this I was able to "deface and steal" my own sites information with relative ease, was a good eye opener on the importance of securing for XSS.

How should I implement session management/authentication on Tomcat with future OAuth implementation in mind?

I'm working on a web site and I plan to use strictly OAuth in for user authentication. I've never implemented session management/user authentication before; and so - naturally - I'm reading up on a lot of how tos to get this done.
The problem I'm running into is that a lot of examples out there for doing things like setting up your realm, authenticator, etc etc seem to rely on the user/password paradigm for authentication. The whole point of going for OAuth is to avoid this in the first place!
That being said; I'm actually not looking for examples of full OAuth implementations right now. I understand that I need to understand that for myself. BUT with a future OAuth implementation in mind; how should I structure my user authentication/session management FOR THE TIME BEING in a way that will allow me to move forward on developing the functionality on my site that I really care about? I suppose I could throw some stuff together for that; but I'm just afraid that down the road I will be shoe horning an OAuth implementation as opposed to do something now which allows me to lay down the basic framework for it and then move on to other things.
So; does anyone know of a good example of laying the groundwork for OAuth on Tomcat 7? For example, which authentication mechanism (Basic, digest, etc) I should use or how I should represent user credentials in my database?
I know that this is kind of a vague question; so I'm not expecting someone to come out and tell me all of the answers I need to know. I'm just looking to get pointed in the right direction here.
Perhaps Spring Security would be useful? Your webapp could leverage Spring Security and use whatever login mechanism you need (i.e., you could do the default form-based authentication or Basic Auth for now, and replace the login/auth piece with an OAuth implementation when you're ready), but still have Spring Security manage authorization to particular resources in your webapp.
Someone has also built OAuth for Spring Security, so it may be a useful addition to your web app all around.

Resources