I am server side and using nodejs
I would like to check authentication of client request. I mean, I would like to check if it is valid or eligible person or not who send request to me(server).
what is the best way?
server~client authentication
I have not implemented this yet - have been working with oAuth for API validation - but will use something similar to this http://www.quietless.com/kitchen/building-a-login-system-in-node-js-and-mongodb/ for user log in/validation.
Related
Problem:
I want to create a webapp with VueJS and a custom backend with NodeJS (ExperssJS and PostgreSQL). It should be possible to login with a username and password. After a successful login, the user can access secured endpoints of the ExpressJS server.
Now I am thinking how I can securely authenticate HTTP requests after a successful login.
What I consider doing:
Using a JWT and providing it in the authentication header of every request.
When the user provides correct login data, the server creates a JWT and sends it as response to the client. The client stores the token and adds it to every HTTP request as the authorization header. Because the transport is secured with TLS (HTTPS) the token should not be visible while transporting. To provide a seamless user experience the token has to be saved at the client side, so the user does not have to authenticate for each request.
So my question is: How can I securely save a JWT token for further HTTP request authentication?
Possible options:
LocalSotrage - BAD IDEA! (not really secure)
Cookie - more security (but also not perfect)
Last thoughts:
Isn't there an "absolute secure" or a "best practice" method to handle authentication for such a scenario?
P.S. I am pretty new to this field, so please forgive me if i wrote something stupid :D I am also aware that there are a lot of tutorials on how to setup something like this, but what i want to know is, which technique is the best and most secure one.
Thanks in advance!
PassportJS also support using local strategy. You might want to take a look about it. here
If you are new then it's better to use already build user authentication flow like Google login, Discord Login etc.
There is a well known library called Passport JS which makes third party login system integration a breeze.
Actually I want to know that, what is the best way to secure my node js / express API from another application in which I'm calling the API from client side (Ajax call).
I know that, I could use JWT token based authentication, but I need to pass the Username and password to Node server to get token generated, I don't want to do this as I've already logged-in in an another application.
Any help / suggestions would be appreciated! Thanks.
So, you need to work with some Oauth server and your application before process the request sent to him must validate de token on that server.
But how it works?
In short terms, must exist in your application a middleware who will do a request to oauth server, after you receive that response (if will not with authentication error), you continue the process. If to exist a problem with the token or login, the oauth has the responsibility to block the process and return HTTP status 401 (when the user and pass wrong) or 403 (when the user doesn't have the permission to the resource).
Here are a few examples to follow.
I am building an application which needs to authenticate from another application (via api)which provides response status(success, failure) and an access-token.I need simple authentication where when user supplies correct credentials, I hit the api and save the authentication user name and access-token in session and have a persistent session.I have tried looking passport http and other strategies.But I don't think they serve this use case?Kindly let me know if I am wrong and what is the easy and effective way to achieve this.
You don't need store access-token in session.
The easiest way is use JWT (JSON Web Token) - http://jwt.io. When user sends username\password credentials to your API, you check if these credentials is correct. After that you are signing JWT and respond to the client.
When client sends to you signed access-token, you can check it with passport-jwt module - https://www.npmjs.com/package/passport-jwt.
I would like to implement a cross domain authentication system similar to StackExchange. Here is the flow that stackexchange uses:
Verify that the user is not authenticated.
Make a request to "/users/login/global", the server responds with a token.
Make a request to the stackauth.com/auth/global with the previously acquired token (in step 2). The server returns a javascript which is executed when loaded.
The javascript makes an other ajax request to the auth server with the token and returns an other token (authToken).
The client makes another request to "/users/login" with the authToken. The server returns a session cookie.
Before I try to implement it myself, I would like clarify some steps. How does the authentication server and the current stackexchange are interacting in the backend? What the first and the second token respectively do? Is there any security concerns I should be aware of?
I'm working on a client- server system where the client is an iphone app that communcates with the backend via SOAP messages.
Right now the client sends the username and password in the SOAP body with each request, which isn't good of course.
The solution to this needn't (in fact: can't) be too sophisticated, I just don't want to send the username and password around too much.
Would an "okay" solution be to let the client authenticate once with username/ pw, then receive a token that is valid for say 1 hour and has to be sent with every request?
What would be the 'best practice' for this scenario? WS- Security?
Using security token valid for a certain period is pretty common practice. Sending credentials with each request is certainly not recommended.
you can refer following links for more details:
https://softwareengineering.stackexchange.com/questions/83037/best-practices-for-expiration-of-tokens-in-a-security-token-service-sts
https://developers.google.com/accounts/docs/MobileApps