All geek questions in one place

Node Express - storage and retrieval of authentication tokens

I have an Express application setup and need advice on storing tokens.

I get the access token from the OAuth 2 server after authenticating the user account, which I then need to use for subsequent api requests.

I want to hide the token value from the client, and I believe that one way to do this is to save the token on the server in an encoded cookie, so that when additional requests are received they can be redirected through middleware and the cookie can then be used to extract the saved side marker, and then used as the value of the header in the current request to the actual endpoint api.

Someone already asked this question - How to save an authentication token in an Angular application. This is exactly the thread that I work with in my application, but the answer says about using the Angular service, and I'm not sure that I would like to do this, of course, all this can be processed by Express, so the client-side code should not know about token, just any API server errors come back.

So, the flow summary, I think I need:

  • User sends login credentials
  • OAuth 2 server returns access token
  • The token is stored somewhere in Express, with an id key of type
  • A cookie is generated and sent back in response to the client. Cookie contains token value encoded, maybe? Or maybe the identifier for the value of the token stored in the Express middleware component?
  • The client executes an api request that creates the Express Route middleware.
  • Express checks for a cookie and either decodes the value of the token, or somehow retrieves it from the server side of the storage engine.
  • The token value is then used as the header between the direct and the endpoint api

Maybe there is already middleware that handles this similar thing, I already saw PassportJS, which seems to be the kind that I can use, but I'm not sure if it handles the OAuth2 token on the server I work against (providing a password ) and instead seems to be more suitable for an OAuth stream to enter a redirect.

I probably need to store the token value somewhere in Express, so some form of storage (not in memory, I don't think).

I am new to Express, so I will be grateful for any suggestions / tips on how to approach this.

thanks

+5
source share
1 answer

The safest way to do this is the same as you described:

  • Get the OAuth token from a third-party service (Google, Facebook, whatever).
  • Create a cookie using Express and save this token in a cookie. Make sure you also set the secure and httpOnly cookie flags when doing this: this ensures that the cookie CANNOT READ using client-side Javascript code or any non-SSL connection.
  • Each time a user makes a request to your site, this cookie can be read by your middleware in Express and used to create any API calls that you need for a third-party service.

If your service also needs to make asynchronous requests to Google / Facebook / etc., when the user does NOT actively click on your site, you should also store your token in your user database - this way you can make requests on behalf of the user when you need to.

I am the author of express-stormpath , Node auth library (similar to Passport), and so we do there to ensure maximum security!

+5
source

Source: https://habr.com/ru/post/1240156/

More articles:


All Articles