API re-authentication and session management for Express.js

I have studied RESTful authentication many times, and still cannot understand how I can design my web architecture. I have many unanswered questions.

I want my API to be served on both mobile devices and the Internet, and I use Express v4.

I don't want to use basic authentication, which many posts offer as the simple way out, and I could use the Passport middleware, but I want to use token-based authentication or something similar or better, and I want to implement the authentication myself so I can understand it better; I'm just not sure how to achieve this.

Below I will simplify the proposed authentication architecture:

New User Registration

  • Client side

Send the username and password to the server. (I know that if you want a secure connection you use https, but is that how I should send my credentials, or are there other options besides https? Or would I need to use public and private keys, with a timestamp and a hash of my credentials, before sending them to the server? How can I do this? Is there a better option?)

  • Server side

Hash the password with a salt and store the hashed password and the salt, then generate a token ID and send it to the client; should the token ID be stored in sessions or in a Redis database?

Doesn't this use of sessions violate REST again? But if I don't use sessions, how can I save the token ID and compare it with the one the client sends?

  • Client side

Since I now have a token id, how can I store it on the client side?

  1. Should I use a cookie? If so, will this violate REST? And how can my mobile app store cookies?
  2. What other options do I have besides a cookie? I can't think of anything.

Authorization API

  • Client side

Now that I have a token ID, I will put it in the Authorization header every time I send a request to the server.

  • Server side

When the request is received, the server checks the API token and compares it with the session token; if it matches, the request is allowed, otherwise it is rejected.

Is this the standard way to authorize Express applications?

I apologize for the long post, but I feel that I really have to master authentication and authorization, because it is important. I really hope someone can correct my misconception about REST authentication and answer my questions or offer me a better way to do this.

1 answer
  • Send the user credentials over https.
  • To compare the token sent by the client, you can save it in a map or in a Redis store, keyed by the user ID, and match it in order to consider the user authenticated. This does not defeat the purpose of REST; in REST, authorization tokens are sessions that are only valid until their expiration date.
  • Express does not have any specific or standard authorization method; it lets you use any backend to perform authentication and authorization according to the requirements of your application.

Source: https://habr.com/ru/post/970397/