 

How should I store a token generated by a RESTful API?

I have built an API that generates an authentication token for the users that log in. At this time I also have a client application written in Node.js.
When I make the request with the user credentials from the client application to the API, I get the authentication token: how should I store it in the client application? I'm not supposed to request a token every time I want to make a request to the API, correct?
I thought about putting the token in a cookie, but I don't think that's the best solution. What would you recommend?

446 likes
IgorSousaPT asked Feb 23 '15 13:02




2 Answers

Upon successful login, a unique, one-use token should be created server side and stored in the database against a user id and timestamp. You store the token in a cookie client-side. You then pass the token up to every subsequent API call. The server should then check the token is valid (i.e. not expired: say, issued or updated less than 30 minutes ago). If it is valid, you can retrieve the user details stored against that token and perform whatever backend functionality you need (as the user is authenticated). You then update the timestamp for that token (refresh the session, as you want the login to time out after, say, 30 minutes of no user interaction). If a token is expired or non-existent when you get the API call, redirect to the login page.

Also, you probably know this already, but make sure the token is unique and non-guessable. I tend to generate new random GUIDs and encrypt them; do not use sequential ids or anything like that.

51 likes
C. Ridley answered Oct 01 '22 17:10


I think that this link could help you:

  • Implementing authentication with tokens for restful applications - https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/

In fact, you should have a token with an expiration date, so you don't have to get a new token each time before sending a request. When the token expires, you simply need to get a new one from a "refresh token" service.

Regarding the question about how to store the token in the client application, I think that you could keep it in memory (map or embedded database).

Otherwise, to finish, I don't think that it's a good idea to use cookies in such a use case.

Hope it will help you. Thierry

23 likes
Thierry Templier answered Oct 01 '22 17:10
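The client side of the answer above (keep the token in memory, use it until it expires, then obtain a fresh one rather than logging in before every request), as an added Node.js example that is not the answerer's code. The `login` and `request` functions are injected and assumed to be synchronous here so the example runs offline; a real client would pass promise-returning HTTP calls and `await` them. The response shape `{ token, expiresInMs }` and the 401-on-bad-token convention are assumptions of this example, and `makeFakeApi` is a constructed stand-in for the server.

```javascript
// Added example: token kept only in process memory, renewed before expiry and
// re-obtained once if the server rejects it (revocation, clock drift).
class TokenSession {
  constructor({ login, request, now = () => Date.now(), skewMs = 5000 }) {
    this.login = login;     // () => ({ token, expiresInMs })   (assumed API shape)
    this.request = request; // (path, token) => ({ status, body })
    this.now = now;
    this.skewMs = skewMs;   // renew a little before the server's own deadline
    this.token = null;      // never written to disk or to a cookie
    this.expiresAt = 0;
  }

  // Returns a usable token, fetching a new one only when none is held or the
  // held one is about to expire.
  getToken() {
    if (this.token === null || this.now() + this.skewMs >= this.expiresAt) {
      const { token, expiresInMs } = this.login();
      this.token = token;
      this.expiresAt = this.now() + expiresInMs;
    }
    return this.token;
  }

  // One API call. A 401 means the server no longer accepts the token, so it is
  // discarded and the call retried once with a freshly obtained token.
  call(path) {
    let res = this.request(path, this.getToken());
    if (res.status === 401) {
      this.forget();
      res = this.request(path, this.getToken());
    }
    return res;
  }

  // Explicit logout on the client side.
  forget() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Constructed fake server: issues sequential tokens and accepts only the newest.
function makeFakeApi() {
  let issued = 0;
  let current = null;
  return {
    login: () => {
      issued += 1;
      current = `tok-${issued}`;
      return { token: current, expiresInMs: 60000 };
    },
    request: (path, token) =>
      token === current ? { status: 200, body: `${path}: ok` } : { status: 401, body: 'unauthorized' },
    revokeAll: () => { current = null; }, // simulate server-side invalidation
    issuedCount: () => issued,
  };
}
```

Because the token lives in a local variable of the running process, it disappears when the client exits, which is the property the answer is after; the retry-on-401 path is what makes server-side expiry or revocation invisible to the code that calls `session.call()`.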