ExpressJS API Token Authentication

Question

I'm using ExpressJS and am trying to figure out the best (and most secure) way for me to authenticate a user as the iPhone app sends requests.

1. Should I use PassportJS with the Passport Bearer strategy to log users in and validate users?
2. In the Passport Bearer strategy working example here, it shows that they're finding the user by a token which is part of the User object. I assume that means I would be storing the token the User is using as a column in the Users table?
3. Is the standard to also use sessions with token authentication? And if it is the standard, should I be having the client pass in the sessionId, and search for the user that way?
4. For security reasons, should I also have the client pass in a privateKey which is checked against the privateKey stored in my config file

Answer 1

1) yes you can go that way

2) you can do that way but today I guess everyone is going with JWT (jwt.io) which basically are tokens with data in it, so basically you can authenticate with those, without even querying the DB. In the token, you could even have permissions scopes and check them every time you need an authenticated action. Example: https://github.com/DevAlien/Axolot/blob/master/lib/helper.js

3) If you use a token authentication I would not use Sessions. You don't need state.

4) I guess not

Answer 2

look at here: https://www.npmjs.com/package/tokens2 Tokens2 is a token based authentication module that works based on two tokens: 1- json web token (jwt) ensures the used is logged in is a valid user 2- access token which makes sure the user is not invalidated This protocol works based on a short time to live jwt token. The access token is persisted in a database which never expires unless we invalidate the user. JWT suffers from token invalidation and has serious issues for mobile users.