 

node.js REST api authentication and oauth2

I have several questions:

1) Is it good practice to use a REST API both for external API usage and as the server side for a Backbone (or plain JS) frontend? I think it's much easier to code one REST API server and use it as a backend.

2) If I write my webapp authentication with the OAuth 2 standard, is it a good way to store my secret token in a cookie? I think this will cause a CSRF vulnerability.

As I see it, passport.js uses cookies to store the secret token, for example for Facebook or Twitter... What about CSRF in this case?

Shadowfax asked Mar 18 '13 08:03




1 Answer

This is a very interesting question, I'm surprised nobody answered yet.

1) To the first question, my answer is definitely yes! You don't want to write the API logic twice.

What you could do is to use different URLs.

E.g. for the public API, you use http://api.domain.com/objects/ whereas for the internal one, you could use http://domain.com/api/objects/ or whatever you prefer.

Then you use the same logic, but with different authentication strategies: the public one with an authentication token, like many popular APIs (Twitter, Facebook etc.), and the private one using passport.js's logs.

The good things about separating are:

  • You separate security issues
  • You can control access bandwidth if your app transfers a lot of data (and you want to give a higher priority to your app ... well, probably!)
  • Or simply you can control authorizations (e.g. no DELETE through the public API)

2) I'm not a security guru, but I would definitely trust passport.js's authentication system, as it is widely used when using node as a backend.

You could refer to this question for implementing CSRF security in express: How to implement CSRF protection in Ajax calls using express.js (looking for complete example)?

Or another strategy is to use a refresh token if you use the FB or Twitter connect strategies.

Hope it helps.

Augustin Riedinger answered Oct 27 '22 06:10