I've been reading a lot about the topic but all I find are obsolete or partial answers, which don't really help me that much and actually just confused me more. I'm writing a REST API (Node+Express+MongoDB) that is accessed by a web app (hosted on the same domain as the API) and an Android app.
I want the API to be accessed only by my applications and only by authorized users. I also want the users to be able to signup and login only using their Facebook account, and I need to be able to access some basic info like name, profile pic and email.
A possible scenario that I have in mind is:
Does this make sense? Does this approach have any macroscopic security hole that I'm missing? One problem I see using MongoDB to store this info is that the collection will quickly become bloated with old tokens. In this sense I think it would be best to use Redis with an expire policy of 1 hour so that old info will be automatically removed by Redis.
Use HTTPS/TLS for REST APIs
HTTPS and Transport Layer Security (TLS) offer a secured protocol to transfer encrypted data between web browsers and servers. Apart from other forms of information, HTTPS also helps to protect authentication credentials in transit.
Under Products in the App Dashboard's left side navigation menu, click Facebook Login, then click Settings. Verify the Valid OAuth redirect URIs in the Client OAuth Settings section.
state: A string value created by your app to maintain state between the request and callback.
In case you're wondering what OAuth2 is, it's the protocol that enables anyone to log in with their Facebook account. It powers the “Log in with Facebook” button in apps and on websites everywhere. This article shows you how “Log in with Facebook” works and explains the protocol behind it all.
I think the better solution would be this:

- fb_access_token given, make sure it's valid. Get user_id, email and cross-reference this with existing users to see if it's a new or old one.
- api_access_token that you give back to the webapp and Android app. If you need Facebook for anything other than login, store that fb_access_token and in your DB associate it with the new api_access_token and your user_id.
- api_access_token to authenticate it. If you need the fb_access_token for getting more info, you can do so by retrieving it from the DB.

In summary: Whenever you can, avoid passing the fb_access_token. If the api_access_token is compromised, you have more control to see who the attacker is, what they're doing etc. than if they were to get ahold of the fb_access_token. You also have more control over setting an expiration date, extending fb_access_tokens, etc.
Just make sure whenever you pass an access_token of any sort via HTTP, use SSL.