Restful API Authentication and Session management for Express.js

Question

I have been researching on RESTful authentication alot, and I still can't get a very clear idea, how can I design my web architecture. I have many questions that are unanswered.

I want my API to be served to mobile and web too and I am using Express v4.

I don't want to use Basic Authentication, as many posts have suggested as a simple way out, or I can use the Passport middleware, but I want to use token based authentication or something similar or better,and I want to make my authentication, so I could understand better, but I am not sure how can I achieve it.

I will simplify my intended authentication architecture below:

Registration of a new user

• Client side

Post username and password to server (I know if you want to make the connection secured is to use https connection, or else I will expose my credentials, or you got any other options besides https? or else I will need to use the public and private key with timestamp and hash my credentials before sending to server? How can i do this? Is there any other better option?

• Server side

Hashed the password using salt cryptography, and stored the hashed password and salt, then generate a token ID and sent to the client, and the token ID is stored in sessions or using the REDIS database?

Isn't that using sessions violates REST again? But, if I don't use sessions, how can I store the token ID and compare it with the client side?

• Client side

Since now I have the token ID, how can I store on client side?

1. Should I use cookie? If yes, will this violate the RESTful? And how can my mobile application store the cookie too?
2. What other options can I have besides cookie? I can't think of any.

Authorizing API

• Client side

Now, I have the token ID, I will place this in the authorization header each time I would like to make a request to the server.

• Server side

When a request is received, the server will check the token API, and compare it with the session token, if it is true, request allow else reject

Is this a standard way for Express application authorization?

I am sorry for the lengthy post, but I feel that I should really master the authentication and authorization because it is important. I do hope someone can correct my misconception of REST authentication and answer my questions or suggest me a better way to do it.

Answer 1

• Send the user credentials encoded over https
• To compare the token at the client side you can either keep it in map or in Redis store corresponding to user id and match it to consider user authenticated. It does not kills the significance of Rest as in Rest as well authorization tokens are sessions only which after expiry
• Express does not have any specific or standard method of authorization , it only enables you to use any db in backend to perform authentication and authorization as required by your application