How to implement a secure REST API with node.js

by

I’ve had the same problem you describe. The web site I’m building can be accessed from a mobile phone and from the browser so I need an api to allow users to signup, login and do some specific tasks. Furthermore, I need to support scalability, the same code running on different processes/machines.

Because users can CREATE resources (aka POST/PUT actions) you need to secure your api. You can use oauth or you can build your own solution but keep in mind that all the solutions can be broken if the password it’s really easy to discover. The basic idea is to authenticate users using the username, password and a token, aka the apitoken. This apitoken can be generated using node-uuid and the password can be hashed using pbkdf2

Then, you need to save the session somewhere. If you save it in memory in a plain object, if you kill the server and reboot it again the session will be destroyed. Also, this is not scalable. If you use haproxy to load balance between machines or if you simply use workers, this session state will be stored in a single process so if the same user is redirected to another process/machine it will need to authenticate again. Therefore you need to store the session in a common place. This is typically done using redis.

When the user is authenticated (username+password+apitoken) generate another token for the session, aka accesstoken. Again, with node-uuid. Send to the user the accesstoken and the userid. The userid (key) and the accesstoken (value) are stored in redis with and expire time, e.g. 1h.

Now, every time the user does any operation using the rest api it will need to send the userid and the accesstoken.

If you allow the users to signup using the rest api, you’ll need to create an admin account with an admin apitoken and store them in the mobile app (encrypt username+password+apitoken) because new users won’t have an apitoken when they sign up.

The web also uses this api but you don’t need to use apitokens. You can use express with a redis store or use the same technique described above but bypassing the apitoken check and returning to the user the userid+accesstoken in a cookie.

If you have private areas compare the username with the allowed users when they authenticate. You can also apply roles to the users.

Summary:

sequence diagram

An alternative without apitoken would be to use HTTPS and to send the username and password in the Authorization header and cache the username in redis.

More Related Contents:

  1. No ‘Access-Control-Allow-Origin’ – Node / Apache Port Issue
  2. Understanding passport serialize deserialize
  3. Allow CORS REST request to a Express/Node.js application on Heroku
  4. ERR_HTTP_HEADERS_SENT: Cannot set headers after they are sent to the client
  5. TypeError: db.collection is not a function
  6. passport’s req.isAuthenticated always returning false, even when I hardcode done(null, true)
  7. Redirecting to previous page after authentication in node.js using passport.js
  8. passport.js passport.initialize() middleware not in use
  9. passport.js RESTful auth
  10. Using PassportJS, how does one pass additional form fields to the local authentication strategy?
  11. Node + Express + Passport: req.user Undefined
  12. How to know if user is logged in with passport.js?
  13. collection is not defined in mongodb
  14. Express.js req.body undefined
  15. Cannot overwrite model once compiled Mongoose
  16. How to separate routes on Node.js and Express 4?
  17. How to get all registered routes in Express?
  18. Cannot POST / error using express
  19. req.locals vs. res.locals vs. res.data vs. req.data vs. app.locals in Express middleware
  20. Cannot enqueue Handshake after invoking quit
  21. ExpressJS : How to redirect a POST request with parameters
  22. Print raw html strings on EJS
  23. How to create global variables accessible in all views using Express / Node.JS?
  24. How to send an html page as email in nodejs
  25. Deploy Nodejs on Heroku fails serving static files located in subfolders
  26. Model.find().toArray() claiming to not have .toArray() method
  27. What are “signed” cookies in connect/expressjs?
  28. Node.js, can’t open files. Error: ENOENT, stat ‘./path/to/file’
  29. Why POST redirects to GET and PUT redirects to PUT?
  30. Passing arguments to require (when loading module)

Leave a Comment