I'd like to secure a restful Api, and I'm trying to keep it as simple as possible, as well as being stateless.
What is the optimal way to store, generate, and authenticate api keys? I was thinking about generating keys with node-uuid, storing them in redis, and then authenticating them with passport-apikeys.
Would this work? Or is there another optimal solution that I'm missing.
I have been reading up on this a good amount, but a lot of resources are missing the actually implementation, like this post
-
Can you please explain us how your plan fits in an "stateless" approach? It looks to me it is notDalorzo– Dalorzo2014年05月03日 20:28:52 +00:00Commented May 3, 2014 at 20:28
-
I don't want to have to keep track of sessions, I just need to check if they have a key or not.user2758113– user27581132014年05月03日 20:30:00 +00:00Commented May 3, 2014 at 20:30
-
Isn't that what a session does?Dalorzo– Dalorzo2014年05月03日 20:30:40 +00:00Commented May 3, 2014 at 20:30
-
From your question it's hard to understand how the user gets their keys ? Passport-apikeys sounds good, make sure you correctly using the keys and also allow regeneration.Risto Novik– Risto Novik2014年05月03日 20:54:20 +00:00Commented May 3, 2014 at 20:54
1 Answer 1
Your solution sounds OK to me, but not that secure enough I'm afraid. I'd like to suggest you sign the request with the key, so that you can protect your API from tampering. So you need to generate a key pair, let's say access id and access key, to the user who is going to use your API. The HTTP request will have two sections, one is the access id, the other is a signature that calculate the whole request content by the access key. But access key should never by passed through HTTP. So in server side you can check the signature of the HTTP request by the access key stored in Redis.
You can use Node.js Crypto module for this. http://nodejs.org/api/crypto.html#crypto_class_hmac
Hope this helps a bit.
1 Comment
Explore related questions
See similar questions with these tags.