Edit - Stack Overflow

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Rev

Required fields*

How to implement a secure REST API with node.js

I start planning a REST API with node.js ,express and mongodb. The API provides data for a website (public and private area) and maybe later a mobile app. The frontend will be developed with AngularJS.

For some days I read a lot about securing REST APIs, but I don’t get to a final solution. As far as I understand is to use HTTPS to provide a basic security. But how I can protect the API in that use cases:

Only visitors/users of the website/app are allowed to get data for the public area of the website/app
Only authenticated and authorized users are allowed to get data for private area (and only data, where the user granted permissions)

At the moment I think about to only allow users with a active session to use the API. To authorize the users I will use passport and for permission I need to implement something for myself. All on the top of HTTPS.

Can somebody provide some best practice or experiences? Is there a lack in my "architecture"?

Answer*

I've had the same problem you describe. The web site I'm building can be accessed from a mobile phone and from the browser so I need an api to allow users to signup, login and do some specific tasks. Furthermore, I need to support scalability, the same code running on different processes/machines.

Because users can CREATE resources (aka POST/PUT actions) you need to secure your api. You can use oauth or you can build your own solution but keep in mind that all the solutions can be broken if the password it's really easy to discover. The basic idea is to authenticate users using the username, password and a token, aka the apitoken. This apitoken can be generated using [node-uuid][1] and the password can be hashed using [pbkdf2][2]

Then, you need to save the session somewhere. If you save it in memory in a plain object, if you kill the server and reboot it again the session will be destroyed. Also, this is not scalable. If you use haproxy to load balance between machines or if you simply use workers, this session state will be stored in a single process so if the same user is redirected to another process/machine it will need to authenticate again. Therefore you need to store the session in a common place. This is typically done using redis.

When the user is authenticated (username+password+apitoken) generate another token for the session, aka accesstoken. Again, with node-uuid. Send to the user the accesstoken and the userid. The userid (key) and the accesstoken (value) are stored in redis with and expire time, e.g. 1h.

Now, every time the user does any operation using the rest api it will need to send the userid and the accesstoken.

If you allow the users to signup using the rest api, you'll need to create an admin account with an admin apitoken and store them in the mobile app (encrypt username+password+apitoken) because new users won't have an apitoken when they sign up.

The web also uses this api but you don't need to use apitokens. You can use express with a redis store or use the same technique described above but bypassing the apitoken check and returning to the user the userid+accesstoken in a cookie.

If you have private areas compare the username with the allowed users when they authenticate. You can also apply roles to the users.

Summary:

![sequence diagram][3]

An alternative without apitoken would be to use HTTPS and to send the username and password in the Authorization header and cache the username in redis.


 [1]: https://github.com/broofa/node-uuid
 [2]: http://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_callback
 [3]: https://i.sstatic.net/Kbttf.png

Draft saved

Draft discarded

Edit Summary*

Cancel

1

I also use mongodb but it's pretty easy to manage if you save the session (accesstoken) using redis (use atomic operations). The apitoken is generated in the server when the user creates an account and sent it back to the user. Then, when the user wants to authenticate it must send username+password+apitoken (put them in the http body). Keep in mind that HTTP doesn't encrypt the body so the password and apitoken can be sniffed. Use HTTPS if this is a concern for you.

Gabriel Llamas
– Gabriel Llamas

2013年03月20日 10:03:37 +00:00
Commented Mar 20, 2013 at 10:03
1

what's the point on using an apitoken? is it a "secondary" password?

Salvatorelab
– Salvatorelab

2014年02月14日 12:13:19 +00:00
Commented Feb 14, 2014 at 12:13
2

@TheBronx The apitoken has 2 use cases: 1) with an apitoken you can control the access of the users to your system and you can monitor and build statistics of each user. 2) It's an additional security measure, a "secondary" password.

Gabriel Llamas
– Gabriel Llamas

2014年02月14日 18:01:53 +00:00
Commented Feb 14, 2014 at 18:01
1

Why should you send the user id again and again after successfull authentication. The token should be the only secret you need to perform API calls.

Axel
– Axel

2014年06月28日 07:43:17 +00:00
Commented Jun 28, 2014 at 7:43
1

Idea of the token - beside abusing it for tracking user activity - is, that a user ideally does not need any username and password for using an application: The token is the unique access key. This allows users to drop any key at any time affecting only the app but not the user account. For a webservice a token is quite unhandy - that's why an initial login for a session is the place where the user gets that token - for a "regular" client ab, an token is no problem: Enter it once and you'r almost done ;)

Axel
– Axel

2014年06月28日 07:44:23 +00:00
Commented Jun 28, 2014 at 7:44

| Show 8 more comments

How to Edit

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author

How to Format

create code fences with backticks ` or tildes ~
```
like so
```
add language identifier to highlight code
```python
def function(foo):
print(foo)
```
put returns between paragraphs
for linebreak add 2 spaces at end
_italic_ or **bold**
indent code by 4 spaces
backtick escapes `like _so_`
quote by placing > at start of line
to make links (use https whenever possible)

<https://example.com>

[example](https://example.com)

<a href="https://example.com">example</a>

formatting help »
answering help »

How to Tag

A tag is a keyword or label that categorizes your question with other, similar questions. Choose one or more (up to 5) tags that will help answerers to find and interpret your question.

complete the sentence: my question is about...
use tags that describe things or concepts that are essential, not incidental to your question
favor using existing popular tags
read the descriptions that appear below the tag

If your question is primarily about a topic for which you can't find a tag:

combine multiple words into single-words with hyphens (e.g. python-3.x), up to a maximum of 35 characters
creating new tags is a privilege; if you can't yet create a tag you need, then post this question without it, then ask the community to create it for you

popular tags »

lang-js

CollectivesTM on Stack Overflow

How to implement a secure REST API with node.js

Answer*