Home / Questions / 24786
Accepted
Kevin AB
Asked: 2020-09-24 03:58:26 +0800 CST 2020-09-24 03:58:26 +0800 CST

Query about protection of apis and sessions in nodejs

  • 772

My query is the following, I want to manage user sessions, that is, an account, each have their own things, I also want to protect my apis, doing some research, I have seen that I can use jwt in nodejs together with sails to manage sessions , I have also seen that with passport I can do it, now well, with respect to apis protection I have seen that it can be done with jwt.

-For those who have already worked with it, what other alternatives exist to manage sessions (I see that passport is discontinued) and according to your experience, which one would you choose for it, the same for API protection.

nodejs

2 Answers

  1. Best Answer

    To start with, we should discuss the difference between a session and a token-based authentication system . JSON Web Token in this case.

    The main difference is that JWT is stateless, that is, the server does not maintain the state of the communicating client. On the other hand, sessions do. That said, with sessions the client is authenticated only once (at least until the session expires) but the server needs to keep a minimum amount of data from that client to maintain the session, on the other hand a token needs to be sent in each request to the server to authenticate/validate the request.

    Think of the tokens as a club bracelet, (which you have previously bought), you can enter and leave the club as many times as you want, as long as you present the bracelet at the entrance. At that point, it is the responsibility of the club to be able to validate the bracelet, that is, to know if it is original, and you have not made it yourself. The club does not care where you bought it, what your name is, or how many times you have entered and left, it only matters to be able to define if the bracelet (token) is true. All this in the context of authentication of course.

    For an API, using JSON Web Token has several advantages:

    • JWTs are self-contained , they carry information within themselves, such as user information for example. This can save you database queries.

    • They can be easily transferred everywhere. This is useful, for example, if you have several microservices and you want several clients (a web application and a mobile application) to authenticate with the same token. It is enough that the servers involved know the saltone that was used to apply the hash on the token.

    • Since it is a standard, you can use it with different types of platforms and programming languages.

    If you are using expressjs. A good starting point would be express-jwt.

    • 1

  2. I see that passport is discontinued

    Although there is still no official statement from Jared Hanson, it can be deduced that there is from the date of the last commit (May 04).

    Doing it with JWT is really very simple. You only need to generate a token and a middleware that checks the token in each request to the API.

    Benefits

    • Scalability: tokens are stored on the client but not on the backend as we would if we were using sessions. Thus the application tends to become more scalable.
    • Security: as it is not stored in cookies we have a security plus against CSRF attacks, we already prevent the session from being manipulated.
    • Simplicity: since the token goes as a header in each request, we do not need to do anything more than check the integrity of the token.

    Example

    The first thing we need to do is authenticate the user. For this we map a route in our API for it; let's https://example.com/api/authsay

    Required packages - express - body-parser - method-override - jsonwebtoken - bcrypt-nodejs

    Authentication and token creation

    import express from 'express';
import jwt from 'jsonwebtoken';
import bcrypt from 'bcrypt-nodejs';

const Router = express.Router();

Router.post('/auth', (request, response) => {
  User.findOne({ name: request.body.name })
    .then(user => {
      if(!user) {
        return response.json({
          success: false,
          message: 'Usuario inexistente'
        });
      }
      if(!bcrypt.compareSync(request.body.password, user.password)) {
        return response.json({
          success: false,
          message: 'Contraseña incorrecta'
        });
      }
      const token = jwt.sign(user, app.get('phrase'), {
        expiresInMinutes: 720 // 12 horas
      });

      return response.json({
        success: true,
        message: 'Usuario logueado',
        token
      });
    });
});

export default Router;

    Middleware

    Next, we have to write the middleware to check the token on each request.

    import express from 'express';
import jwt from 'jsonwebtoken';

const Router = express.Router();

Router.use((request, response, next) => {
  const token = req.body.token || req.query.token || req.headers['x-access-token'];
  if(token) {
    jwt.verify(token, app.get('phrase'), (err, decoded) => {
      if(err) {
        return response.json({
          success: false,
          message: 'Token inválido. ¿Intentas bypassearme? >:|'
        });
      }
      request.decoded = decoded;
      next();
    })
  } else {
    return response.json({
      success: false,
      message: 'No hay un token asociado a esta petición'
    });
  }
});
export default Router;

    Finally you associate that middleware with the API url:

    app.use('/api', AuthMiddleware);
    • 0