5

I'm building a JSON RESTful API built with node.js and express.js,

the API will be accessed both by client side AJAX calls (from Ember.js) and by a native Android mobile app (standard HTTP requests).

I'm looking into two things:

1) authentication - how to know which user is accessing the API, in development I used an API key for each user and passed it in the request header

2) security - how to make sure only real authenticated users access private data.

are API keys a good strategy both for native mobile clients and for AJAX calls ? (user sends user+pass to the API and receives an API key, which is then used for creating additional requests)

should I be looking at something like OAUTH (1 or 2) ? I currently don't have plans for 3rd party applications to access the API so I don't need Authorization, but this can change in the future.

does it mean that I need to have my own OAUTH provider server ?

Improve this question
3
  • OAuth would be a good existing and generic solution for your problem that solves a number of possible future problems as well. Is there any reason for you not to use it? Commented Dec 13, 2012 at 11:12
  • I don't have any experience with OAuth so I asked about the strategy first.. do I need to run my own OAuth provider server ? Commented Dec 13, 2012 at 11:54
  • Did you get the answer now? I have the same puzzle. Commented Aug 18, 2014 at 3:50

1 Answer 1

Reset to default
0

You may use the express.js sessions for normal authentication with a session key stored in the session store. For compatibility with non-cookie REST calls, you may use an additional field, "mySessionId", added to the query or to the body of the request. Then modify your authentication verification to check for that extra field. Perhaps an example would be more useful:

In express:

var server = express.createServer(); server.use(express.cookieParser()); server.use(express.session(sessionInfoObject)); server.get("/path/to/endpoint", function(request, response) { if(typeof(request.query.mySessionId) != "undefined") { // authenticate with the session id in mySessionId // eg: if (getSession(request.query.mySessionId).isAuth) {} } else { // session authentication, use request.session // eg: if (getSession(request.query.mySessionId).isAuth) {} } });

If you choose to go down this path, make sure that when you authenticate the user, you also add user-related data in the session. It will make your life a lot easier. Example:

if(authenticated) { request.session.isAuth = true; request.session.customId = customId; }

There are alternatives, but this is the one that i find easiest.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.