Nodejs authorization approaches










0















Before I have to say that I've found some post related this question but not fully answered.



So I implement a nodejs REST API server, DB with mongoDB, however about authentication i understand the idea, with jwt token it work perfect.



/api/login


you get response with token. now you can request resource with this token
for example.



api/posts/:user_id


get all your posts...No problem! query with mongoose findBy.. bla bla!



so for authorization in this case it's easy, check for query param user_id is equal to token (token parse with user_id). boom resources is secure.



but in case that I have some resources they're not reference by user_id, What is best practice to protect this resources?!



example



api/settings/:settings_id/emails


imagine that I know the setting_id of other user, and i authenticated with token. so how server will know this resources is not allowed for me?






javascript node.js







share|improve this question
























  • This is usually done using some combination of HTTP headers and/or cookies.

    – TypeIA
    Nov 14 '18 at 21:37
















0















Before I have to say that I've found some post related this question but not fully answered.



So I implement a nodejs REST API server, DB with mongoDB, however about authentication i understand the idea, with jwt token it work perfect.



/api/login


you get response with token. now you can request resource with this token
for example.



api/posts/:user_id


get all your posts...No problem! query with mongoose findBy.. bla bla!



so for authorization in this case it's easy, check for query param user_id is equal to token (token parse with user_id). boom resources is secure.



but in case that I have some resources they're not reference by user_id, What is best practice to protect this resources?!



example



api/settings/:settings_id/emails


imagine that I know the setting_id of other user, and i authenticated with token. so how server will know this resources is not allowed for me?






javascript node.js







share|improve this question
























  • This is usually done using some combination of HTTP headers and/or cookies.

    – TypeIA
    Nov 14 '18 at 21:37














0












0








0








Before I have to say that I've found some post related this question but not fully answered.



So I implement a nodejs REST API server, DB with mongoDB, however about authentication i understand the idea, with jwt token it work perfect.



/api/login


you get response with token. now you can request resource with this token
for example.



api/posts/:user_id


get all your posts...No problem! query with mongoose findBy.. bla bla!



so for authorization in this case it's easy, check for query param user_id is equal to token (token parse with user_id). boom resources is secure.



but in case that I have some resources they're not reference by user_id, What is best practice to protect this resources?!



example



api/settings/:settings_id/emails


imagine that I know the setting_id of other user, and i authenticated with token. so how server will know this resources is not allowed for me?






javascript node.js







share|improve this question
















Before I have to say that I've found some post related this question but not fully answered.



So I implement a nodejs REST API server, DB with mongoDB, however about authentication i understand the idea, with jwt token it work perfect.



/api/login


you get response with token. now you can request resource with this token
for example.



api/posts/:user_id


get all your posts...No problem! query with mongoose findBy.. bla bla!



so for authorization in this case it's easy, check for query param user_id is equal to token (token parse with user_id). boom resources is secure.



but in case that I have some resources they're not reference by user_id, What is best practice to protect this resources?!



example



api/settings/:settings_id/emails


imagine that I know the setting_id of other user, and i authenticated with token. so how server will know this resources is not allowed for me?






javascript node.js




javascript node.js






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 29 '18 at 23:33









Sam

2,21411927




2,21411927










asked Nov 14 '18 at 21:31









AlinAlin

188112




188112












  • This is usually done using some combination of HTTP headers and/or cookies.

    – TypeIA
    Nov 14 '18 at 21:37


















  • This is usually done using some combination of HTTP headers and/or cookies.

    – TypeIA
    Nov 14 '18 at 21:37

















This is usually done using some combination of HTTP headers and/or cookies.

– TypeIA
Nov 14 '18 at 21:37






This is usually done using some combination of HTTP headers and/or cookies.

– TypeIA
Nov 14 '18 at 21:37













2 Answers
2






active

oldest

votes


















1














First, you should do more to protect the token in the first place. When you issue a token after a user logs in you should store their token on either web storage like sessionStrorage if https is enforced or use an httpOnly cookie (You can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request in behalf of.



You could use something like passport-jwt as a middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token and if they do and it validates it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request which lets you compare that with the user information they are requesting.



app.post('/settings/:settings_id/emails', passport.authenticate('jwt', session: false ),
 function(req, res) 
 res.send(req.user.id);
 
);





share|improve this answer
































    -2














    Instead of keeping track of the user_id in javascript in the browser, save it to a cookie upon login. Using express.js that would be



    app.post('/api/login', function(req, res) 
     var user_id = "someid-1354654";
     res.cookie("user_id", user_id);
     res.send("hello there. I've just set a cookie.");
    );


    When a new request comes in, check if the cookie is (still) there:



    app.get('/api/settings/:settings_id/emails', function(req, res) 
     if(req.cookies.user_id == "someid-1354654")
     res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
     else
     res.send("you don't have access.");
    );


    It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.






    share|improve this answer

























    • Couldn’t anyone just change their user_id cookie and imitate other users??

      – XaxD
      Nov 15 '18 at 2:24











    • @XaxD not if you set them to httpOnly

      – Yeysides
      Nov 15 '18 at 2:28











    • @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

      – Sam
      Nov 15 '18 at 11:12










    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53309030%2fnodejs-authorization-approaches%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    First, you should do more to protect the token in the first place. When you issue a token after a user logs in you should store their token on either web storage like sessionStrorage if https is enforced or use an httpOnly cookie (You can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request in behalf of.



    You could use something like passport-jwt as a middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token and if they do and it validates it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request which lets you compare that with the user information they are requesting.



    app.post('/settings/:settings_id/emails', passport.authenticate('jwt', session: false ),
     function(req, res) 
     res.send(req.user.id);
     
    );





    share|improve this answer





























      1














      First, you should do more to protect the token in the first place. When you issue a token after a user logs in you should store their token on either web storage like sessionStrorage if https is enforced or use an httpOnly cookie (You can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request in behalf of.



      You could use something like passport-jwt as a middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token and if they do and it validates it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request which lets you compare that with the user information they are requesting.



      app.post('/settings/:settings_id/emails', passport.authenticate('jwt', session: false ),
       function(req, res) 
       res.send(req.user.id);
       
      );





      share|improve this answer



























        1












        1








        1







        First, you should do more to protect the token in the first place. When you issue a token after a user logs in you should store their token on either web storage like sessionStrorage if https is enforced or use an httpOnly cookie (You can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request in behalf of.



        You could use something like passport-jwt as a middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token and if they do and it validates it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request which lets you compare that with the user information they are requesting.



        app.post('/settings/:settings_id/emails', passport.authenticate('jwt', session: false ),
         function(req, res) 
         res.send(req.user.id);
         
        );





        share|improve this answer















        First, you should do more to protect the token in the first place. When you issue a token after a user logs in you should store their token on either web storage like sessionStrorage if https is enforced or use an httpOnly cookie (You can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request in behalf of.



        You could use something like passport-jwt as a middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token and if they do and it validates it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request which lets you compare that with the user information they are requesting.



        app.post('/settings/:settings_id/emails', passport.authenticate('jwt', session: false ),
         function(req, res) 
         res.send(req.user.id);
         
        );






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 15 '18 at 4:17

























        answered Nov 15 '18 at 2:04









        YeysidesYeysides

        75411021




        75411021























            -2














            Instead of keeping track of the user_id in javascript in the browser, save it to a cookie upon login. Using express.js that would be



            app.post('/api/login', function(req, res) 
             var user_id = "someid-1354654";
             res.cookie("user_id", user_id);
             res.send("hello there. I've just set a cookie.");
            );


            When a new request comes in, check if the cookie is (still) there:



            app.get('/api/settings/:settings_id/emails', function(req, res) 
             if(req.cookies.user_id == "someid-1354654")
             res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
             else
             res.send("you don't have access.");
            );


            It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.






            share|improve this answer

























            • Couldn’t anyone just change their user_id cookie and imitate other users??

              – XaxD
              Nov 15 '18 at 2:24











            • @XaxD not if you set them to httpOnly

              – Yeysides
              Nov 15 '18 at 2:28











            • @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

              – Sam
              Nov 15 '18 at 11:12















            -2














            Instead of keeping track of the user_id in javascript in the browser, save it to a cookie upon login. Using express.js that would be



            app.post('/api/login', function(req, res) 
             var user_id = "someid-1354654";
             res.cookie("user_id", user_id);
             res.send("hello there. I've just set a cookie.");
            );


            When a new request comes in, check if the cookie is (still) there:



            app.get('/api/settings/:settings_id/emails', function(req, res) 
             if(req.cookies.user_id == "someid-1354654")
             res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
             else
             res.send("you don't have access.");
            );


            It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.






            share|improve this answer

























            • Couldn’t anyone just change their user_id cookie and imitate other users??

              – XaxD
              Nov 15 '18 at 2:24











            • @XaxD not if you set them to httpOnly

              – Yeysides
              Nov 15 '18 at 2:28











            • @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

              – Sam
              Nov 15 '18 at 11:12













            -2












            -2








            -2







            Instead of keeping track of the user_id in javascript in the browser, save it to a cookie upon login. Using express.js that would be



            app.post('/api/login', function(req, res) 
             var user_id = "someid-1354654";
             res.cookie("user_id", user_id);
             res.send("hello there. I've just set a cookie.");
            );


            When a new request comes in, check if the cookie is (still) there:



            app.get('/api/settings/:settings_id/emails', function(req, res) 
             if(req.cookies.user_id == "someid-1354654")
             res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
             else
             res.send("you don't have access.");
            );


            It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.






            share|improve this answer















            Instead of keeping track of the user_id in javascript in the browser, save it to a cookie upon login. Using express.js that would be



            app.post('/api/login', function(req, res) 
             var user_id = "someid-1354654";
             res.cookie("user_id", user_id);
             res.send("hello there. I've just set a cookie.");
            );


            When a new request comes in, check if the cookie is (still) there:



            app.get('/api/settings/:settings_id/emails', function(req, res) 
             if(req.cookies.user_id == "someid-1354654")
             res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
             else
             res.send("you don't have access.");
            );


            It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Nov 15 '18 at 11:09

























            answered Nov 14 '18 at 22:09









            SamSam

            2,21411927




            2,21411927












            • Couldn’t anyone just change their user_id cookie and imitate other users??

              – XaxD
              Nov 15 '18 at 2:24











            • @XaxD not if you set them to httpOnly

              – Yeysides
              Nov 15 '18 at 2:28











            • @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

              – Sam
              Nov 15 '18 at 11:12

















            • Couldn’t anyone just change their user_id cookie and imitate other users??

              – XaxD
              Nov 15 '18 at 2:24











            • @XaxD not if you set them to httpOnly

              – Yeysides
              Nov 15 '18 at 2:28











            • @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

              – Sam
              Nov 15 '18 at 11:12
















            Couldn’t anyone just change their user_id cookie and imitate other users??

            – XaxD
            Nov 15 '18 at 2:24





            Couldn’t anyone just change their user_id cookie and imitate other users??

            – XaxD
            Nov 15 '18 at 2:24













            @XaxD not if you set them to httpOnly

            – Yeysides
            Nov 15 '18 at 2:28





            @XaxD not if you set them to httpOnly

            – Yeysides
            Nov 15 '18 at 2:28













            @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

            – Sam
            Nov 15 '18 at 11:12





            @XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.

            – Sam
            Nov 15 '18 at 11:12

















            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53309030%2fnodejs-authorization-approaches%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Top Tejano songwriter Luis Silva dead of heart attack at 64

            Image
            Ramiro Burr's New Blog - to go back: www.ramiroburr.com From Latin rock to reggaeton, boleros to blues,Tex-Mex to Tejano, conjunto to corridos and beyond, Ramiro Burr has it covered. If you have a new CD release, a trivia question or are looking for tour info, post a message here or e-mail Ramiro directly at: musicreporter@gmail.com Top Tejano songwriter Luis Silva dead of heart attack at 64 By Ramiro Burr on October 23, 2008 8:40 AM | Permalink | Comments (12) | TrackBacks (0) UPDATE: Luis Silva Funeral Service details released Visitation 4-9 p.m. Saturday, Rosary service 6 p.m. Saturday at Porter Loring, 1101 McCullough Ave Funeral Service 10:30 a.m. Monday St. Anthony De Padua Catholic Church, Burial Service at Chapel Hills, 7735 Gibbs Sprawl Road. Porter Loring (210) 227-8221 Related New Flash: Irma Laura Lopez: long time record promoter killed in accident NewsFlash: 9:02 a.m. (New comments below) Luis Silva , one of the most well-known and prolif
            Read more

            ReactJS Fetched API data displays live - need Data displayed static

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box; 0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, browser gets not responding because it gets a lot of requests. What I need just get a first snapshot of live data. Same goes for: var date = new Date; return (<p>date.toLacaleString()</p>) It gets live time (ticking every second) :D I just need date and time at that moment when it gets requested (snapshot). reactjs date time static axios share | improve this question edited Nov 16 '18 at 16:18 Sung M. Kim 17.9k 33 112 165 asked Nov 16 '18 at 13:39 Laurynas Žilinskas Laurynas Žilinskas 8 4 add a comment  |  0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, brow
            Read more

            政党

            Image
            政治主題的一部分 政党政治 政治光譜 左派 極左 中間偏左 中间派 中間偏左 激進中間 ( 英语 : Radical centrism ) 中間偏右 右派 中間偏右 極右 政綱 極端 激进 ( 英语 : Political radicalism ) 温和 ( 英语 : Moderate ) 改良 混合 ( 英语 : Syncretic politics ) 第三位置 保守 原教旨 反动 政党制度 无党制 ( 英语 : Non-partisan democracy ) 一党制 一党优势制 兩黨制 多黨制 联盟 ( 英语 : Coalition ) 懸峙國會 信任與支持 ( 英语 : Confidence and supply ) 少數派政府 聯合政府 大聯合政府 聯合政府 National unity government ( 英语 : National unity government ) Majority government ( 英语 : Majority government ) 列表 各國執政黨 政治意識形態 政治主題頁 查 论 编 系列条目 政治 基本主题 各国政治 政治经济学 政治史 ( 英语 : Political history ) 世界政治史 ( 英语 : Political history of the world ) 政治哲学 政治体系 无政府主义 城邦 民主制 联盟制 ( 英语 : Federacy ) 封建制 独裁制 委员会制 精英政治 君主制 议会制 总统制 半总统制 神权政治 学术门类 政治学 (政治学家) 国际关系学 (理论) 比较政治学 公共行政 官僚制 (基层) 灵活组织机构 ( 英语 : Adhocracy ) 政策 公共政策 ( 原则 ( 英语 : Public policy doctrine ) ) 公共利益 外交政策 政府机构 权力分立 立法机构 行政机构 司法机构 选举机构 相关主题 主权 政治行为理论 ( 英语 : Theories of political behavior ) 政治心理学 生理与政治导向 ( 英语 : Biology and political orientation ) 政治组织 ( 英语 : Political organisation ) 下属系列 选举制度 选举(投票) 联邦主义 政府 意识
            Read more