Nodejs authorization approaches
First I have to say that I've found some posts related to this question, but they were not fully answered.
So I implemented a Node.js REST API server with a MongoDB database. As for authentication, I understand the idea, and with a JWT token it works perfectly.
/api/login
You get a response with a token. Now you can request resources with this token,
for example:
api/posts/:user_id
get all your posts... No problem! Query with mongoose findBy... bla bla!
So for authorization in this case it's easy: check that the query param user_id is equal to the one in the token (the token is parsed with user_id). Boom, the resources are secure.
But in the case that I have some resources that are not referenced by user_id, what is the best practice to protect these resources?!
Example:
api/settings/:settings_id/emails
Imagine that I know the settings_id of another user, and I am authenticated with a token. So how will the server know this resource is not allowed for me?
javascript node.js
edited Nov 29 '18 at 23:33 by Sam
asked Nov 14 '18 at 21:31 by Alin
This is usually done using some combination of HTTP headers and/or cookies.
– TypeIA
Nov 14 '18 at 21:37
2 Answers
First, you should do more to protect the token in the first place. When you issue a token after a user logs in, you should store their token either in web storage like sessionStorage if HTTPS is enforced, or in an httpOnly cookie (you can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request on behalf of.
You could use something like passport-jwt as middleware in express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token, and if they do and it validates, it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically with this approach, you know the user_id on every request, which lets you compare that with the user information they are requesting.
app.post('/settings/:settings_id/emails', passport.authenticate('jwt', { session: false }),
  function(req, res) {
    // req.user was populated by passport-jwt from the validated token
    res.send(req.user.id);
  });
edited Nov 15 '18 at 4:17
answered Nov 15 '18 at 2:04 by Yeysides
Instead of keeping track of the user_id in JavaScript in the browser, save it to a cookie upon login. Using express.js that would be
var express = require('express');
var cookieParser = require('cookie-parser'); // needed so that req.cookies is populated below
var app = express();
app.use(cookieParser());
app.post('/api/login', function(req, res) {
  var user_id = "someid-1354654";
  res.cookie("user_id", user_id);
  res.send("hello there. I've just set a cookie.");
});
When a new request comes in, check if the cookie is (still) there:
app.get('/api/settings/:settings_id/emails', function(req, res) {
  if (req.cookies.user_id == "someid-1354654") {
    res.send("congrats, your user_id is still known to me: " + req.cookies.user_id);
  } else {
    res.send("you don't have access.");
  }
});
It would be better to use some module like Passport, but this way you'll get the basics of authentication and cookies.
edited Nov 15 '18 at 11:09
answered Nov 14 '18 at 22:09 by Sam
Couldn’t anyone just change their user_id cookie and imitate other users??
– XaxD
Nov 15 '18 at 2:24
@XaxD not if you set them to httpOnly
– Yeysides
Nov 15 '18 at 2:28
@XaxD and make sure the user_id is hard to guess. Or generate a random token that changes every time the user makes a new request.
– Sam
Nov 15 '18 at 11:12