
I'm looking for best practices to implement client-server authentication (local + social). Right now I'm developing the backend and frontend separately. Earlier I did auth with the following flow:

Sign in -> receive token -> call api

I also need to find a way to add tokens to a blacklist. Tech stack: Node.js (Sails); front-end: Angular.

Also, the front-end app should be able to call the APIs of multiple servers. That means the front-end app should sign in only once at the main server and then be able to call the other APIs.

I'm open to out-of-the-box solutions.

vromanch
  • 939
  • 10
  • 22
  • There are different questions about this argument on SO ... Here are some of them: [Link1](http://stackoverflow.com/questions/15496915/how-to-implement-a-secure-rest-api-with-node-js) and [Link2](http://stackoverflow.com/questions/319530/restful-authentication) – Luca Marzi Mar 26 '15 at 18:09
  • Did you check passport.js http://passportjs.org/ ? Working example: https://scotch.io/tutorials/easy-node-authentication-setup-and-local – cdagli Mar 27 '15 at 06:28

1 Answer

If you are using JSON Web Tokens (JWTs) as your token: you can put a unique, random value as the jti claim in the token. You store these jti values in your database and use them as your blacklist.

If you would like to read about JWT best practices for Single Page Apps with APIs, please see a blog post I've written on this topic: Token Based Authentication for Single Page Apps

Regarding out-of-box solutions: I work at Stormpath and we have such a solution in our Stormpath Angular SDK.

robertjd
  • 4,723
  • 1
  • 25
  • 29