
I have a rich JS app in React running on HTTPS, and server-side I have an API in NodeJS listening for client requests. The users are not developers; actually they barely use a computer. I want a simple login/password form (something they are familiar with) for them to authenticate.

Instead of storing the username/password client-side and including them in every API request, it is suggested to store a token. If I understand correctly, server-side in the DB, this token is also stored alongside the username/password in the users table.

What confuses me is that this token would not be hashed (e.g. with bcrypt) like the password would. So isn't it like having a clear password in the database? Well, for sure I missed something important about tokens.

Then, if anyone could show me the path on how best to manage HTTP basic authentication with a token in NodeJS, it would be really appreciated :)

user2923322
  • Are you talking about `Javascript web tokens` aka `JWT`? Basic HTTP authentication and JWT are two different things. Modern apps use [JWT](https://jwt.io/introduction/), which is stateless and secure. [RFC 2617 aka HTTP Basic Auth](https://tools.ietf.org/html/rfc2617) [RFC 7519 aka JWT](https://tools.ietf.org/html/rfc7519) – Prateek Gupta Jan 31 '17 at 07:28
  • Well in any case the user submits first his login and password, right? So in order to get any kind of token, you first need basic http authentication, no? – user2923322 Jan 31 '17 at 07:31
  • Use `TLS` to secure it, any communication without `TLS` is insecure – Prateek Gupta Jan 31 '17 at 07:32
  • It said in first sentence I use HTTPS, isn't that enough? – user2923322 Jan 31 '17 at 07:34
  • AFAIK, the client uses TLS to communicate with the authentication service (API) where you send the credentials, so this is secure. Next, the server authenticates it and issues a token; everyone can decode it and can read it, but if someone changes it, it would be invalid. See this answer [http://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure]. Now this token, which has claims, is presented in the header with every API call to your server. – Prateek Gupta Jan 31 '17 at 07:40

0 Answers