Before I start, I have to say that I've found some posts related to this question, but they were not fully answered.

So I implemented a Node.js REST API server with a MongoDB database. About authentication, I understand the idea; with a JWT token it works perfectly.

/api/login

You get a response with a token. Now you can request a resource with this token, for example:

api/posts/:user_id

Get all your posts... No problem! Query with mongoose findBy... bla bla!

So for authorization in this case it's easy: check that the query param user_id is equal to the one in the token (the token is parsed to get user_id). Boom, the resource is secure.

But in case I have some resources that are not referenced by user_id, what is the best practice to protect those resources?!

Example:

api/settings/:settings_id/emails

Imagine that I know the settings_id of another user, and I am authenticated with a token. So how will the server know this resource is not allowed for me?

This is usually done using some combination of [HTTP headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) and/or [cookies](https://stackoverflow.com/questions/17769011/how-does-cookie-based-authentication-work). – TypeIA Nov 14 '18 at 21:37

1 Answer


First, you should do more to protect the token in the first place. When you issue a token after a user logs in, you should store their token either in web storage like sessionStorage if HTTPS is enforced, or use an httpOnly cookie (you can add a user-agent/geoip fingerprint in addition to the user_id upon signing this token to add an additional layer of security). Then, when a user makes a request for a protected resource, you can match the fingerprint and user_id you signed the token with to the user they are making the request on behalf of.

You could use something like passport-jwt as middleware in Express to require authentication on routes. In passport, you define an extractor handler that basically tells it where to look to see if the user has a token; if they do and it validates, it adds the req.user property that you can use on subsequent requests to determine the user_id of the token bearer. So basically, with this approach you know the user_id on every request, which lets you compare it with the user information they are requesting.

const express = require('express');
const passport = require('passport');
const { Strategy, ExtractJwt } = require('passport-jwt');
const app = express();
// Verify callback: the decoded JWT payload becomes req.user for the route handlers
passport.use(new Strategy({ jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(), secretOrKey: process.env.JWT_SECRET },
    (payload, done) => done(null, { id: payload.user_id })));
app.post('/settings/:settings_id/emails', passport.authenticate('jwt', { session: false }),
    function(req, res) {
        res.send(req.user.id); // set by the strategy's verify callback above
    }
);
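The step the answer leaves open is the ownership check for a resource like /settings/:settings_id/emails, whose route parameter is not a user_id. The following is an added example (not code from the answer above or from passport-jwt): a middleware that loads the document, compares its owner with the req.user.id that passport-jwt already set, and answers 404 for both a missing document and a document owned by someone else. The `owner` field and the in-memory store are assumptions standing in for a mongoose model.

```javascript
// Added example, not code from the answer above: an ownership check for a resource
// addressed by something other than user_id, such as /settings/:settings_id/emails.
// Assumes passport-jwt has already set req.user.id and that each settings document
// records the id of the user that owns it (the field name "owner" is an assumption).

// Constructed in-memory stand-in for the mongoose Settings model.
const settingsCollection = new Map([
  ['s1', { _id: 's1', owner: 'userA', emails: ['a@example.com'] }],
  ['s2', { _id: 's2', owner: 'userB', emails: ['b@example.com'] }],
]);
async function findSettingsById(id) {   // stand-in for Settings.findById(id)
  return settingsCollection.get(id) || null;
}

// Pure decision: 401 without a bearer, 404 when the document is missing OR owned by
// someone else (same answer for both, so a caller cannot probe for valid ids), else 200.
function ownershipStatus(userId, doc) {
  if (!userId) return 401;
  if (!doc || doc.owner !== userId) return 404;
  return 200;
}

// Express-style middleware factory: loads the document named by the route parameter,
// applies ownershipStatus, and hands the document to the handler via req.resource.
function requireOwnership(loader, paramName) {
  return async function (req, res, next) {
    const userId = req.user && req.user.id;
    const doc = userId ? await loader(req.params[paramName]) : null;
    const status = ownershipStatus(userId, doc);
    if (status !== 200) return res.status(status).json({ error: status === 401 ? 'authentication required' : 'not found' });
    req.resource = doc;
    return next();
  };
}

// Minimal req/res stand-ins so the middleware can be exercised without express.
function simulate(userId, settingsId) {
  const req = { user: userId ? { id: userId } : undefined, params: { settings_id: settingsId } };
  const res = { statusCode: 200, status(c) { res.statusCode = c; return res; }, json() { return res; } };
  let reached = false;
  return requireOwnership(findSettingsById, 'settings_id')(req, res, () => { reached = true; })
    .then(() => ({ status: res.statusCode, reached, emails: reached ? req.resource.emails : null }));
}

// In the real app the middleware sits between authentication and the handler:
// app.get('/settings/:settings_id/emails', passport.authenticate('jwt', { session: false }),
//   requireOwnership((id) => Settings.findById(id), 'settings_id'), (req, res) => res.json(req.resource.emails));
```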