
This is a somewhat broad question. I am building a Stripe server with Node and Express and hitting it with a React frontend. I have put together the basic API where I can create customers, save payment methods and access accounts to edit, update etc.

Payment method details are collected via Stripe's own recommended react-stripe package that protects PII to keep things compliant with government regulations on privacy.

Now I am trying to secure the REST API so that only validated individuals can access the API endpoints. So for example I have a GET endpoint that displays profile details for a customer and the endpoint looks something like: route/:customerId. Presumably I could only access the route if I had a customerId, but is there another layer I can add that secures the endpoint more?

I am trying to figure out the best way to do this and I have come across the following two options:

  1. JWT
  2. OAuth2

I am unsure if perhaps I am misunderstanding usage here. Is one of these two the right approach to securing a REST API?

LoF10

1 Answer


This is a very broad question and it definitely depends on your business logic and how secure other parts of your application are.
JWT and OAuth2.0 can be used for protected routes, but you have to know the differences between them. OAuth2.0 is mainly used for authenticating users ONLY with 3rd party services, i.e. giving users an option to create an account with their Google or Facebook accounts. You can add another layer on top of OAuth2.0 and add OIDC to use it for authorization. However, JWT is recommended to be used for authorization. In either case, it is BEST to use these tokens over HTTPS. Perhaps take a look at this for the differences between them and read more about the two.