DISCOOS / sar-status-api

API webapp for SAR-Status
https://sar-status-api.herokuapp.com
BSD 2-Clause "Simplified" License

Token authentication #2

Open stianmorsund opened 6 years ago

stianmorsund commented 6 years ago

SAR-API should have its own token for authentication. Now every request is authenticated via KOVA and thus takes longer than it should.

Tokens must be stored somewhere safe. One possibility is to use secure, signed and HTTP-only cookies which are stored client-side. SAR-API could check for the existence of the cookie to authenticate each request to KOVA. The cookie lifetime should also be set to match the KOVA token's TTL to avoid issues...

Or maybe use PassportJS? http://passportjs.org/

kengu commented 6 years ago

Use of passport.js looks like a simple solution. Then we do not need to roll our own solution, with all the security risks that entails. I think we can in general terms assume that passport.js (or similar solutions) is way more secure and better maintained than what we are able to do ourselves. See #9