remie
commented
8 years ago Hi!
Thanks for reaching out! I will try and see if I understand your objectives correctly and how TokenSec can (or can't) help you with that.
The TokenSec project was created to eliminate the requirement of proxying (authenticated) 3rd party API calls. Take for instance GitHub or Firebase: there are excellent javascript libraries available to directly connect to their API. However, if you wish to authenticate your user you'll need to generate a token which is signed using an API key and secret code. This signing process needs to be done on the server-side, as you don't want your secret key to be publicly available (which it would be if it was part of the client-side javascript).
Once you've signed the access token on the server, you'll need to transport this to the client so that it can use it to connect to the 3rd party API. The TokenSec library tries to create a (somewhat) secure process for transferring the signed token.
To translate this to your project would mean that you would need to change your client-side application to directly access the separate API server. I don't know if that is feasible as that would mean that the API server should be publicly available. If this is the case, you can eliminate the need for an Express proxy and only use the Express server in combination with TokenSec to do the authentication.
If the separate API server is not publicly available, TokenSec is not the right library for your project. You could instead use a session object to store the token in Express server or use HttpOnly secure cookies if you wish to keep it stateless.
Hope this helps!
parky128
Hello,
I am currently using an Express server to proxy all api requests from the client side application to a separate API server.
I am now needing to add in authentication support and the API server we are using does provide an OAuth 2 mechanism which we have got up and running and can perform simple access token requests.
From what I understand talking with colleagues, I should be able to return a cookie back to the client after a user has been authenticated, with the cookie containing say the token encrypted in some manner. And then for subsequent requests, Express does the magic of decoding the token for use as a bearer token header onto the separate API server.
I came across this library whilst searching for a solution on how to achieve this kind of behaviour and the opening paragraphs on the readme seem to follow the kind of things I am trying to find solution for, but I'm not 100% sure if this library is what I need, or if it is how I could make use of it.
For instance, I see there are both server side (node.js) and client side (javascript) options for configuring and using, but I was thinking I should be able to do what I need purely in Express.
My thought process before coming across TokenSec of how the token flow could work was:
Since coming across this library, I'm now wondering if I am thinking about this all the wrong way. Can you advise further? I appreciate any time you can give me in understanding this further.
Thanks