
Comments (2)

remie commented on August 16, 2024

Hi!

Thanks for reaching out! I will try and see if I understand your objectives correctly and how TokenSec can (or can't) help you with that.

The TokenSec project was created to eliminate the requirement of proxying (authenticated) 3rd party API calls. Take for instance GitHub or Firebase: there are excellent JavaScript libraries available to directly connect to their API. However, if you wish to authenticate your user you'll need to generate a token which is signed using an API key and secret code. This signing process needs to be done on the server-side, as you don't want your secret key to be publicly available (which it would be if it was part of the client-side JavaScript).

Once you've signed the access token on the server, you'll need to transport this to the client so that it can use it to connect to the 3rd party API. The TokenSec library tries to create a (somewhat) secure process for transferring the signed token.

To translate this to your project would mean that you would need to change your client-side application to directly access the separate API server. I don't know if that is feasible as that would mean that the API server should be publicly available. If this is the case, you can eliminate the need for an Express proxy and only use the Express server in combination with TokenSec to do the authentication.

If the separate API server is not publicly available, TokenSec is not the right library for your project. You could instead use a session object to store the token in the Express server, or use HttpOnly secure cookies if you wish to keep it stateless.

Hope this helps!

from tokensec.

parky128 commented on August 16, 2024

Thanks Remie for coming back so quickly, I really appreciate your time and comments.

I have been given a clear requirement that the token should be stored server side (Express) and one way suggested to me was through using encrypted cookies back to the client.

I have read your reply a few times and am trying to get it all to sink in. It sounds a bit overcomplicated for what I want (I think), plus I'm pretty certain the API server we are using is not publicly available either.

I handle a POST request from the client to, say, /login in Express and then perform a POST request to the OAuth server token endpoint, sending across username, password, scopes, grant type (password) and a Basic Authorization header which uses the clientID and secret combined and then base64 encoded.

So it sounds like I should be looking at a session or secure cookie as per your suggestions. Are there any such Express middleware libraries you know off the top of your head that I should probably start looking at?

No worries if not, you have been most helpful already!

Thanks again
Rob

