Comments (2)
Hi!
Thanks for reaching out! I will try and see if I understand your objectives correctly and how TokenSec can (or can't) help you with that.
The TokenSec project was created to eliminate the requirement of proxying (authenticated) 3rd party API calls. Take for instance GitHub or Firebase: there are excellent JavaScript libraries available to directly connect to their API. However, if you wish to authenticate your user you'll need to generate a token which is signed using an API key and secret code. This signing process needs to be done on the server-side, as you don't want your secret key to be publicly available (which it would be if it was part of the client-side JavaScript).
Once you've signed the access token on the server, you'll need to transport this to the client so that it can use it to connect to the 3rd party API. The TokenSec library tries to create a (somewhat) secure process for transferring the signed token.
To translate this to your project would mean that you would need to change your client-side application to directly access the separate API server. I don't know if that is feasible as that would mean that the API server should be publicly available. If this is the case, you can eliminate the need for an Express proxy and only use the Express server in combination with TokenSec to do the authentication.
If the separate API server is not publicly available, TokenSec is not the right library for your project. You could instead use a session object to store the token in the Express server, or use HttpOnly secure cookies if you wish to keep it stateless.
Hope this helps!
Thanks, Remie, for coming back so quickly; I really appreciate your time and comments.
I have been given a clear requirement that the token should be stored server side (Express) and one way suggested to me was through using encrypted cookies back to the client.
I have read your reply a few times and am trying to get it all to sink in. It sounds a bit over-complicated for what I want (I think), plus I'm pretty certain the API server we are using is not publicly available either.
I handle a POST request from the client to, say, /login in Express and then perform a POST request to the OAuth server's token endpoint, sending across username, password, scopes, grant type (password) and a Basic Authorization header which uses the clientID and secret combined and then base64-encoded.
So it sounds like I should be looking at a session or secure cookie as per your suggestions. Are there any such Express middleware libraries you know off the top of your head that I should probably start looking at?
No worries if not, you have been most helpful already!
Thanks again
Rob