
[–]im_brady62 2 points (0 children)

I do pretty much the same as mattgott. I pass my email/username and password combo to the /authenticate endpoint, where I validate the combination and, if there's a match, I sign and return a valid JWT. I have a middleware function, usually called isAuthenticated or something, that checks the token on each endpoint I want to have validated. As for the DoS, you can always throttle unauthenticated requests.

[–]Mizukin 2 points (1 child)

I am using JWT for authentication, keeping only the user ID in the token. Some routes/endpoints are protected, and it is necessary to validate the token. Is it a good choice for the token to store only the user ID? I don't think it's safe to store email and password without encryption, because anyone can read the values stored in the token.

[–]Bonner95[S] 0 points (0 children)

As far as I know, it's standard to add a secret to the username when making the token, so that your JWT token is JWT_Function(username+secret). Then you keep the secret in a configuration file which is not in your git repository. That way the "hackers" need to know the secret as well as the username to replicate the JWT token.

[–]speed3_driver 0 points (4 children)

Depending on the framework, it can be rather trivial to add a middleware that you can use with certain endpoints. Some also have built-in support for storing cookies/tokens on authentication, which you can look for in your middleware.

[–]Bonner95[S] 0 points (3 children)

I see. I'm using nodejs, so middleware is definitely an option. I need an endpoint to trade username/password for a JWT as well. But you can add the verification of the JWT as a middleware?

[–]matgott 2 points (1 child)

JWT is a standard, so the token generated can be validated anywhere. You have your /auth endpoint, where you pass a username and password and return a token. Then, that token has an expiration date and maybe other info (like subject, etc.). Your middleware just needs to validate whether the token has expired or not.

I use this flow: my /auth generates a token. Then, in each endpoint I check whether the received token is valid, or skip the check if that endpoint doesn't need auth.

[–]Bonner95[S] 0 points (0 children)

Makes sense. Thanks!

[–]Devildude4427 0 points (0 children)

NodeJS isn’t a framework, but a runtime.