I'm creating my first SPA using NodeJS stack for development and I came to a point where I should design authentication and secure some parts of the app.I read a lot about auth techniques including JWT, OAuth, etc. but I still didn't find something like «a real world example».Let's assume that my task is just to secure some parts of app from public. My app isn't designed to work with 3rd party services so I see no need to use something like Google or Facebook auth. I want to use login/password and store all this data using my own database server.I don't understand the point of having authentication stateless. I came to a simple conclusion that I can design authentication in this way:I store users logins and passwords in my database.User auth means that user enters his credentials, server checks it and creates token. Then server saves this token into database. User saves token using browser local storage or somewhere else if it's not browser environment.On each request client sends this token, server checks that this token exists and responds appropriately.User can login from different devices, we just create multiple tokens for him.We can end specific session or all sessions by just deleting user tokens from database.We can manage tokens in a way we want, for example server can check expiration time and invalidate (delete) token.Is it OK? JWT require additional implementation if we need to invalidate token, I saw different examples, all of them were based on storing invalid tokens but what's the point of that if we can just store valid tokens? We already lose statelessness by implementing this storage.I see that I can just use cookies instead of implementation described above but I don't like an idea to use cookies in RESTful app because I don't see the point of sending cookies from not-browser like environment.What are the disadvantages of just storing tokens on server this way?
Submitted July 26, 2017 at 12:09AM by Max_Stern
No comments:
Post a Comment