Saturday, 18 May 2019

Am I securing my node API properly

Hi everyone, long-time lurker but this is my first post. I'm more just checking I'm doing this properly, as the info I've found online hasn't been much help to me so far...

I'm making a node.js API that will, most likely, be used by other server applications such as WordPress. Therefore, I need to be able to generate one-time API keys for the user to input into their plugin.

My current flow is the user logs into my website, creates an account (probably with Auth0, not 100% decided yet!) and is then given an API key (which will either be a UUID or random alphanumeric string) to add to their application. This API key will be hashed with bcrypt so it's not stored in the db as plain text. Then when the user makes a call to the API, the key is in the header which is then checked by the server to ensure the request is genuine.

So, a few questions:

1. Is this the correct way to do it?
2. Any suggestions to make this better?
3. Should I also generate an API key secret? If so, should this be sent to the user as well?
4. Are there any good resources online for API design in node.js (specifically where API keys are issued)?

Thanks in advance for your help. It'll be greatly appreciated!

EDIT: Forgot the question mark in the title...

Submitted May 18, 2019 at 11:30AM by Korus1990
