Friday, 17 April 2020

Authentication with express and passport

This is mainly a post asking about best practices regarding authentication in express APIs. I've been working on Rails APIs for some time and I'm trying to build a simple express API. The thing is, coming from Rails, I guess I kinda expect some things like authentication to have a well-defined approach, but I'm finding that mostly people are doing their own thing.

Most guides I've seen use passport and JWT for authentication, which is very simple at first, but IMO has a big hole regarding logging out. Since JWTs can't be expired on demand, there's no obvious way to have a secure server-side log out. I've seen suggestions for solving this problem, but they all necessarily involve saving tokens to a DB, which kinda defeats the point of using JWT in the first place. Is there something I'm missing for why this isn't the case?

Next, I looked into using express-session along with passport, and although it works, I feel like maybe it's too much? I'm not sure if it's common to do it this way, and if that's the case then I guess it'd be better to learn what I'm more likely to see in real life.

Is there another possibility I'm missing? How is authentication usually handled in mid-sized express APIs?

Submitted April 17, 2020 at 03:22PM by NombreGenerico
