
I am building a website based on Node.js.

The approach that I am following to ensure safety of the APIs is as follows:

  • The user signs up with email and password.
  • On successful signup and login, the client receives a randomly generated token
  • It stores the token in local storage and passes the token as header in all subsequent requests.
  • For every subsequent request the server checks the token and validates the user.
  • Once the user logs out, the token stored in the client's local storage gets deleted
  • The user gets a new token when he logs in again.

Is the above approach good enough? Please suggest better ways if any.

Also, I have seen people using passport-local for authentication purposes. How can passport-local help in the above way of authentication?

2 Answers

It is not a good approach for many reasons. For example:

  1. In your approach, the user will not be able to log in from two browsers (Mobile+Desktop) at the same time.

  2. It's very easy to steal localStorage data with an XSS attack. If you use a server-only cookie, it's much harder.


Instead of random tokens, it would be better to use JSON Web Tokens (https://jwt.io/introduction/). This gives you an easy way to verify that a token is valid (the tokens are signed and have an expiration time).
