
I'd like to secure a RESTful API, and I'm trying to keep it as simple as possible, as well as stateless.

What is the optimal way to store, generate, and authenticate API keys? I was thinking about generating keys with node-uuid, storing them in redis, and then authenticating them with passport-apikeys.

Would this work? Or is there another optimal solution that I'm missing?

I have been reading up on this a good amount, but a lot of resources are missing the actual implementation, like this post

  • Can you please explain to us how your plan fits in a "stateless" approach? It looks to me like it does not. Commented May 3, 2014 at 20:28
  • I don't want to have to keep track of sessions, I just need to check if they have a key or not. Commented May 3, 2014 at 20:30
  • Isn't that what a session does? Commented May 3, 2014 at 20:30
  • From your question it's hard to understand how the user gets their keys. Passport-apikeys sounds good; make sure you are correctly using the keys and also allow regeneration. Commented May 3, 2014 at 20:54

1 Answer

Your solution sounds OK to me, but not secure enough, I'm afraid. I'd like to suggest you sign the request with the key, so that you can protect your API from tampering. So you need to generate a key pair, let's say an access id and an access key, for the user who is going to use your API. The HTTP request will have two sections: one is the access id, the other is a signature calculated over the whole request content with the access key. But the access key should never be passed over HTTP. So on the server side you can check the signature of the HTTP request with the access key stored in Redis.

You can use Node.js Crypto module for this. http://nodejs.org/api/crypto.html#crypto_class_hmac

Hope this helps a bit.


1 Comment

This is exactly what 2-legged OAuth 1 is.
