
I want to design a SPA which will have a frontend (React) and a backend REST API (Node.js, Express, MongoDB). I am planning to have Single Sign-On in my application, where users would authenticate using MS Azure AD: a call would go to Azure AD from the frontend and in return I would get a token for that user, which would be stored locally. After that, I want to call my REST API for multiple GET, POST and PUT operations in the context of the current user logged in on the UI. I am planning to deploy frontend and backend on different servers, so I have two questions about securing my REST API:

  1. CORS Implementation
  2. User-Authentication on BE

Given the above requirements, is it enough to have just CORS implemented, or do I need to authenticate the user again on the BE?

Can somebody provide some best practices or experiences? Is anything lacking in my “architecture”?


2 Answers


While CORS is definitely a consideration, it isn't Authentication (AuthN) or Authorization (AuthZ), which you need. Depending on the number of users your application will have and how the back end will scale, you might want to look at OAuth 2.0 or stick with simpler session-based auth, but you will need something.

CORS on your back end will limit whether a browser running an app on a domain other than yours can call your web services (it won't stop API requests from other tools).

AuthN - You're not logged in - go get logged in and come back to me.

AuthZ - Controls what your users can and can't do. You might want to enforce this at the resource level, but you absolutely need to within your business logic.

Further reading: https://auth0.com/docs/authorization/concepts/authz-and-authn

Philippe from Pragmatic Web Security has a free online course to get you started: https://pragmaticwebsecurity.com/courses/introduction-oauth-oidc.html It's very well paced and should give you some foundational knowledge. (It might let you write off OAuth for this use case, but give it a go.)


CORS will not perform any user authentication. You need CORS only when your client code is served from another domain than the backend you are talking to. If the same server hosts the static client files and the backend's REST endpoints, you don't need CORS. If you are unsure, then don't consider CORS at all and see if it works.

But you need authentication to know which user is which.
