
I am trying to wrap my brain around building an express.js / node.js based REST API. I have a couple of questions...

  1. Do I NEED token-based / OAuth 1 or 2 security for my API if I'm only concerned about a web application right now (not necessarily phone apps)?

  2. Are there any resources to learn how to build this from scratch? I've read literally the first 3 pages of googling "rest api with oauth2 authentication express.js" and I'm still not grasping it.

Daniel White
  • OAuth is about signing the requests of 3rd-party clients; you won't need it if you don't want to create a public API. For Node there are express-resource or restify, which are good starting points. – inf3rno Sep 08 '14 at 22:07

2 Answers


It's good that you want to do a REST API in Node. It's really good for building API-based requests.

For your question:

  1. If you are building just a basic API, with simple GET and POST requests, then you might want to ask yourself if the data that you are displaying or manipulating requires "security". If not, then most likely you don't need to implement OAuth.

But if your data is sensitive, such as private user data, then you need to put some sort of security layer on your API. Also, using OAuth or other token based security can help you build a better permission checking across your user base.

  2. You first need to grasp the concept of OAuth. Once you have the idea of how OAuth works, then it's really easy to implement in your chosen language. Here are some good reads on how you can understand OAuth better:

http://www.slideshare.net/MindfireSolutions/oauth-and-rest?qid=09a7d224-78bb-4b47-8957-3f0a0ce809a4&v=qf1&b=&from_search=3

For more detailed info about OAuth: https://www.rfc-editor.org/rfc/rfc6749

Again, once you understand the workflow of OAuth, you can implement it easily. :P

Ninz
  • I am creating a SaaS application and I think I'm just going to go with a basic email / md5 encrypted password like I would if I was building it in PHP. I'm reading over OAuth and it just doesn't seem like I need that. I don't plan on this being a third-party API, so just for users to come onto my site and log in, I think a simple login solution like username / password checked against the database will suffice. Agree or disagree? – Daniel White Sep 01 '14 at 20:30
  • Seems reasonable enough. You can always add OAuth later if you feel you need it. – shieldstroy Sep 01 '14 at 23:17
  • If that's the case, then I think you do not need OAuth :) – Ninz Sep 02 '14 at 15:28
  1. It does not depend on whether you use your REST server for web applications or for any other clients. If the service is available on the internet, you should consider any client application an "enemy". I mean you should not rely on any "trusted" client app; you should always perform authentication if the client gets a secured resource. Whether the resource is secured depends on your app. I prefer to use OAuth2 in both cases. If the resource is not secured, I use Client Credentials (https://www.rfc-editor.org/rfc/rfc6749#section-1.3.4); if it's secured, I use an Access Token (https://www.rfc-editor.org/rfc/rfc6749#section-1.4). It allows you to stay with the same tech and easily change things in the future if needed. Based on my personal experience, I created the module oauthifizer (https://github.com/vedi/oauthifizer). It's actually a wrapper around passport.js, which makes it more friendly in those particular cases.

  2. You can have a look at this article: http://aleksandrov.ws/2013/09/12/restful-api-with-nodejs-plus-mongodb/. Again, you can consider trying restifizer (https://github.com/vedi/restifizer), another module, which allows you to create RESTful services significantly faster. And there is a short example for it: https://github.com/vedi/restifizer-example

Hope it helps.

vedi