
I have an Express application setup and need some advice on storing tokens.

I am receiving an access token from an OAuth 2 server after authenticating a user account, which I then need to use for subsequent api requests.

I want to hide the token value from the client and I believe one way of doing this is to save the token on the server in an encoded cookie, so that when further requests are made, these can be routed through middleware and the cookie can then be used for retrieval of the token stored server side, which is then used as a header value in the ongoing request to the actual API endpoint.

Someone has actually already asked this question - How to store an auth token in an Angular app. This is exactly the flow I am working with in my application, but the answer talks about using an Angular service and I'm not so sure I would want to do this; surely this can all be handled by Express so the client side code doesn't need to know about the token, just any errors the API server returns back.

So, a summary of the flow I think I need:

  • User submits login credentials
  • OAuth 2 server returns access token
  • Token is saved somewhere in Express, keyed by an id of sorts
  • A cookie is generated and sent back in response to the client. Cookie contains token value encoded perhaps? Or maybe the id of token value stored in Express middleware component?
  • Client makes an api request, which Express route middleware picks up.
  • Express checks for presence of cookie and either decodes the token value, or somehow retrieves from storage mechanism server side.
  • Token value is then used as a header between express and final api endpoint

There is probably middleware already out there that handles this kinda thing, I have already seen PassportJS which seems to be the kinda thing I may want to use, but I'm not so sure it handles the OAuth2 token flow on the server I am working against (password grant) and instead seems to be more suited to the redirect login OAuth flow.

I surely need somewhere to save the token value in Express, so some form of storage (not in memory, I don't think).

I am fairly new to Express so would appreciate any suggestions/advice on how to approach this.

Thanks

mindparse
  • When you receive the token from the OAuth2 server, you can save it on the user side. You can use a cookie or HTML5 localStorage. – trquoccuong Jan 08 '16 at 10:11
  • Ok, well the cookie approach is what I'm thinking but it would need to encode the value of the token back to the client and then this gets decoded each time for subsequent requests by Express to the final end point. – mindparse Jan 08 '16 at 11:01

1 Answer


The most secure way to do this is just as you described:

  • Get an OAuth token from some third party service (Google, Facebook, whatever).
  • Create a cookie using Express, and store that token in the cookie. Make sure you also set the secure and httpOnly cookie flags when you do this: this ensures the cookie CANNOT BE READ by client-side JavaScript code, or over any non-SSL connection.
  • Each time the user makes a request to your site, that cookie can be read by your middleware in Express, and used to make whatever API calls you need to the third party service.

If your service also needs to make asynchronous requests to Google / Facebook / etc. when the user is NOT actively clicking around on your site, you should also store their token in your user database somewhere as well -- this way you can make requests on behalf of the user whenever you need to.

I'm the author of express-stormpath, a Node auth library (similar to Passport), and this is how we do things over there to ensure maximal security!

rdegges
  • A good takeaway (for me) with this answer is it's valid to store the access token in the backend/db *as well* as in the front-end cookie. I think I'll store the refresh token in the db and leave the access token in the cookie. – JCraine Jul 28 '20 at 02:34