I've been googling for more than a day now. Maybe I'm missing the correct keywords.

I have the following setup:

  • ExpressJS API (running with pm2 on port 3000)
  • Angular2 app - served via nginx

Both run on the same server.

Calls to the api (mydomain/api/) are proxied to 127.0.0.1:3000

For api calls which require authorization I will use JWT and user authentication.

What I want to achieve is that I generate a token for my angular2 app which is allowed/required to make the public calls (listings of products for example).

This token needs to be transferred securely of course, as I don't want others to obtain my products and prices via direct api calls (with a stolen token).

Any help appreciated.

user1261284

2 Answers

1

First, as @eesdil said, you must use HTTPS. In that case, all your calls are encrypted and safe.

In my example ( Angular 2, Express and JWT ), I used the crypto module with the pbkdf2 algorithm for hashing passwords.

This is the workflow:

  • /login/signup -> hash password and generate salt -> store it on server
  • /login -> validate password against stored one -> generate jwt -> save it in localStorage on client
  • /api -> send jwt in Auth header -> validate on server -> send response

Working example is here: https://github.com/vladotesanovic/angular2-express-starter

Vlado Tesanovic
  • Ok, thank you very much. But let's say your starter app would list cities at the homepage. I don't want people to call api/cities directly. So I generated a JWT which is internally assigned to the public api calls. I could provide the public JWT via express-session in a secure way, I guess. I'll set up https and my idea in the whole thing and come back with the result. – user1261284 Feb 03 '16 at 23:12
  • No, don't use session and cookies for storing or transferring the jwt token. No matter from what location they call /api/cities, they need to have a valid jwt. I will improve my example with /refresh functionality. You can encode the jwt on the client side and see when it expires... – Vlado Tesanovic Feb 04 '16 at 07:47
0

Your token hopefully travels over https. And when it does, they cannot get it...

UPDATE

from wiki:

Because HTTPS piggybacks HTTP entirely on top of TLS, the entirety of the underlying HTTP protocol can be encrypted. This includes the request URL (which particular web page was requested), query parameters, headers,

https://en.wikipedia.org/wiki/HTTPS

eesdil
  • Sorry, I'm a little stupid in this section. I will set up https of course. But I will still have to include my public token in a request header/url param from the angular app, so it's visible to anyone. Or am I missing something? – user1261284 Feb 03 '16 at 12:15
  • See the wiki: as https is an application layer protocol, it is encrypting the headers as well. – eesdil Feb 03 '16 at 12:19
  • Yes, you must include the token in each call. But that token is generated on the server... I have a similar setup right now ( express - angular 2 ); I will submit my workflow as an answer here. – Vlado Tesanovic Feb 03 '16 at 12:19
  • That would be awesome @VladoTesanovic – user1261284 Feb 03 '16 at 15:08
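The HTTPS setup this answer recommends, applied to the nginx front end described in the question, as an added example (not the asker's or the answerers' configuration): TLS is terminated at nginx, the Angular app is served as static files, and /api/ is proxied to the pm2-managed Express process on 127.0.0.1:3000 over loopback. Certificate, key and document-root paths are assumed placeholders. One caveat a practitioner should keep in mind: TLS hides the Authorization header from anyone on the network between browser and server, which is the point made in the answer and comments, but it hides nothing from whoever runs the browser. A token shipped inside the Angular bundle can always be read from the bundle or the devtools, so it identifies the app rather than keeping the product listings secret.

```nginx
# Added example, not the asker's configuration. Paths are assumed placeholders.

# Plain HTTP only redirects; the app and the API are never served in clear text.
server {
    listen 80;
    server_name mydomain;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain;

    ssl_certificate     /etc/ssl/certs/mydomain.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/mydomain.key;  # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Angular 2 app: static files, with client-side routes falling back to index.html.
    root /var/www/mydomain;   # assumed path
    index index.html;
    location / {
        try_files $uri $uri/ /index.html;
    }

    # API: proxied to the Express process managed by pm2. With no URI part on
    # proxy_pass, nginx forwards the original path, so Express still sees /api/...
    # The Authorization header is passed through as-is; TLS above protects it on the wire.
    location /api/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Because Express only ever listens on 127.0.0.1:3000, direct calls from outside the box have to come through nginx and therefore through TLS; the JWT check on the Express side is still what decides whether a given call is allowed.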