
I'm a newbie in Node.js and just want to create a RESTful API with it for my game in Unity3D. Just at the end of the game I want some information like name and phone number, etc. from the player if he/she wants to share. I know how to implement this server, but my problem is with security. I've searched a lot about security in Node.js but I've not figured it out yet. In my searches I saw there is an npm package which is JWT and figured out how to use it. As I know, we send a request to the server and in response it returns a bearer token which we can set our header with and use GET, POST or other methods. My problem is that anyone can send a request to that URL and get that token and do other things (I think I made a mistake). So what is the solution for the security of this type of server?

ATHellboy

1 Answer


Well, there are multiple authentication strategies (basic, OAuth, token, cookies). Since you have already chosen the JWT strategy, I will try to explain it.

  1. User registers (email, password, phone, name, etc.)
  2. Your server returns a 201 and a JWT token signed specifically for that user: jwt.sign({ id: user.id, role: user.role }, 'secret', { expiresIn: 60 * 60 })
  3. Then you can add a middleware to your routes that validates whether the token is in the authentication header and whether the token is valid: jwt.verify(token, 'your secret')
  4. Since you are sending tokens in your headers, you should use HTTPS to encrypt your HTTP requests.
  5. You also need a login endpoint that receives the id and password and generates a new token for that user, because tokens can expire.

Usually I use this package: https://github.com/auth0/node-jsonwebtoken where you can also set the encryption algorithm and more options.

Another explanation containing images: https://stackoverflow.com/a/45978644/4120554

Marco Talento
  • Thanks for the answer. There isn't any sign-up or sign-in panel in the game. At the end of the game I just want the player's information, like phone number and real name, if players want to share it. So can it be done with this strategy? – ATHellboy Apr 04 '18 at 08:37
  • Your case is very specific, so you don't want a specific authentication; you just want to store data from the user who played your game, right? You can generate a token when the user starts the game and then send that token to the server if they share their data. In your server you can validate whether that token was generated by you. (pretty simple solution) – Marco Talento Apr 04 '18 at 08:50
  • Yup, exactly. I'm so sorry to ask this question, but how can I validate whether that token was generated by me or not? – ATHellboy Apr 04 '18 at 08:57
  • And my second question is about the JWT strategy: what if someone outside of the client sends a request to the server for registering (first, is it possible?) and then receives that token and sends other information to the server? – ATHellboy Apr 04 '18 at 09:00
  • First question: you can simply generate a token with a private token that only YOU know, and when the client sends that token you can verify whether that token was signed by your server. Second: if your server is exposed to the web, everyone can make requests to your API; that's why you have a token, to validate whether you want to process that request or return a 401. Of course your clients don't want to share the token, otherwise anyone can use it and make requests to your server, but that's the same as if a person gives away their password :D – Marco Talento Apr 04 '18 at 09:06
  • Another question: is it better to generate the token on the server or on the client? – ATHellboy Apr 04 '18 at 17:24
  • Your token should always be generated on the server side! If your code is on the client side, anyone can change it :) – Marco Talento Apr 04 '18 at 20:07
  • For this kind of job, do I need to use HTTPS? And if I do, is it OK to use a self-signed SSL/TLS certificate? – ATHellboy Apr 06 '18 at 15:54
  • Also I've found out there is a free SSL certificate called Let's Encrypt: https://letsencrypt.org/ – ATHellboy Apr 06 '18 at 17:19