-1

So, I've implemented some form of auth on my API, I'm not sure which kind it classifies as.

What my app does is generate a token once a user signs up/logs in, and then before every endpoint call I have a middleware function that checks if a token exists, then decrypts it, and if it's correct it stores the user info in req.user. I then use the user info in req.user for other stuff later.

Does this classify as Token based auth?

I looked up online and read that instead of storing the token as a cookie on the client side, if I store the user info on the server side as session and a sessionid as a cookie on the client side, it classifies as Session based auth.

Thus clearly, my app has Token based auth right?

(I'm sorry if I'm seeking clarification for very basic stuff, I'm very much a beginner)

2 Answers

0

You write that you "check if a token exists" and I assume this means that you look it up on a database. This is rather similar to an express-session, where the cookie contains a token and the session is also looked up on the database. The difference could be that you transport your token not in a cookie but in a request header (you don't say which technique you use).

However, one important aspect of token-based authorization is that the token need not be looked up on a database, but can be validated entirely in memory by verifying a signature. This is quicker and consumes fewer resources. Especially if your server receives many (malicious) requests with invalid tokens, it can detect and reject them without putting load on the database. See also the answer to Some questions about refresh tokens.

You could combine this with a session-based approach if the session ID also contains a signature and this is validated before the session is looked up on the database.

Read more about signed tokens and signature validation under the tag.

Heiko Theißen
  • I'm sorry if I confused anyone. By "check if a token exists", I mean I check whether there's a token in `req.cookies`. I'm not accessing the db here, right? –  Feb 04 '23 at 19:52
  • @user13387446: But you cannot simply take the user out of `req.cookies` without first validating the cookie. A client can put any cookie they like into the request and could thereby impersonate any user if the cookie is not validated. Is your cookie signed? – Heiko Theißen Feb 05 '23 at 07:52
  • I first check if the token in `req.cookies` is valid, if it is valid then I store the user info in `req.user` –  Feb 06 '23 at 01:30
  • Then it is token-based: The validity of the request is certified by the token alone. – Heiko Theißen Feb 06 '23 at 06:39
0

Yes, you have implemented token-based authentication in your scenario. Session-based is a totally different thing: in that approach you need to store the session in your backend to track whether the client is valid or not. In token-based auth you don't need to store sessions, but you will have two tokens, an ACCESS TOKEN and a REFRESH TOKEN, and you need to store the refresh token in the database in case of future regeneration of the access token. That's how token-based authentication works!