Is this a secure method for user authentication? If so, can it be simplified to reduce the total number of requests?









up vote
0
down vote

favorite












I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



In essence the steps I am taking are:



  1. User visits Next.JS served page.

  2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

  3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

  4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

  5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

  6. This new access token is used for subsequent requests to the API.

This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



Am I over-complicating this? Is there a simpler method that I'm just not seeing?










share|improve this question

























    up vote
    0
    down vote

    favorite












    I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



    In essence the steps I am taking are:



    1. User visits Next.JS served page.

    2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

    3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

    4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

    5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

    6. This new access token is used for subsequent requests to the API.

    This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



    From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



    Am I over-complicating this? Is there a simpler method that I'm just not seeing?










    share|improve this question























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



      In essence the steps I am taking are:



      1. User visits Next.JS served page.

      2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

      3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

      4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

      5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

      6. This new access token is used for subsequent requests to the API.

      This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



      From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



      Am I over-complicating this? Is there a simpler method that I'm just not seeing?










      share|improve this question













      I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



      In essence the steps I am taking are:



      1. User visits Next.JS served page.

      2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

      3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

      4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

      5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

      6. This new access token is used for subsequent requests to the API.

      This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



      From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



      Am I over-complicating this? Is there a simpler method that I'm just not seeing?







      oauth passport.js koa next.js






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 11 at 18:04









      Malii

      119110




      119110






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          After a bit of fiddling around, I cut it down to only a few requests instead.



          I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






          share|improve this answer




















            Your Answer






            StackExchange.ifUsing("editor", function ()
            StackExchange.using("externalEditor", function ()
            StackExchange.using("snippets", function ()
            StackExchange.snippets.init();
            );
            );
            , "code-snippets");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "1"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251643%2fis-this-a-secure-method-for-user-authentication-if-so-can-it-be-simplified-to%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            After a bit of fiddling around, I cut it down to only a few requests instead.



            I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






            share|improve this answer
























              up vote
              0
              down vote













              After a bit of fiddling around, I cut it down to only a few requests instead.



              I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






              share|improve this answer






















                up vote
                0
                down vote










                up vote
                0
                down vote









                After a bit of fiddling around, I cut it down to only a few requests instead.



                I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






                share|improve this answer












                After a bit of fiddling around, I cut it down to only a few requests instead.



                I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 14 at 22:45









                Malii

                119110




                119110



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251643%2fis-this-a-secure-method-for-user-authentication-if-so-can-it-be-simplified-to%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    這個網誌中的熱門文章

                    How to read a connectionString WITH PROVIDER in .NET Core?

                    Node.js Script on GitHub Pages or Amazon S3

                    Museum of Modern and Contemporary Art of Trento and Rovereto