Is this a secure method for user authentication? If so, can it be simplified to reduce the total number of requests?









I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.

In essence the steps I am taking are:

  1. User visits Next.JS served page.
  2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook
  3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)
  4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.
  5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.
  6. This new access token is used for subsequent requests to the API.

This feels very complicated and I feel it might be possible to remove the short lived token step altogether.

From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.

Am I over-complicating this? Is there a simpler method that I'm just not seeing?










      oauth passport.js koa next.js






      asked Nov 11 at 18:04









      Malii
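
The short-lived token of steps 4 and 5, as an added example that is not code from the original post: because the value travels in a URL (browser history, Referer headers, access logs), the API stores only its hash, accepts it once, and expires it quickly. The function names, the `/auth/complete` path, the 30-second lifetime and the cookie name are assumptions made for illustration.

```javascript
// Added example: one-time login-code exchange (all names here are hypothetical).
const { randomBytes, createHash } = require('node:crypto');

const CODE_TTL_MS = 30_000;   // assumption: "very short lived" means 30 seconds
const pending = new Map();    // sha256(code) -> { userId, expiresAt }; a shared store in production

const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Step 4: run by the Koa API after the Passport callback succeeds.
// Returns the URL the browser is redirected to.
function issueLoginCode(userId, nextAppOrigin, now = Date.now()) {
  const code = randomBytes(32).toString('base64url');    // 256 bits from the CSPRNG
  // Store only the hash, so a leaked store does not yield usable codes.
  pending.set(sha256(code), { userId, expiresAt: now + CODE_TTL_MS });
  // The origin comes from server configuration, never from the request.
  const url = new URL('/auth/complete', nextAppOrigin);
  url.searchParams.set('code', code);
  return url.toString();
}

// Step 5: API endpoint the Next.js server calls with the code from the URL.
// Returns the user id, or null if the code is unknown, replayed or expired.
function redeemLoginCode(code, now = Date.now()) {
  if (typeof code !== 'string' || code.length > 128) return null;
  const key = sha256(code);
  const entry = pending.get(key);
  pending.delete(key);                                   // single use: burned on first attempt
  if (!entry || now > entry.expiresAt) return null;
  return entry.userId;
}

// Set-Cookie value for the real access token: unreadable by page script, HTTPS only.
function accessTokenCookie(accessToken, maxAgeSeconds = 3600) {
  return `access_token=${accessToken}; Path=/; Max-Age=${maxAgeSeconds}; ` +
         'HttpOnly; Secure; SameSite=Lax';
}
```

The caller of `redeemLoginCode` looks up or mints the real access token for the returned user id and sends it with `accessTokenCookie`, so the long-lived credential never appears in a URL.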

          1 Answer
After a bit of fiddling around, I cut it down to only a few requests instead.

I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






                answered Nov 14 at 22:45









                Malii
