
Authentication and authorization of API #2

Open

agentmilindu opened this issue Mar 13, 2015 · 10 comments

Comments

@agentmilindu
Contributor

We have to use some kind of way to protect the endpoints, maybe using a token-based mechanism.
What are the good solutions?

@rhperera
Member

Ya, that will be the ideal choice. What about JSON Web Token (JWT) for the token passing? Since we are using Node.js, it's good to take a look at this also:
https://github.com/auth0/node-jsonwebtoken

@agentmilindu
Contributor Author

Yes, JWT is a good mechanism. And if we can connect it to an authentication framework like passportjs, we can have many more authentication mechanisms without any problem. Have to check if this is possible.

@milankarunarathne

@agentmilindu @rhperera I would like to work on this issue. I have some previous experience of using JWT with one of my applications. As you know, Auth0 is acting as an authentication broker, so we have to create an account in Auth0. They are giving free accounts for open-source projects, as long as we display that we are using Auth0.
Can I proceed with this issue?

@agentmilindu
Contributor Author

Hi @milankarunarathne, you are almost welcome to work on this issue :)

However, I doubt the use of Auth0 would be a wise choice in this project. The idea of the project is to be a base for device tracking applications. People who develop apps using Tracker may not be happy to use a third-party service. It is good if we can avoid such dependencies on external parties. What's the benefit of Auth0 over handling authentication internally in Tracker? There are node packages which provide integration with many services. WDYT?

@milankarunarathne

@agentmilindu we don't always have to depend on the Auth0 third-party service. We can use the normal password authentication method to grant user access. E.g. users log in to the system using username and password; if authentication is successful, grant a JWT token to the user. Then the user will use that token to access the REST endpoints.
We can use a passportjs-like library to provide Auth2 support, if we are not happy to go with the Auth0 service. Yet we can use JWT in Tracker. JWT allows us to handle requests in a stateless manner, which means we don't have to save tokens in a database such as Redis. So it's highly scalable when we are following a microservice architecture, as we are doing in Tracker (single-page web UI with Angular).

I can integrate JWT with Tracker, if you like.

P.S. I sent a mail to the Google group, can you have a look at it?

@agentmilindu
Contributor Author

I'm more than happy if you can proceed with this :) I'll look into the email.

@milankarunarathne

@agentmilindu Okay, I'll integrate JWT and provide security for the API.

@pupudu

pupudu commented Mar 23, 2016

@agentmilindu @rhperera
Good news! I was able to implement the authentication of a user and sending a token using JSON Web Tokens. Please find the implementations at my local fork: https://github.com/pupudu/Tracker.git

To test this, please add a new collection with the following user for testing. Otherwise, a "no user found" response will be sent.

```json
{
    "userDetails" : {
        "name" : "pubudu",
        "username" : "dodan",
        "password" : "$2a$08$WLDpie.iVKIOl4QTh4fGRuMlPlRymPh0hUc7Ujyt8fs/P.woGZkoe"
    }
}
```

To test the route, please send a POST request to /authenticate with the following body.

```json
{
   "username": "dodan",
   "password": 1
}
```

I will send a pull request when the middleware to validate tokens and a route to register users are also implemented.

@pupudu

pupudu commented Mar 23, 2016

On second thought, I will send the pull request now. I will send another PR again with the implementations for creating a user and the middleware to validate tokens.

@pupudu

pupudu commented Mar 23, 2016

Update - I have implemented a local login strategy for authenticating a web user using passportjs. This can be easily extended to authenticate all API calls before processing. Please see the update at my local repository. I will send a PR after implementing a sign-in UI using the routes written.
