Authentication and authorization of API #2
Ya, that will be the ideal choice. What about JSON Web Token (JWT) for the token passing? Since we are using nodejs, it's good to take a look at this also.
Yes, JWT is a good mechanism. And if we can connect it to an authentication framework like passportjs, we can have many more authentication mechanisms without any problem. Have to check if this is possible.
@agentmilindu @rhperera I'd like to work on this issue. I have some previous experience of using JWT with one of my applications. As you know, Auth0 is acting as an authentication broker, so we have to create an account in Auth0. They are giving free accounts for open-source projects, as long as we display that we are using Auth0.
Hi @milankarunarathne, you are most welcome to work on this issue :) However, I doubt the use of Auth0 would be a wise choice in this project. The idea of the project is to be a base for device tracking applications. People who develop apps using Tracker may not be happy to use a third-party service. It is good if we can avoid such dependencies on external parties. What's the benefit of Auth0 over handling authentication internally in Tracker? There are node packages which provide integration with many services. WDYT?
@agentmilindu we don't always have to depend on the Auth0 third-party service. We can use the normal password authentication method to grant user access. E.g. users log in to the system using username and password; if authentication is successful, grant a JWT token to the user. Then the user will use that token to access the REST endpoints. I can integrate JWT with Tracker, if you'd like? P.S. I sent a mail to the Google group, can you have a look at it?
I'm more than happy if you can proceed with this :) I'll look into the email.
@agentmilindu Okay, I'll integrate JWT and provide security for the API.
@agentmilindu @rhperera To test this, please add a new collection with the following user for testing. Otherwise, a "no user found" response will be sent.
To test the route, please send a POST request to /authenticate with the following body.
I will send a pull request when the middleware to validate tokens and a route to register users are also implemented.
On second thought, I will send the pull request now. I will send another PR with the implementations for creating a user and the middleware to validate tokens.
Update: I have implemented a local login strategy for authenticating a web user using passportjs. This can be easily extended to authenticate all API calls before processing. Please see the update in my local repository. I will send a PR after implementing a sign-in UI using the routes written.
We have to use some kind of a way to protect the endpoints, maybe using a token-based mechanism.
What are the good solutions?