On Aug 14, 2014, at 9:26 AM, Mandeep Gulati <[email protected]> wrote:
> I am building a Node.js REST API for an Android application. During the
> registration phase, the user chooses a username which is unique. Based on the
> availability of the username, he/she is allocated that username and the user
> is created in the DB. Currently the API is exposed and all routes can be accessed
> by anyone.
>
> I want to add an authentication mechanism but don't want to make the end user
> enter any password. What should I use? I am googling around and finding some
> results citing HMAC or API-key-based authentication but I am not able to
> understand everything clearly. Is there any good tutorial available for
> beginners that explains this?
>
> PS: I am using the Sails.js framework for my development.

Usernames and passwords:
  Upsides: Easy, and usually needed in the first place.
  Downsides: Only secure over HTTPS or with digest authentication; slow, and you can't use digest auth if passwords are properly strongly hashed.

Tokens / API keys:
  Upsides: Easy to check, can be structured to separate 'device authorization' from 'authentication' -- if users have multiple devices or sessions and you'd want to disable some without requiring re-login, this is a plus.
  Downsides: You still have to authenticate, which means a username and password. If you use OAuth2, it's a huge, badly written, hard to understand, incomplete spec.

HMAC:
  Not actually an authentication mechanism, though usable as a primitive to start building one.

SSH or other public/private keys:
  Upsides: Can be securely set up with nearly no user intervention; easy to check; can do device authorization if you structure it right. You use an HMAC + signature over part or all of the request to authenticate it. Faster than verifying a strongly hashed password.
  Downsides: Requires some crypto understanding. Not supported in browsers.
Note: check out https://github.com/joyent/node-http-signature/blob/master/http_signing.md

--
You received this message because you are subscribed to the Google Groups "nodejs" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/C7B44929-2640-44F6-93C3-0129A55E421A%40nbtsc.org.
