This is a very interesting question, I am surprised that no one has answered yet.
1) To the first question, my answer is definitely yes! You do not want to write API logic 2 times.
What you can do is use different URLs.
E.g. for the public API you use http://api.domain.com/objects/ , while for the relatively internal one you can use http://domain.com/api/objects/ or whatever you prefer.
Then you use the same logic, but with different authentication strategies. Public with an authentication token, like many popular APIs (Twitter, Facebook, etc.) and Private using passport.js logs.
Good things about sharing:
- You share security concerns.
- You can control access bandwidth if your application transfers a lot of data (and you want to give higher priority to your application ... well, maybe!)
- Or you can just control authorization (e.g. DELETE via an open API)
2) I am not a security guru, but I would definitely trust the passport.js authentication system, since it is widely used when using node as a backend.
You can refer to this question for implementing CSRF security in express: How to implement CSRF protection in Ajax calls using express.js? (look for a complete example)
Or another strategy is to use an update token if you use FB or Twitter strategies.
Hope this helps.
Augustin iedinger