A more general question about some of the shortcomings of several proposals for implementing a token-based authentication system, caused by the fact that Node.js does not seem to have a finished result.
Since we want to create a server without an API to manage our data warehouse, we want to provide our users with an authentication token ("travel ticket") that will be included in every API call.
The question is how to generate this token in a safe way.
[idea 1]
- The user requests an authentication token by sending (user_id, password_hash) to the server
- The server responds with (user_id, expiry_date), signed by the API servers with a random key
- The server can check the validity of the token for each request
- The server will need to store tokens for a limited period of time

[idea 2]
- The same as above, but do not send a password hash
- The user requests an authentication token
- The server sends a challenge to the user; the user then hashes the challenge with his pair (user_id, password_hash)
- The server checks this and then generates the token in accordance with idea 1

[idea 3]
- Use the password hash itself as the authentication token sent in each request, to avoid the problem of token management
- A simplification, but with no time limit

[idea 4]
- Same as 2, but challenge_hashed_by_(user_id, password_hash) becomes the token and is sent in each request
Thanks for any pointers