Authentication front-end for accessing local services


izal...@gmail.com

Aug 23, 2017, 11:02:18 PM8/23/17
to nodejs
Hello,

I have 3 local services in my server at:
  • localhost:3001
  • localhost:3002
  • localhost:3003
I do not want to expose them directly to the outside, so those ports are only open to local connections.

I want to build a simple front-end with user authentication, so that when a user is logged in he can access the 3 services from the outside.
I was thinking of using a nodejs based proxy so that only logged-in users can get access to the services, but I am not sure if this is possible, and in case it is, which would be the best combination of modules to do so.

Does someone know a simple approach to get this done?

Thanks!

DaneiL

Aug 24, 2017, 12:02:04 AM8/24/17
to nod...@googlegroups.com
Hello, you could use jwt.io.
It requires a service to make a login, after that you can share a token between your apps so that only logged users can make requests to your api.
Here is a working example, a microservice for login, for you to use a shared key between your apps:
https://github.com/danizavtz/tokenAuth

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscribe@googlegroups.com.
To post to this group, send email to nod...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/e4efef67-6d5d-46d1-ad0f-293f698c7e76%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
[]'s

Dave Sag

Aug 25, 2017, 9:22:16 PM8/25/17
to nodejs
JWT is fine for server to server auth but not so fine for browser to server auth as the JWT itself is publicly decodable.  JWTs are not encrypted, merely encoded.

For tokens that are in user land you need to use JOSE instead of JWT

Coincidentally I just finished writing up an article on this very issue


Cheers

Dave

Jaret Flores

Aug 26, 2017, 12:54:55 PM8/26/17
to nodejs
JWTs are signed so that users cannot alter their contents even though the data can be viewed. Using the OP's example, suppose a user is authenticated and is given a JWT with JSON

{ "service1": true, "service2": true, "service3": false }

which shows the services this user can access. Since the JWT is signed, the user could not

1. Decode the token
2. Change false to true for service3
3. Resign the token (can't do this without application secret, and this needs to happen or JWT verification will fail server side)

Therefore, if you give that token to the user, there is no way they can get access to service3 (assuming you give access to service3 based off the JWT). As usual, you should use https to prevent others from getting this user's token so they cannot impersonate the user (but this is an issue independent of JWT).

However, this still may not be a good idea since the user can look into the token and learn about your infrastructure - if they didn't know about service3 before, now they would. So in general, one should use caution when deciding what should be included in the JWT.