node.js - REST / Web based authentication-as-a-service a possibility? -

-

i've developped rest based service using express , started implementing authentication myself. simple username/password authentication

  • passwords encrypted using bcrypt
  • user info + hashed passwords stored in mongodb
  • password verification checks done.
  • authentication tokens (limited ttl) generated / validated

i have knowledge on node.js, not sufficient make me feel comfortable rolling out own authentication (login/signup) mechanism.

for reason replace in-house mechanism else.

something proven, extendable, pluggable , easy use.

given amount of secure websites / rest apis out there based on node.js, i'm sure there out-of-the box solutions people / companies have offer can service implementors , running quickly, without having worry security/user aspect.

i'm looking even higher level of abstraction of libraries passport or everyauth. provides out-of-the-box functionality, capable of fulfilling requirements including :

  • providing login page / signup page / profile page
  • different authentication modules (google,facebook,github,....)
  • storing user info (+credentials if required) in datastore (mongodb).
  • remember me
  • forgot password / reset password

so question here :

  • are there out-of-the-box solutions available offer higher level of abstraction passport/everyauth/... ?
  • if any, recommend of these out-the-box solutions ?
  • should instead forget notion of outsourcing user authentication , start looking @ passport , everyauth , start implementing requirements using libraries ?
  • is possible focus on business logic , not worry @ aspect regarding user authentication (writing login / signup pages , implementing forgot password / reset password flows, storing user info in db).

the service api should largely live independent of authentication mechanism, i'd recommend starting behind simple password protected folder or such. in opinion better make sure you're api works , can gain traction. meaning it'll more long term project. nothing kills project quicker focusing on painful stuff right out of box.

as far service use? it's non-trivial setup security well. small startup project, it's more cost-effective integrate service. might take @ mozilla persona. it's built on node , pretty straight forward.

if try roll own outside expertise, , don't stupid stuff use hashing algorithm sha1 store passwords. instead use bcrypt. there other things like, don't store server logs on server they're created. pipe out logs elsewhere if there's intrusion have forensics trail happened.


Comments

Post a Comment

Popular posts from this blog

javascript - Count length of each class -

-
i have below code in this fiddle . html <span class="myname">john smith</span> <span class="myname">john smith</span> <span class="myname">john smith</span> <span class="myname">john smith</span> <span class="myname">john smith</span> <span class="myname">john smith</span> javascript $('.myname').each(function(){ var text = $(this).html().split(' '), len = text.length, test = $(this).val().length, result = []; console.log('outside: ' + test); for( var = 0; < len; i++ ) { result[i] = '<span class="name-'+[i]+'" >' + text[i] + '</span>'; console.log('inside: ' + test); } $(this).html(result.join(' ')); console.log('after
Read more

What design pattern is this code in Javascript? -

-
this question has answer here: why write “.call(this)” @ end of javascript anonymous function? [duplicate] 4 answers what kind of design pattern , significance of using closure? (function(){ // code here }).call(this); edit then difference between above code , following this keyword still refer same object in both ways. (function(){ // code here })(); thats invoked function expression. more info here: http://benalman.com/news/2010/11/immediately-invoked-function-expression/ the purpose run code while protecting scope (so variables declared within don't leak out global scope. update call sets value of this function being applied on. without it, value set window object, there set outer scope.
Read more

hadoop - Restrict secondarynamenode to be installed and run on any other node in the cluster -

-
i have have cloudera cdh3u4 cluster setup. have secondarynamenode daemon running on 1 of nodes. i have ensure user has root access node on cluster (for example, datanode not have other daemons running) should not able start instance of secondarynamenode daemon on node (thereby having 2 secondarynamenodes on cluster) how can achieve this? thanks in advance. add property hdfs-site.xml namedfs.secondary.http.address valuesecondarynamenode-host address or ip:50090
Read more