Is this a secure method for user authentication? If so, can it be simplified to reduce the total number of...












0














I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



In essence the steps I am taking are:




  1. User visits Next.JS served page.

  2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

  3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

  4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

  5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

  6. This new access token is used for subsequent requests to the API.


This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



Am I over-complicating this? Is there a simpler method that I'm just not seeing?










share|improve this question



























    0














    I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



    In essence the steps I am taking are:




    1. User visits Next.JS served page.

    2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

    3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

    4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

    5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

    6. This new access token is used for subsequent requests to the API.


    This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



    From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



    Am I over-complicating this? Is there a simpler method that I'm just not seeing?










    share|improve this question

























      0












      0








      0







      I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



      In essence the steps I am taking are:




      1. User visits Next.JS served page.

      2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

      3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

      4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

      5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

      6. This new access token is used for subsequent requests to the API.


      This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



      From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



      Am I over-complicating this? Is there a simpler method that I'm just not seeing?










      share|improve this question













      I've been digging around in Koa and had a setup which seemed to work fine. I then decided SSR would be beneficial and I'm struggling a bit with creating a method for authentication which is straightforward.



      In essence the steps I am taking are:




      1. User visits Next.JS served page.

      2. User clicks "Login with facebook" and a request is sent to my Koa server at /auth/facebook

      3. OAuth with passport occurs and a token is generated and stored for the user (either created then or updated)

      4. A very short lived token is generated and the user is redirected to the Next.JS application with the short lived token in the URL.

      5. Next.JS sends this short lived token to the Koa API and a real access token is returned and stored in a cookie.

      6. This new access token is used for subsequent requests to the API.


      This feels very complicated and I feel it might be possible to remove the short lived token step altogether.



      From what I have read, it is not a good idea to use Next.JS for back-end API related logic which is why the auth happens on the Koa-API server and hence the need to pass a short lived token to get a real token.



      Am I over-complicating this? Is there a simpler method that I'm just not seeing?







      oauth passport.js koa next.js






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 11 at 18:04









      Malii

      119110




      119110
























          1 Answer
          1






          active

          oldest

          votes


















          0














          After a bit of fiddling around, I cut it down to only a few requests instead.



          I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251643%2fis-this-a-secure-method-for-user-authentication-if-so-can-it-be-simplified-to%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            After a bit of fiddling around, I cut it down to only a few requests instead.



            I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






            share|improve this answer


























              0














              After a bit of fiddling around, I cut it down to only a few requests instead.



              I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






              share|improve this answer
























                0












                0








                0






                After a bit of fiddling around, I cut it down to only a few requests instead.



                I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.






                share|improve this answer












                After a bit of fiddling around, I cut it down to only a few requests instead.



                I moved Passport.js into a custom Next.JS server (using Koa) and set the callbacks to target Next. Then I verify the token on each request as it is now stored by Next.JS instead of with my API server, cutting out 4 and 5.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 14 at 22:45









                Malii

                119110




                119110






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251643%2fis-this-a-secure-method-for-user-authentication-if-so-can-it-be-simplified-to%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Full-time equivalent

                    さくらももこ

                    13 indicted, 8 arrested in Calif. drug cartel investigation