Properly Securing Node.js APIs

Transcript

1. WebWeekend Kathmandu

2. Perfectly Securing Node.js APIs

3. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

   startup From Sri Lanka !

4. ?

5. Cookie vs Tokens

6. Cookie vs Tokens

7. Cookie Tokens Statefull Stateless Performance Decoupled

8. Advantages of JWT → Stateless → Scalable → Decoupled

9. Advantages of JWT (Cont) → Cross-Domain → CORS

10. Use cases JWT (Cont) → Back-end APIs → Serverless Applications

    → IOT Devices → Mobile Applications

11. Things to Remember → JWTs are encoded not encrypted! →

    This does not mean they can modify it though, even the slightest change will invalidate the token → Do not store sensitive information within a JWT. → Solution: JSON Web Encryption allows you to safely encrypt the claims of a token

12. JWT Token Structure header.payload.signature

13. Header Type of token and hashing algorithm → HMAC →

    ECDSA → RSA

14. Payload Your Token Payload

15. Signature Verification of Token

16. Libraries Almost all languages has JWT implementation.

17. How to use JWT

18. Install JWT Library For Node.js and Express.js

19. Create JWT

20. Verify JWT

21. Organizing code → Module based approach. → Configuration in files.

    → Auto load models and routes. → Keep your secret secret.

22. Config file Keep all changing config strings in one place.

23. .env file we use dotenv to load .env file.

24. Shall we move to code work though?

25. Summery → Some APIs needs to secure → Cookie vs

    Tokens → JWT is Stateless, Scalable, Decoupled → How to use JWT with Node.js

26. Code repository https://github.com/iamchathu/nodejs-api-starter

27. More Reading https://chathu.me/2017/08/28/jwt-introduction/

28. None

29. Thank you !