Mobile development
Michael Kim, 2016-11-06 22:33:15

How should the user be authorized on the server?

I am writing a server for a mobile application. I have a few thoughts on how to implement authorization, but I don't know how correct and secure they are: the user enters their login and password in the client, the data is sent to the server -> a token with a 12-hour expiration date and a refresh token are generated -> they are sent to the user and the client saves them -> then all requests to the server come with the token -> the server checks the token and whether its expiration date has passed; if it has, it sends an error, the client accepts it and sends the refresh token, the server checks it, and if everything is fine, it sends a new token. Do I understand correctly? Or is something different needed?


2 answer(s)
aol-nnov, 2016-11-06
@aol-nnov

Why not use ready-made algorithms? E.g. OAuth2.

Igor Kalashnikov, 2016-11-11
@zo0m

https://jwt.io
A modern approach; in short, the user keeps a token, and the server keeps a key that proves to it that the token is not fake.
The cool thing is that this way you can store session data for the user, which is good for scaling the project (you don't need to think about which node the user's session lives on; you can send the request to any of them). I.e. you can store, for example: {userId: 123, userRole: 'admin'}
The problem with JWT is refreshing the token. People either make access unlimited or, for example, valid for a month, after which the user is forced to log in again. Inconvenient, but solvable; on Stack Overflow there were examples of getting around this limitation with a refresh token.
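The flow from the question (12-hour access token plus refresh token) combined with the JWT approach from this answer, as an added example that is not part of the original thread: the access token is an HS256 JWT carrying the session claims and an exp claim, while the refresh token is an opaque random value stored only as a hash and rotated on every use. SECRET, the TTLs and the in-memory REFRESH_STORE are constructed stand-ins for a real secret store and database.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key-32-bytes-long!!"  # constructed sample; load from a secret store in practice
ACCESS_TTL = 12 * 3600           # 12 hours, as in the question
REFRESH_TTL = 30 * 24 * 3600     # 30 days
REFRESH_STORE: dict = {}         # sha256(refresh) -> {"sub": user id, "exp": unix time}; stands in for a DB

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(claims: dict, now: int) -> str:
    """Stateless HS256 JWT carrying the session data (userId, role, ...) plus an exp claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({**claims, "exp": now + ACCESS_TTL}).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def verify_access_token(token: str, now: int) -> dict:
    """Return the claims, or raise ValueError('expired') / ValueError for any other defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # Pin the algorithm: never let the token's own header choose the verification method.
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def issue_refresh_token(user_id, now: int) -> str:
    """Opaque random refresh token; only its hash is stored, so a leaked store cannot be replayed."""
    raw = secrets.token_urlsafe(32)
    REFRESH_STORE[hashlib.sha256(raw.encode()).hexdigest()] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return raw

def refresh(raw_refresh: str, now: int) -> tuple:
    """Exchange a refresh token for a new access token; rotate so each refresh token is single-use."""
    rec = REFRESH_STORE.pop(hashlib.sha256(raw_refresh.encode()).hexdigest(), None)
    if rec is None or rec["exp"] <= now:
        raise ValueError("invalid or expired refresh token")
    return issue_access_token({"sub": rec["sub"]}, now), issue_refresh_token(rec["sub"], now)
```

The client handles ValueError("expired") by calling refresh(); the server-side store is what lets a refresh token be revoked, which a purely stateless JWT cannot be before its exp.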
