Verification and Authorization

Verification:

is used by businesses to ensure that users or customers provide information that is associated with the identity of a real person.

Authentication:

is the act of confirming the truth of an attribute of a single piece of data (a datum) that an entity claims to be true.

Json Web Token (JWT):

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

A plain JWT is stateless: it stays valid until it expires and cannot be revoked earlier, so relying on JWT alone is not always safe. For example, if you have logged in to an app server from your smartphone and then lose the phone, there is no way to prevent whoever finds it from accessing your data on the server until the token expires. Hence, we always need a secondary persistence layer beside JWT to verify the validity of a token.
Tokens2:

Tokens2 is an open source node.js project available on GitHub: https://github.com/bhajian/tokens

Tokens2 is a token based authentication module that works with two tokens:

  1. A JSON Web Token (JWT), which ensures that the logged-in user is a valid user.
  2. An access token, which ensures that the user has not been invalidated.

Protocol:

Tokens2 has two APIs:

  • Authentication: receives the userName and the user model (including the password) to verify the identity and authenticity of the user.
  • Verification: verifies that the user is a valid user and has access to the APIs, based on the information in the token.
    • Note: if the token is expired, the access-token is verified instead. The access-token is persisted and can be invalidated. For example, we can set the first token to expire after 1 hour and fall back to the access-token once it has expired.

If the UserModel below is the persistent model for users:

// User model used for authentication and verification.
// A stand-in for a persistent store: findOne(query, cb) looks a record up by _id or by userName.
var UserModel = {
  records : [
    { _id: 1, userName: 'jack', password: 'secret', displayName: 'Jack', emails: [ { value: 'jack@example.com' } ], save: function(){} },
    { _id: 2, userName: 'jill', password: 'birthd', displayName: 'Jill', emails: [ { value: 'jill@example.com' } ], save: function(){} }
  ],
  findOne: function(user, cb) {
    // Match on _id when it is given, otherwise on userName; return null when nothing matches
    // (the original fell through without calling cb when neither field was present).
    var key = user._id ? '_id' : (user.userName ? 'userName' : null);
    if (key === null) {
      return cb(null, null);
    }
    for (var i = 0, len = this.records.length; i < len; i++) {
      var record = this.records[i];
      if (record[key] === user[key]) {
        return cb(null, record);
      }
    }
    return cb(null, null);
  }
};
Tokens2 usage with Express:

  var express = require('express');
  var router = express.Router();
  var authenticate = require('tokens2').authentication.authenticate;
  var verify = require('tokens2').verification.verify;

  // This handler only runs when the tokens are valid. The first token (the JWT) expires in 15 minutes;
  // the refreshed token is exposed to the handler as res.token.
  router.get('/', verify({
    userModel: UserModel,
    secret: 'superSecret',
    expiresIn: '15m',
    cryptoAlgorithm: 'aes-256-ctr'}), function(req, res, next) {
        res.json({'message': 'you have landed here.', newtoken: res.token});
      });

  // This route returns the tokens if userName and password are correct.
  router.post('/authenticate', authenticate({
    userModel: UserModel,
    secret: 'superSecret',
    expiresIn: '15m',
    cryptoAlgorithm: 'aes-256-ctr'}));
  • This site is really cool. I have bookmarked it. Do you allow guest posts on your website?
    I can write high quality articles for you.
    Let me know.

    • behnam

      Hi,
      Yes, we may allow guest articles if the articles are high quality and technical.
      Please send an email to imotif.net@gmail.com I will follow up with you.