Token based authentication (in Node.js)

More of a general point-out-the-flaws question about some proposals for implementing a token based authentication system, motivated by the fact Node.js does not seem to have something ready made.

Since we want to build a state-less API server for manipulating our data store, we want to provide our users with an auth token (a 'ticket to ride') which will be included in each call to the API.

Question is how to generate this token in a secure way.

[idea 1]
- The user requests an auth token by sending (user_id, password_hash) to the server
- Server responds with (user_id, expiry_date), signed by the API server's random key
- Server can check validity of the token on every request
- Server would need to store tokens for a limited period of time

[idea 2]
- Same as above but avoid sending the password hash
- User requests an auth token
- Server sends the user a challenge; the user then hashes the challenge with his (user_id, password_hash) pair
- Server validates this and then generates a token as per idea 1

[idea 3]
- Use the password hash itself as an auth token, sent in every request, to avoid the token management problem
- Simpler, but then no time-limitedness

[idea 4]
- Same as 2 but the challenge_hashed_by_(user_id, password_hash) becomes the token and is sent in every request

Thanks for any pointers

Did you look at OAuth 2.0: http://hueniverse.com/2010/05/introducing-oauth-2-0/

There are also quite a lot of libraries that can handle it for you.

You can use OAuth 2.0 with Passport. Passport itself has a good example on how to use it and it's a proper solution for securing stateless APIs without sending the user password on every request.