I'm building a JSON RESTful API with node.js and express.js,
the API will be accessed both by client side AJAX calls (from Ember.js) and by a native Android mobile app (standard HTTP requests).
I'm looking into two things:
1) authentication - how to know which user is accessing the API. In development I used an API key for each user and passed it in the request header.
2) security - how to make sure only real authenticated users access private data.
Are API keys a good strategy both for native mobile clients and for AJAX calls? (The user sends user+pass to the API and receives an API key, which is then used for additional requests.)
Should I be looking at something like OAuth (1 or 2)? I currently don't have plans for 3rd-party applications to access the API, so I don't need Authorization, but this can change in the future.
Does it mean that I need to have my own OAuth provider server?
You may use the express.js sessions for normal authentication with a session key stored in the session store. For compatibility with non-cookie REST calls, you may use an additional field, "mySessionId", added to the query or to the body of the request. Then modify your authentication verification to check for that extra field. Perhaps an example would be more useful:
In express:
var express = require('express');
var session = require('express-session'); // cookieParser/session were bundled with Express 2 and 3; in current Express they are separate packages

var server = express();
server.use(session(sessionInfoObject)); // sessionInfoObject carries the secret, cookie and store options

server.get("/path/to/endpoint", function(request, response) {
    if (typeof(request.query.mySessionId) != "undefined") {
        // non-cookie client: look the session up by the id it passed explicitly
        // eg: if (getSession(request.query.mySessionId).isAuth) {}
    }
    else {
        // cookie client: express-session has already loaded request.session
        // eg: if (request.session.isAuth) {}
    }
});
If you choose to go down this path, make sure that when you authenticate the user, you also add user-related data in the session. It will make your life a lot easier. Example:
if (authenticated) {
    request.session.isAuth = true;
    request.session.customId = customId;
}
There are alternatives, but this is the one that I find easiest.