I am building an API for a mobile APP. However, I want to also be able to allow other apps to use the API. If someone wants access to my API, they would request an clientKey and clientSecret that would be associated to that company (the one who is using the api). If someone makes a request to my API, given the clientKey I'd know which company is making the request and with the secret I could use HMAC signing to check authenticity. If a request is valid, then I will know which company is making the request and therefore can check if the request is valid for that company (a company would only be able to manage its own resources for example).
I am using node + mongoose + passport (for regular app users login).
Questions:
1) Does this seem like a good approach? 2) Are there any security flaws in this scheme? 3) Does anyone know a good stable node module that does this? 4) Any other thoughts are welcome
Long days and pleasant nights