Hey guys,
I'm starting to work with NodeJS, and I'd like to know more about security. Basically I'm building an API and I want to protect it. Is passing a username and password enough? Do you guys have more experience in security? Have some ideas?
Many thanks!
Read OWASP projects. For example the Application Security Verification Standard is a good start.
Also, it's never just passing a username and password, as there are so many things to keep in mind about how they are passed (transport security), how they were generated (long enough?), how they are stored (bcrypt / scrypt?), how sessions are handled (what if multiple people login using the same credentials? How to terminate a session? Should there be sessions at all?), how authentication verification is computed (and what attacks might be possible, for example timing attacks, D-/Re-/DoS, SQL/JS injection,...) and so on and so on.
It may be better to use API tokens for authenticating calls to your API. Other options are OAuth2 or JWT. Make sure that you allow connections only over HTTPS (especially if you decide to use OAuth2, since the protocol relies on TLS for providing confidentiality and integrity). In general, most typical web-app vulnerabilities (maybe excepting XSS) apply to APIs (I assume we are talking about an HTTP API). OWASP provides good info and guidelines. Good luck!
Sidhant Panda
Programmer
Passport is a great tool to get started with authenticating your APIs.
You can use the many 'strategies' available to signup users. You can use the token strategy to authenticate your API calls.
The next step would be to add an SSL certificate to your server and use the secure HTTPS layer to make your requests. You could head over to Let's Encrypt to learn more.