0

I'm developing a web service that have following structure:

  1. Web Server: this is implemented with NextJS which do Server-Side Rendering and serve server-side rendered webpage data to Client.
  2. API Server: and this one is implemented with NestJS. Clients will send graphql queries/mutations to this server.
  3. Client: any clients can visit my web service and sign in (or sign up)

and I want to implement authentication feature for my web server, but problem is came up here. how can I share the auth data between Web Server, API Server, Client? if you signed in on your own browser, eventually a signing request will be sent to the API server.

but there's literally no way to know whether the client is signed in or not from Web Server. I mean, auth data (whether if user has signed in or not) will be stored only at API Server.

I had searched and spent a lot of time about this and I've got an answer that I have to use JWT Token but there were several ways to store it:

  1. Storing it on clients' web storage: I don't think this can be an answer since the Web Server shouldn't able to get clients' web storage data. this means SSR (server-side rendering) wouldn't work well.

  2. Storing it on Cookie: this is bad too. because we send a signing in request to the API Server that will be on different container (or server) and domain. we cannot set cookies from different domain with proper way. and if we get token and store it cookies directly from client side (setting cookie from javascript), It will be really huge security issue since attackers can take users' token with XSS.

  3. Using Cookie but set from other subdomains with specifying Domain: we can specify domain for setting cookie. as far as I know, a response from api.example.com can set cookies for example.com with specifying Domain property of Set-Cookies value. read this

yeah, method 3 seems pretty neat to have but I absolutely don't know that setting cookies from another sub-domains will cause big security hole. my web service will process about users' money so security issues will come very critical.

someone I know advised me that I can use reverse proxy with paths not domain. I mean, if API Server was serving on api.example.com, we can serve it on example.com/api/* so now we can share the cookies between all the server and client. but we should store cookies on web storage too since cookies will be flagged as HttpOnly. this will cause increasing complexity of development.

In this case, which method will be the best answer for my case? are these methods I've mentioned above are really safe to do?

sophia
  • 161
  • 1
  • 13
  • 1
    You need a db and a central sign in location – GetSet Sep 17 '20 at 02:32
  • @GetSet if I use db just for signing up, I think It will just increase complexity of web server since we have to store additional information just for authentication. – sophia Sep 17 '20 at 03:25
  • Authentication is very important as you know. The increased complexity justifies the need for security – GetSet Sep 17 '20 at 03:28
  • Maybe look into an api key implementation. That seems like what you need. Research Oauth2 – GetSet Sep 17 '20 at 03:31
  • You can save authenticated information in the Redis Database which is accessible to all server. It is quiet fast. So, you can use this in your authentication and authorization middlewares. – Amaranadh Meda Sep 17 '20 at 04:29

0 Answers0