I am implementing a REST API for our mobile applications in which users will log in using the SDKs of various social media. Currently, the login strategy is as follows:
- The token(s) (access_token in the case of Facebook, access_token and refresh_token in the case of Google+) generated by the SDK are sent to the login endpoint of the API server.
- Upon verification of the token (using the respective endpoint of the social application), a JSON Web Token signed with a random string is generated and returned to the application, which then persists it in a secure key-value store. This token is kept in an authorization header for any other requests.
- The presence of the token means the user is logged in. When the user logs out (or the social media session expires), the token is deleted.
I have the following questions about this strategy:
- The token payload consists of the user id as well as an issue date. Currently, there is no expiry mechanism being implemented. Is this required in this case?
- Is this strategy secure? Can you see any shortcomings/loopholes in it?
- What strategy should be used to secure the login endpoint?