Protect REST API after social login with Node.js and Express.js

TL;DR

Scenario

This flow solves your troubles!

Social login validation and authentication flow; each step is detailed further below.
  1. when a User does the social login, the Social network gives back a “social access token”
  2. the App sends the “social access token” to the Server
  3. the Server validates the “social access token” against the Social network API
  4. the Social network API returns the user profile
  5. the Server issues a “user token” and gives it to the App, along with the “user profile” information
  6. the App can display the “user profile” information, which comes from your Server
  7. the App asks the Server for a protected resource, using the “user token”
  8. the Server validates the “user token” and returns the protected resource
  9. the App can now display the resource; everyone is happy and secure.

1. User does the social login

Google Sign-In response (the scope lists the googleapis.com endpoints the token is good for):

{
  "token_type": "Bearer",
  "access_token": "[a complex string I won't share]",
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.me openid email profile",
  "login_hint": "[a complex string I don't want to share]",
  "expires_in": 3600,
  "id_token": "[an even more complex token I won't share]",
  "session_state": {
    "extraQueryParams": {
      "authuser": "0"
    }
  }
}

Facebook Login response (the authResponse object returned by the Facebook JavaScript SDK):

{
  "authResponse": {
    "accessToken": "[a complex string I won't share]",
    "userID": "[your user id]",
    "expiresIn": 4003,
    "signedRequest": "[an even more complex string I won't share]"
  },
  "status": "connected"
}

2. App sends the “social access token” to the Server

3. Server validates the “social access token” against the Social API

Given a Google id_token, this function verifies it against the Google API.

4. Social API returns the user profile

For Facebook, the Server has to call the Facebook API three times:
  • The first time is to get an “app access token”, which authenticates your client (the Facebook App)
  • The second time is to validate the “social access token” using the “app access token”
  • The last time is to get the user profile

5. The Server issues a “user token”, and gives it to the App, along with the “user profile” information

{
  "token": "fyJtbGyiOiJIUzI1NiIsInR5cCI6IkpXVCJ9.k_yJzdWIieqIxMTA3MTc1NDExMzA0MzQ3MTY1OTYiLCJleHAiOjE1MTc0OTM0MzQsImlhdCI6MTUxNzQ4OTgzNH0.lttUzw4zm7BmKzQxuyhoN94Dc0T3arqu8d12YzMeSE8",
  "user": {
    "name": "your name",
    "pic": "https://lh5.googleusercontent.com/-QB9JJeft6oE/AAAAAAAAAAI/AAAAAAAAAAA/ACSILjV0dkHDv9VERWljVuekRs8GNZW-ew/s96-c/photo.jpg",
    "id": "[your google id]",
    "email_verified": true,
    "email": "your.email@gmail.com"
  }
}

6. The App can display the “user profile” information, which comes from your Server

7. The App asks the Server for a protected resource, using the “user token”

8. The Server validates the “user token”, and returns the protected resource

  • check the token existence
  • validate the token signature
  • check the token expiration
  • check user grants for a specific resource (optional but useful)

In short, the middleware verifies the presence of the token, then its signature and temporal validity, before the request reaches the resource handler.

9. The App can now display the resource, everyone is happy.
