Need help doing authentication the right way.

#1

Greetings again (though my last post got no response; I guess the question in the post didn’t make sense or wasn’t worth…)!

I’ve been exploring Crossbar.IO and happened to be concerned whether I am doing things the right way, especially for authentication.

To give a brief context,

I have a dynamic authenticator guest worker written in JS.

  • myapp.authenticate

I have an express.js web server

I have multiple domains (not actual domains, but a way of separating users and devices into their own customer’s company) that group users.

I have users who connect to the express.js web server and also connect to Crossbar to get realtime updates.

I have devices that connect to Crossbar to update their state and receive commands from users or via the HTTP bridge.

For User -

When the user logs in on a browser and hits /login endpoint in express.js, express.js will authenticate the user.

Then the browser will try connecting to Crossbar with {authextra: { authType: 'user' }} using ticket authentication myapp.authenticate.

myapp.authenticate will check the auth’s authType, then look up the user DB to match the ticket secret and return account_id as authid.

For Device -

When the device wakes up, the device will try connecting to Crossbar with {authextra: { authType: 'device' }} using TLS authentication with myapp.authenticate.

myapp.authenticate will check the auth’s authType, then do its authentication.

I have two questions,

  1. Should users and devices use the same myapp.authenticate with authType, or should I separate them as myapp.users.authenticate and myapp.device.authenticate?

  2. Should express.js authenticate the user at all in the first place? My logic is that express.js has always been authenticating users, and for the sake of its middleware it just felt natural to do it in express.js; then, to have a WAMP session, I needed to authenticate it with Crossbar…

Thanks for reading and may the force be with you.


#2

Hmmmm, a bit to process here but my opinions on the matter are:

  1. Given your authentication works via either WAMP-TLS or WAMP-Ticket it might well make sense to split out the dynamic authenticator code
  2. That depends. Does the express side of things need to do work with the authenticated user?

#3

Thank you VERY much for your opinion Adam!
I was a bit lost as it was a pretty new field for me.

So now I see how my WebSocket transport setup can be.

Serving device auth via TLS and user auth via ticket would be the way to go, I believe (and WAMP-CRA for my backend?).

On the second question, I now think express.js does not need to work with the authenticated user. I was just concerned about decoupling the backend and web app sides, and as express.js serves web users, I just thought it had to be involved in the authentication in case I add more webapp-specific features.

Huge thanks again for clarifying it for me.


On Tuesday, December 5, 2017 at 9:11:34 PM UTC+11, Adam Jorgensen wrote:

Hmmmm, a bit to process here but my opinions on the matter are:

  1. Given your authentication works via either WAMP-TLS or WAMP-Ticket it might well make sense to split out the dynamic authenticator code
  2. That depends. Does the express side of things need to do work with the authenticated user?

#4

Just one more question, please…

I stated that I’d use WAMP-Ticket for authenticating users, but I believe WAMP-CRA is better suited for user authentication.

I wanted to authenticate my backend services statically in the config file since I don’t want to add backend credentials in my DB.

And I want the users to authenticate dynamically. What would be the way to achieve both?

Should it have two endpoints (one for users, one for the backend) open with different port settings?

Cheers!
