My application consists of a Node.js API in the backend, but I'm also creating the reference implementation of a JavaScript client, which is a SPA done with Backbone.
First, the API only accepts HTTPS requests; in case an HTTP request arrives on the server it ignores it completely and optionally can invalidate the password used in that request.
My server does not save state (no session / cookies) and I only use basic HTTP authentication, where I provide two ways to authenticate a request:
1- Submit credentials in the header: Authentication: base64('Basic ' + nomeDeUsuario:senha)
2- Send a request authenticated with method 1 to GET /usuarios/atual, which returns a token, which is an encrypted string * containing: nomeDeUsuario + '|' + dataDeExpiracaoDoToken. The client then sends the header Authentication: 'Token ' + base64(nomeDeUsuario:token).
* Encryption made with OpenSSL's aes-256-ctr algorithm. The private key is the hash of the user's password.
Method 1 can be used for server-to-server communication, so it is not suitable for the JavaScript client, because for all requests the user would have to enter their credentials unless such credentials were stored in the browser memory, which I do not know if it is safe enough. In addition, storing the credentials in the local storage would keep the user logged in indefinitely.

Method 2: The JavaScript client sends only one authenticated request with basic authentication and immediately discards this sensitive login information, storing only the token in the local storage. After a certain time this token will expire and a revalidation will be needed, almost emulating a session on the server.
On the server side I check the authenticity of a request made with method 2 simply by getting the hash of the user's password and trying to decrypt the token, so I check tokenDescriptografado.split('|')[0] === username.
Is this a safe approach? Is there a point I'm not taking into account? Given this approach, what kind of attacks would I be subject to?
* This is a # of a question I asked in Information Security