Where should I store access token
I am currently working on a chatbot for Facebook Messenger. I am working with the Microsoft bot framework and the code is written in node.js.

I am interacting with a database through an API. With every request I have to pass an access token inside the request header. I have read on the internet that you would usually store such a token inside a cookie or web storage. However, I also found out that you can't do that on Facebook Messenger. I was thinking about storing the access token inside a variable, but my concern is that this might not be secure. Is there any other secure way to store the access token?

I am fairly new to node.js and it is my first time working with tokens. Help is much appreciated.

Jacobjacoba answered 19/4, 2017 at 12:51 Comment(8)
Freak: "With every request I have to pass an access token inside the request header." Why?
Jacobjacoba: @BobSwager I have implemented account linking. The user has to enter his username and password. I send a POST request with those two values. If an entry with the given credentials exists in the database I get an access and a refresh token. I have to pass the access token with every request in order to send personalized data to the user.
Freak: I'm sure that you have a unique id for every user. Right? You don't have to refresh the token every time.
Jacobjacoba: @BobSwager Yes, I have a unique user id. Could you elaborate on what you mean by "You don't have to refresh token every time."?
Freak: When the user has linked his/her account successfully, you can get the proper data from the database. Why do you need to refresh the token?
Jacobjacoba: @BobSwager I need the refresh token in order to refresh the expired access token. However, the refresh token is actually not my problem, because we store it on the server. My problem is that I don't know where to store the access token.
Freak: Why do you want to store the access token when you are using account linking?
Jacobjacoba: I need the access token in order to get data from the database. I am doing an internship at a company and this is how they designed their API!! I have to work within those confines!! @BobSwager
You can use session.userData to hold your database token. If you are concerned about it being secure, then encrypt it before saving.

session.userData.dbtoken = encryptToken(token);

The token can later be retrieved and used when you need it:

var token = decryptToken(session.userData.dbtoken);
var databaseData = getUserDataFromDatabase(token);

https://docs.botframework.com/en-us/core-concepts/userdata/

Or, use a local database like NeDB: https://github.com/louischatriot/nedb This would be the most secure option, since the database would reside on your server.

Hanseatic answered 20/4, 2017 at 21:50 Comment(3)
Jacobjacoba: Would it add to the security if I encrypted the data before storing it inside the local database?
Hanseatic: "Would it add to the security"? Encrypted data is generally more secure than data that is not encrypted. However, if an attacker gains access to the source code and the encrypted token, they would also be able to decrypt the token. I don't know all of the requirements or details surrounding your particular project.
Driggers: How would you encrypt a token stored in nedb? Or is it not really needed? I'm storing API tokens so I don't need to reauthenticate every time the server makes a request. Instead, the token will last until it expires, then it will be updated through a script. For passwords I use bcrypt, but this is only useful if you are checking the token or password for your API, not for 3rd-party APIs.
I would suggest using express-session, for the following reasons. Create a session middleware with the given options.

Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.

Note Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.

Warning The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.

Gladiator answered 26/8, 2020 at 16:30 Comment(0)
Assuming this token does not change, you can store it as an environment variable, say TOKEN, and access it in the Node.js app as process.env.TOKEN.

Hardiness answered 10/3, 2019 at 8:21 Comment(0)