- Web Framework: Expressjs https://expressjs.com/
- DB: MongoDB through mongoose ORM https://mongoosejs.com/
- OAuth with Github OAuth2.0 apps and passportjs http://www.passportjs.org/packages/passport-github/
- JWT through jsonwebtoken
In progress.

Currently runs on localhost:4000/api

This backend is designed to log a user in and hand them a JWT that grants access to all other Cyber Challenge APIs.
Current Flow (Github OAuth):
- Client clicks a login `<a></a>` and is directed to this backend (Challenge Auth Service) at http://localhost:4000/api/auth/github
- Challenge Auth Service authenticates through the authorization-grant OAuth flow with Github.
- Challenge Auth Service redirects the user back to the Frontend, but with a 30-second expiring `refreshToken` JWT passed through the URL search params.
- Frontend performs a POST to http://localhost:4000/api/auth/exchangetoken with the `refreshToken` in the `Authorization` header under the format `'Authorization': 'Token refreshToken'`
- Challenge Auth Service generates a long-lived (12-hour) `accessToken` JWT and returns it to the Frontend in a JSON body:

```
{
  accessToken: <accesstoken>
  username: <username>
}
```

- Frontend should save `accessToken` either in a cookie (can be vulnerable to CSRF), localStorage (can be vulnerable to XSS), or in memory (most secure).
After cloning, a `.env` file should be created with the below sample configuration:

```
GITHUB_CLIENT_ID=<IDFromGithubOAuthApp>
GITHUB_CLIENT_SECRET=<SecretFromGithubOAuthApp>
GITHUB_CALLBACK_URL=<server-host>/api/auth/redirect
FRONTEND_SERVER=<frontend-host>
```
https://developers.google.com/identity/sign-in/web/backend-auth