I have a node.js file which, when run, first authenticates the user by reading two strings from a JSON file.
However, there is a major problem with this approach:
JSON FILE
{
  "id": "12345",
  "apiKey": "foo"
}
JS FILE
// jsonFile is the parsed object from the JSON file above
function authenticate(jsonFile) {
  // the expected id and apiKey are hard-coded here, in the program shipped to the user
  if (jsonFile.id === "12345" && jsonFile.apiKey === "foo") {
    return true;
  } else {
    return false;
  }
}
is that the user can change the values in the JS file to match any values they want to put in the JSON file, so they can authenticate with anything.
One solution I thought of was using hashes with crypto, but the user can create a hash for any id or apiKey they want and change it in the files. The code will be obfuscated, but I thought I would ask whether there is a better way to do this.
I don't want the program that I give the user to be able to run with different apiKeys or ids, only the ones I have defined in the program, and they should not be able to change them.
Thanks in advance.
Assuming your node.js file is running on your server and you are authenticating requests from your clients, then you should look at passport.js or another authentication library. Credentials should never be passed to a server in clear text, but even if your client changes the credentials, it doesn't mean they'll get authenticated on the server, because the server authenticates using a database of registered users. Your example suggests you are looking for "bearer token" authentication (apiKey), so here's a link to the passport-http-bearer docs on the passportjs.org website.