How We Think About Securing Express.js APIs in 2024

1

Permit.io

When the third case starts popping up, that's when an authorization provider like Oso or Permit.io starts to sound appealing. Centralized, easily readable authorization logic combined with easy queries for "what users are allowed to perform this action?" sounds great when your authorization logic starts to get a bit too complex. And we're finding a few cases where our authorization logic is getting too hard to reason about, so we're also considering switching to an authorization provider.

#Identity And Access Management #Identity Provider #SSO 16 social mentions

2

Oso

When the third case starts popping up, that's when an authorization provider like Oso or Permit.io starts to sound appealing. Centralized, easily readable authorization logic combined with easy queries for "what users are allowed to perform this action?" sounds great when your authorization logic starts to get a bit too complex. And we're finding a few cases where our authorization logic is getting too hard to reason about, so we're also considering switching to an authorization provider.

#Developer Tools #Access Control #Open Source 7 social mentions

3

JSON Web Token

We prefer randomly generated access tokens that we store in MongoDB using an AccessToken Mongoose model over JWTs. JWTs are faster, because you don't need a database round trip to validate a JWT.

#Identity Provider #Identity And Access Management #SSO 300 social mentions

4

Auth0

Securing your Express.js API involves a lot of tradeoffs. Do you use cookies or authorization header, JWT or access token? Do build your own authentication or use something like Auth0? Do build your own authorization or use a service like Oso? In this blog post, I'll cover how Mastering JS currently thinks about security for the numerous Express APIs we maintain.

#Identity And Access Management #Identity Provider #SSO 193 social mentions