
How to use JWT for a proxy server written using Node.js?

This is absolutely a newbie question, and I am a Node.js beginner.

I am not sure this is the right place to ask this question, but I may need ideas from this large community. So let me explain what I am trying to do.

Server Configurations:

  1. Node.js - 4.0.0
  2. Hapi.js - 10.0.0
  3. Redis

Scenario:

I am writing a proxy server in Node.js using hapi.js. My backend is an ATG-based e-commerce website, and my APIs are going to be consumed by web browsers, mobile apps, etc.

We planned not to send the cookies sent by ATG to either the browser or the mobile app.

So, to maintain sessions and cookies from ATG, this is how we did the POC.

First, we planned without considering storing the anonymous user cookies returned from ATG. So we have done two POCs.

(Many of us know what an anonymous cookie is; anyway, let me explain it with one phrase: Guest Checkout. There are many ways to accomplish this, but my commerce backend is implemented like this. When you go to the website, you add items to the cart and check those items out without logging in, right? This is what happens in the background: whenever you add items, they are only stored in your browser cookie, not in a persistent database. If the user wants to log in / sign up to an account, that cookie is retrieved from the browser and stored in the database (basically, the anonymous cart is transferred to the logged-in user).)

POC-1 (Not Considering Guest Checkout):

  1. To access my API, the user must be logged in. After a successful login, we generate a rand-token, store it in the Redis DB associated with the cookies sent from ATG for the logged-in user, set a TTL of 1 hour, and return that token to the client.

  2. Now, whenever they invoke any of the API methods, they should send the token in the Authorization header. I will check the token's validity, extend the TTL for another hour, retrieve the cookies associated with that token, set those cookies in the ATG request options, and make the request.

  3. On logout, I will clear the cookie and delete the token.

I have successfully implemented JWT for this scenario by generating a JWT token with the user's logged-in information in the JWT payload. I used hapi-jwt-auth2.

POC-2 (Maintaining Guest Cookies):

  1. My API will have an endpoint /auth/generatesession, which in turn will return a 64-byte random token (we are using the rand-token npm module for that) which will expire in 24 hours.

  2. All the methods need that access token passed back to me in the Authorization header, and I will extend that token's TTL to 24 hours.

  3. Now they can invoke any API methods, like addtocart or something. Even after adding items to the cart, if they suddenly want to log in or something, I can use their guest session cookie and transfer that cart to the persistent database after a successful login.

Questions:

  1. Should I use JWT for the second scenario? If so,
  2. How can I implement JWT for the second scenario? (Because I don't know who the user is.)
  3. Does anyone think it is a good idea to write a proxy server like this?
  4. How can I streamline the session expiry of this token with the ATG session expiry?
  5. Is anyone using Node.js like this? How does it scale?
  6. If anyone cares to give me an idea of how to write this proxy server, it will be very helpful for me.

I apologize if this is too long a question; it's just my way of explaining things.

Thanks in advance.

Answer:

  1. Sure, why not?
  2. You don't necessarily need a user. A JWT stores arbitrary data; the username can be blank or anonymous. If a user logs in and provides a token associated with a guest cart, then it can be assumed that that user is allowed to claim the contents of that cart, and the anonymous cart can be destroyed.
  3. Sure, this is quite common (disclaimer: I've worked on something very much the same as yours).
  4. TTL is reasonable, but I have no idea what ATG is or how it handles it.
  5. Yes. It scales very well as long as you ensure your servers are stateless, and that you manage all your state through something like Redis.
  6. Too broad of a question; I would just use Express + Redis/Mongo/Postgres.
