Merc Merc - 1 month ago 5x
Node.js Question

Generating API tokens using node

I am writing an app that will expose an API. The application allows people to create workspaces and add users to them. Each user will have a unique token. When they make an API call, they will use that token (which will identify them as that user using that workspace.

At the moment I am doing this:

var w = new Workspace(); // This is a mongoose model = req.body.workspace;
w.activeFlag = true;
crypto.randomBytes(16, function(err, buf) {
next(new g.errors.BadError503("Could not generate token") );
} else {
var token = buf.toString('hex');

// Access is the list of users who can access it. NOTE that
// the token is all they will pass when they use the API
w.access = { login: req.session.login, token:token, isOwner: true }; function(err){
next(new g.errors.BadError503("Database error saving workspace") );

My question is: is this enough? I don't think I will have billions of users (there is always hope :D ); however, is this a good way to generate API tokens?

Or, since the token is name+workspace, maybe I should do something like md5(username+workspace+secret_string) ...?



If you using mongodb just use ObjectId, othewise I recommend substack's hat module.

To generate id is simple as

var hat = require('hat');

var id = hat();
console.log(id); // 1c24171393dc5de04ffcb21f1182ab28