How should I handle authentication for a simple iPhone chat app?
Backend
I'm building the backend using two application servers:
Sinatra REST Server
It lists users & old messages.
Node.js WebSocket Server
It sends & receives new messages.
Proposal
When a user signs up or logs in, the REST server returns an access token.
The iPhone app passes that access token to the WebSocket server on connection.
The WebSocket server derives the user ID from the access token.
Thoughts
I want to do the least amount of work that will make the app reasonably secure.
iPhone App Authentication: Store a shared client_secret on the iPhone app using Keychain Services. Pass the client_secret to the REST server for the sign-up & log-in requests. This allows the REST server to verify all requests are coming from the iPhone app and thus prevent attackers from signing up or logging in from other clients. Facebook authenticates iOS apps by only using app & bundle IDs. That would be cool because then I wouldn't need to create a client_secret, but I'm not sure how they do it.

Access Token Generation: It'd be cool if the user ID was somehow encrypted in the access token with a secret shared between the REST & WebSocket servers. Then, the WebSocket server could use the shared secret to verify the access token and extract the user ID from it. Is that possible? If so, what is a secure algorithm to achieve that? I think I can do this with HMAC, where the message is the user ID. If so, which HMAC algorithm should I use? Here are some of my recent thoughts on how to generate an access token. Something like HMAC would be cool because then I wouldn't need to store access tokens for every user ID, e.g., in a Redis database. Although, maybe that's what I should do. Because now that I think about it, if I use something like HMAC, and a user's access token is stolen, then how would I reset that access token without resetting all of them?