So I'm making a mobile app, which will use the API I'm writing. The API will be used only by the mobile app, and not by anyone else (maybe I'll allow others with a limited method set?).<p>The API itself, works except I'm concerned about:
- Security
- It being stateless<p>I'm using passport.js for user authentication, and a RedisStore for storing user sessions:<p><pre><code> app.use(express.cookieParser());
app.use(express.session({
secret: secrets.sessionSecret,
store: new RedisStore({ host: 'localhost', port: 6379 })
}));
</code></pre>
For api calls that require an authenticated user, I just check if the `req.isAuthenticated()` method is true or not. Pretty standard.<p>However, my reading and research suggests that API's that reply on sessions are poor design. How do I change that? What is a good, not complicated design for this kind of a model? What should I be doing given my use case? Any code samples?