Node.js - OAuth 1.0 Server/Client Model Implementation Needed
I am looking for a server/client implementation of OAuth 1.0 two-legged authentication.
This is intended as security for a Web API. Both the server and the client will belong to me; however, not all members of my website should be able to access API data, and some should only have certain levels of access according to their roles. This must be accomplished using the two-legged model.
The server should be implemented with Node.js. It should respond to a client requesting access and perform OAuth 1.0 two-legged authentication. Using Passport.js is optional.
The client should be written in PHP and do the following:
- send the consumer key, consumer secret and callback URL in order to authenticate with OAuth 1.0
- also send a user identifier (an integer) so that the server knows which user is requesting access and can map it against defined roles to determine which level of access the user should be granted
- include a way to keep the consumer key and consumer secret 'fairly' hidden. I understand that nothing is 100% secure; I am only looking for something safer than keeping the consumer key and consumer secret in plain text in a publicly accessible location. It does not need to be over-complicated. Note also that the consumer key and consumer secret are application-level values and will always remain the same; the only changing item is the user id.
Here is the expected client/server flow:
- start from a state where a user is logged in to the application and now needs API access (Note: I do not require login/logout functionality in this implementation; a simple changeable variable will do, e.g., $curr_userid_logged_in=1;)
- client: sends a request to the server to be authorized
- server: receives the request and identifies the user by id
- server: determines the user's role by referencing a dummy account data source (a JSON file or a MySQL database). The levels should be: a=admin level, r=regular member, p=pro member. Other account data should include a dummy first name, last name and email.
- server: returns the user's role info
- client: displays a message showing the user id of the logged-in user, the access role of the user, and the user account's first name, last name and email
Expectations in delivering:
- Files and directories should be clearly organized.
- Code must be THOROUGHLY documented.
- Must come with THOROUGH documentation on how to set it up and test it on localhost.
All applicants should have attention to detail. To test that, I would like applicants to include a section with the heading "QUALIFICATIONS", followed by an explanation of why you would be qualified for this job. This will also demonstrate to me that you know how to follow instructions, which is very valuable to me. This may mean overlooking other applicants who are fully qualified but failed to follow this requirement.
Also, please keep in mind that while this is a single project, I am in the process of building a web brand and product, and will be looking to hire for permanent positions in the future.