
I am currently working on a chatbot for Facebook Messenger. I am working with the Microsoft Bot Framework and the code is written in Node.js.

I am interacting with a database through an API. With every request I have to pass an access token inside the request header. I have read on the internet that you would usually store such a token inside a cookie or web storage. However, I also found out that you can't do that on Facebook Messenger. I was thinking about storing the access token inside a variable, but my concern is that this might not be secure. Is there any other secure way to store the access token?

I am fairly new to Node.js and it is my first time working with tokens. Help is much appreciated.

3 Answers


  1. You can use session.userData to hold your database token. If you are concerned about it being secure, then encrypt it before saving.

    session.userData.dbtoken = encryptToken(token);
    

    The token can later be retrieved and used when you need it:

    var token = decryptToken(session.userData.dbtoken);
    var databaseData = getUserDataFromDatabase(token);
    

    https://docs.botframework.com/en-us/core-concepts/userdata/

    Or, use a local database like NeDB: https://github.com/louischatriot/nedb This would be the most secure option, since the database would reside on your server.

  2. Assuming this token does not change, you can store it as an environment variable, say TOKEN, and access it in your Node.js app as process.env.TOKEN.

  3. I would suggest using express-session, for the following reasons.

    Create a session middleware with the given options.

    Note: Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.

    Note: Since version 1.5.0, the cookie-parser middleware no longer needs to be used for this module to work. This module now directly reads and writes cookies on req/res. Using cookie-parser may result in issues if the secret is not the same between this module and cookie-parser.

    Warning: The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.

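The first answer calls encryptToken and decryptToken without defining them. The following is an added example (not code from any of the answers) of one way to write them with Node's built-in crypto module using AES-256-GCM; the TOKEN_ENC_KEY environment variable, the extra userId argument and the sample values are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: a 32-byte key, base64-encoded, is supplied in the hypothetical
// TOKEN_ENC_KEY environment variable. The random fallback exists only so this
// example runs stand-alone; blobs made with it cannot be read after a restart.
const KEY = process.env.TOKEN_ENC_KEY
  ? Buffer.from(process.env.TOKEN_ENC_KEY, 'base64')
  : crypto.randomBytes(32);
if (KEY.length !== 32) throw new Error('TOKEN_ENC_KEY must decode to 32 bytes');

// Encrypt a token for storage. userId (an assumed extra argument) is bound as
// additional authenticated data, so a blob copied into another user's record
// fails authentication instead of decrypting.
function encryptToken(token, userId, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(userId), 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Storage format: base64(iv).base64(tag).base64(ciphertext)
  return [iv, tag, ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt a stored blob. Throws if the blob is malformed, was modified,
// was encrypted under a different key, or belongs to a different userId.
function decryptToken(blob, userId, key = KEY) {
  const parts = String(blob).split('.');
  if (parts.length !== 3) throw new Error('malformed token blob');
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed token blob');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(String(userId), 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed stand-in for session.userData, with constructed sample values.
const userData = {};
userData.dbtoken = encryptToken('constructed-sample-token', 'user-123');
```

The encryption key has to live outside the stored user data (for example in the server's environment, as the second answer does for the token itself); otherwise the encryption adds nothing.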