We have a Meteor app and an Express app. Both apps are using the same database.
What is the right strategy to use authenticate a call to the REST api with the currently logged-in user?
Note: those are 2 separate apps so using WebApp.connectHandlers is not an option
I guess that Express is serving the REST API and you want to access this REST API via the Meteor app?
In this case I would use the Meteor server to generate a special token using this library:
Both servers would know the same “secret”, so Meteor can create the token, and the Express app can validate it. As the token payload, you could use the user id, which would be transferred openly as well, as part of the URL or as part of POST data. The receiving server (Express) uses this user id in combination with the token to validate the latter. This ensures the token has been generated by the user in question.
(This approach works even without a shared database, because all both sides have to know is the secret and the user id. Which also means that you don’t have to query the user record from the database for validation purposes when processing the REST request.)