I have a very simple node.js app built on express which has been handling authentication using a session memory store. Basically a user logs in by:

app.post('/sessions', function(req, res) {
            // check username/password and if valid set authenticated to true
        if (authenticated){
            req.session.user = req.body.username;
                } ...
});

Then in each call from the browser a requiresLogin middleware function is called which checks to see if that user property on the session has been set.

I’m now transitioning the app to basically just provide a service that may or may not be consumed in the browser, so instead of using cookies/sessions, I’m considering changing the system so that one would post to /getToken (instead of /sessions) which would return a temporary random token associated with a user’s account that could then be used for a period of time to access the service. Using the service would then require a valid token to be included in each call. (I assume this would be better than passing the username/password each time so that the password would not have to be stored in memory on the client’s computer after the call to get token?)

Would such a system basically be just as secure as the above current system or Is there a much more standard/safe way to handle this? What’s the standard way to handle something like this?

Thanks in advance for you help!