I am trying to wrap my brain around building an express.js / node.js based REST API. I have a couple of questions...
Do I NEED token based / oauth 1 or 2 security for my api if I'm only concerned about a web application right now (not necessarily phone apps)
Are there any resources to learn how to build this from scratch? I've read literally the first 3 pages of googling "rest api with oauth2 authentication express.js" and i'm still not grasping it.
Its good that you want to do a REST API in node. Its really good in building API based request.
For your question:
1) If you are building just a basic API, with simple GET and POST requests, then you might want to ask yourself if the data that you are displaying or manipulating requires "security". If not then most likely, you don't need to implement OAuth.
But if your data is sensitive, such as private user data, then you need to put some sort of security layer on your API. Also, using OAuth or other token based security can help you build a better permission checking across your user base.
2) You first need to grasp the concept of OAuth. Once you have the idea of how OAuth works, then its really easy to implement in your chosen language.
Here are some good reads on how you can understand OAuth better
http://www.slideshare.net/MindfireSolutions/oauth-and-rest?qid=09a7d224-78bb-4b47-8957-3f0a0ce809a4&v=qf1&b=&from_search=3
For more detailed info about OAuth: http://tools.ietf.org/html/rfc6749
Again, once you understand the workflow of OAuth, you can implement it easily. :P