[Feature] Add an apiKey Parameter to all Back-End API Requests

elchris commented 4 years ago

User Story

This is in preparation for some future enhancements to the API allowing multiple entities to interact with it.

please add an &apiKey= parameter to all http requests to the API. If you wish to use an x-api-key header instead of a url parameter, that will work too.
obtain the value of the key from our 1Password > Engineering > "apiKey for rebuildblackbusiness.com front-end"
be sure to NOT insert the key in the source code, please load it up from a local .env file

Acceptance Criteria

[x] All calls to https://api.rbb-api.com now have an apiKey= parameters OR they send an x-api-key header
[x] The value of the parameter matches the value found in the 1Password vault
[x] The value of the apiKey does not appear anywhere in GitHub in this project
[x] The value of the apiKey does not appear anywhere in GitHub on any other project, including testing suites, please be sure to use .env files for those as well
[x] Production should be using the key marked as "for Production" in the 1Password secure note
[ ] Staging should be using the key marked as "for Staging" in the 1Password secure note
[x] Folks working doing local development on this project, when testing locally, should use the key flagged as "for Local Development" in the 1Password secure note

Is your feature request related to a problem? Please describe.

We are looking to open-up the API to certain parties, and we would like to start tracking all API usage to precise owners. The keys in this issue will be "system keys".

Developers will later-on be able to register their own accounts and manage their own keys.

Describe the solution you'd like

racedale commented 4 years ago

@elchris Is there a reason to send the API key as a Query Param rather than an x-api-key header?

elchris commented 4 years ago

@elchris Is there a reason to send the API key as a Query Param rather than an x-api-key header?

not particularly, i'm cool with x-api-key header. Some folks like to test and troubleshoot "GET" endpoints by "simply pasting a URL in a browser", but I do like the header approach because it's more elegant to implement client side.

So yes feel free to just use an x-api-key header and my implementation will know to look for that.

@racedale

mbifulco commented 4 years ago

Gonna spend some time on this today

Rebuild-Black-Business / RBB-Website