Here are a collection of thoughts I have for securing the API: use JWTs.
For a guest user who is not signed in, they cannot access our API at all. The front-end will be challenged to generate appropriate signed JWTs sent to our backend API in order to access data. These tokens can be of the form:

```json
{
  "scope": "guest",
  "ip": "0.0.0.0"
}
```
The scope will let us know that these are users who have not been logged in. The IP will let us apply IP filtering in case of DDoS-type attacks through the website itself.
For a user who is signed in, a UUID can be generated that is associated with their account. The front-end will be challenged to generate appropriate signed JWTs sent to our backend API in order to access data. These tokens can be of the form:
This allows the API to associate submitted signs with UUIDs, which gives us effective anonymity (?) in a public-facing API. You can only identify who is associated with an action in the API by connecting the UUIDs with the user accounts in the front-end's database of users. The API would be capable of looking up signs based on a given UUID (as would anyone else).
For a user who wishes to access our API programmatically, we need to provide a way for the user to generate a valid access token. This is the tricky part as we do not want to reveal the JWT secret that is shared between the API and the front-end. In this case, I suggest we use something like Auth0 to manage authentication/authorization for all of the above.
My guess is we can use Auth0 with a Third-Party Client (https://auth0.com/docs/clients/client-types#first-vs-third-party-clients) for the last two cases. For the guest case, we will let the website be a first-party client. This allows us to use the same Auth0 application (our API) for 2 different types of users -- which helps to have something like Dynamic Client Registration.
Now with all that being said, since we use restify -- we can easily roll our own JWT validation solution (it's like maybe 20 lines) rather than using a node package like https://github.com/amrav/restify-jwt (which doesn't seem to be updated often).
A good tutorial that covered all of this is here: https://scotch.io/tutorials/building-and-securing-a-modern-backend-api