Securing the API

[kratsg]

Here are a collection of thoughts I have for securing the API: use JWTs.

• for a guest user who is not signed in, they cannot access our API at all. The front-end will be challenged to generate appropriate signed JWTs sent to our backend API in order to access data. These tokens can be of the form

  {
  "scope": "guest",
  "ip": 0.0.0.0
  }

  The scope will let us know that these are users who have not been logged in. The IP will let us apply IP filtering in case of DDoS-type attacks through the website itself.

• for a user who is signed in, a UUID can be generated that is associated with their account. The front-end will be challenged to generate appropriate signed JWTs sent to our backend API in order to access data. These tokens can be of the form:

  {
  "scope": "general",
  "uuid": "123e4567-e89b-12d3-a456-426655440000"
  }

  This allows the API to associate submitted signs via UUIDs which give us effective anonymity(?) in a public-facing API. You can only identify who is associated with an action in the API by connecting the UUIDs with the user accounts in the front-end's database of users. The API would be capable of looking up signs based on a given UUID (as would anyone else).

• for a user who wishes to access our API programmatically, we need to provide a way for the user to generate a valid access token. This is the tricky part as we do not want to reveal the JWT secret that is shared between the API and the front-end. In this case, I suggest we use something like Auth0 to manage authentication/authorization for all of the above.

My guess is we can use Auth0 with a Third-Party Client (https://auth0.com/docs/clients/client-types#first-vs-third-party-clients) for the last two cases. For the guest case, we will let the website be a first-party-client. This allows us to use the same Auth0 application (our API) for 2 different types of users -- which helps to have something like Dynamic Client Registration.

Now with all that being said, since we use restify -- we can easily roll our own JWT validation solution (it's like maybe 20 lines) rather than using a node package like https://github.com/amrav/restify-jwt (which doesn't seem updated a lot).

A good tutorial that covered all of this is here: https://scotch.io/tutorials/building-and-securing-a-modern-backend-api

[kratsg]

Here's a list of pages from Auth0 that are going to seem related:

• Which OAuth Flow to Use
• How can a user access an API?
• Server API Authorization for non-interactive clients
• Implementing Client Credentials (might be useful)
• Server Client+API implementation introduction and example
• Verifying access tokens for custom APIs