Context
As of today, the API is NOT secure at all. The main pain points are: the API is open to anybody, an application needs no credentials to use it, and users cannot choose which permissions they grant to an application. To fix these mistakes and give all applications and users secure access to data, we should implement the current standard for API authorization, namely OAuth 2.0.
Steps
These steps are required before the API can be considered safe to use and protected against malicious users:
[x] Create an application model with public and private keys
[x] Create an application for the frontend, and attach its keys to requests made through the proxy route
[x] Mount the public and private keys as environment variables on the server side of the frontend
[x] Pass these keys with every request to the backend
[x] Close the API so that it can be used ONLY by authenticated apps
The API is now accessible only to registered apps
These steps are required for OAuth 2.0:
[ ] Isolate the login and registration forms into a separate application
[ ] Add the rights-granting form for applications that do not have an implicit grant
[ ] Give the frontend application an implicit grant in the database
[ ] Store the remaining application data (redirect URIs, etc.)
[ ] Embed the registration and login forms in the frontend as an iframe
[ ] On successful login, redirect to a page that stores the authentication token in localStorage
[ ] Add a mechanism to renew tokens once they have expired