I'm working for a project which has multiple microservices. For Ex: AuthenticationService (Only to get authentication token), UserService(Get All Users with token), InventoryService(To get the inventory data with token) etc. GraphQL API Gateway is used to get the token or inventory. Now when i want to get the list of the inventory which is based on user then i'm not sure that whether i should use RabbitMQ or Axios API Call.
I'm sharing 3 diagrams. Please help to get the some clarity.
Image 1:
Image 2:
Image 3:
I personally used image one in our project, because for contacting internally you don't need to pass requests through the gateway.
use the api gateway as an endpoint of your application.
I recommend using #golevelup/nestjs-rabbitmq npm package because it is easy to use.
if it is useful plz vote up :)
Related
I want to build a project where a user will be able to press on a button to authorize my platform to access their data (e.g shopify data). When my platform has access (to their shopify platform) it will send that data to my database.
My questions is:
In order for my rest api to access the data (from e.g shopify platform) i have to give the rest api the api key of the user which is simple if it a single account, but when i have multiple users using the same rest api how should i handle it? How can i give the rest api the access code so it can pull the data (from e.g their shopify platform) for each user? What is the name of the technology that needs to be considered here?
I am a built lost on the terminology of my question which has given me a bit of a headache when trying to google it.
First off, you create an App that Shopify approves, and then your merchant customers would install this App in their store. That approval process by both Shopify and the merchant means you are given permission to access their Shopify data.
Next, you create some value by allowing the merchant to see their data in ways unique to what it is you are doing. So far, your database contains nothing but the name of the store and the access token with permission to access the Shopify API.
How you then proceed in your own App is up to you. Not much else to it really, if you already know what your value add is. Code that part up and you're done!
Throughout my career, I've relied on and used various API services in my project. I saw multiple mechanisms of how these APIs are secured, but most common one seems to be via API Keys.
I am now planning to build out my own API service and being unfamiliar with security part of this I had few questions:
So far, what I gathered is to do the following: Create API key, store it's hash in db, only show api key to user 1 time, check for api key in requests and rate-limit based on it.
But above raises one concern, if someone was to inspect customer website they could easily get this api key (if customer is calling api directly from their front end) and abuse it, correct? This can be done in form of constantly hitting rate-limits or sending bad data to customers dashboard.
I feel like I am missing few key parts here and would appreciate if someone could outline best practices of how this is done nowadays in NodeJS. Thank you.
EDIT: Users of such service would be developers utalizing this API in their product
I began to develop an online store website with html, css and js, I use Firebase as backend. Then came up the payment part, I want to use Stripe for that, and it turns out that I have to use Node.js to manage that payment part. (or any other server technology)
I have to say that I'm very novice in back-end (and stripe) and the idea was to get rid of that part (the reason why I use Firebase) except that the payment part requires it.
My question is:
Is it enough to use Firebase only as a backend to manage the payment part with Stripe?
If no,
can I use node.js(express framework) just on the payment page and not extend it to all the other pages with those routing things? Or do I have to deploy it on the whole website?
Thanks.
There is a Firebase Extension that is built by Stripe and states:
Use this extension as a backend for your Stripe payments.
It makes use restricted API keys so you have granular control over what records can be created/read/updated by the extension.
I think that sounds easier that trying to work out an Express app for a single payment page.
In order to restrict actions to specific tokens I need to check if a request made to my api is made from an frontend or backend application.
I want to implement the same behavior like Stripe. Using a secret key on client side will result in an error.
So is there a safe way to check this?
The answer could be through the User Agent, but in fact there is no exact way to identify and differentiate whether a request came from a browser or from another API for example, as it is possible to manipulate the User Agent.
Well-behaved "bots" (like common search engine spiders) will identify themselves using a User Agent specific to them.
I am developing a crypto portfolio app with Ionic 5 at the moment and I came across following problem:
I created an API with express.js, which communicates with the APIs of coingecko and binance via the npm packages coingecko-api & node-binance-api.
One of the main functionalities of the app is to see recent trades and the profit of those, so you have to connect to your binance account. At the moment the API Code & Secret is stored directly in the api, but I want that the users enters these on the initial start of the app - but now the big question is: Where do I safely store the key and the secret? I do not want to take any risks.
Do I send them once to the API and store them in a database with a userid?
Do I send them to the api every time I want to reload the trades and only store them on the specific device?
Or is there a way I can check the permissions of the api details and if this api key is allowed to place orders and if not, the app accepts it otherwise not (that would be the best way, but i don't know how to check it)
Also I came up with the idea that the app communicates directly with the api of Binance, without my api as a 'middleman' but I don't think that's the way to go.
Thanks in advance for the help :)