There's an external REST api that I'd like to use, but they don't offer a websocket api so I was thinking of making one myself using their REST api.
What I was thinking of doing is creating a websocket server, then making a GET request to the REST api every minute or so within that server, and then send the response to my frontend using websockets.
Is there any reason this wouldn't work, or is there a better way of accomplishing this?
Related
I've developed simple REST API using a expressJs. I'm using React as my client side application. So the problem is anyone can see my API endpoints because of react app is in client side. So they will also able to make request and fetch data from my REST API. (May be they will build their own client side apps using my API.) I've seen some question about this and couldn't find any comprehensive answer. How these kind of a security problem should be handled? Is it possible to give the access for API to only my client app? If not how huge brands that using REST API prevent that? (Also I don't have a user authenticating scenario in my product as well. People can just visit and use the website. They don't need to register).
Authentication can be a way but it can be bypassed. Another way is you can create a proxy server which strictly blocks cross origin requests, hence it blocks requests from other domains to make request to your API, and you can make your API call from that proxy server. In this way your API server endpoint will also be not compromised.
If, as you state in your comment, this is about users on your own website being allowed to use your site's API, while disallowing off-site use (e.g. other websites, wget/curl, etc) then you need to make sure to set up proper CORS rules (to disallowed cross-origin use of your API) as well as CSP rules (to prevent user-injected scripts from proxying your API), and you also make sure to only allow API calls from connections that have an active session (so even if you don't want user authentication: use a session managemer so you can tell if someone landed on your site and got a session cookie set before they started calling API endpoints).
Session management and CORS come with express itself (see https://expressjs.com/en/resources/middleware/session.html and https://expressjs.com/en/resources/middleware/cors.html), for CSP, and lots of other security layers like HSTS, XSS filtering, etc, you typically use helmet.
I want to request data from an external graphql API from my client. I have to make the request to my server first and from there proxy it to the external API. What would be the best way to do this, is there maybe a package that does this for you ?
My research has lead me to something called gateways , whats the difference between a gateway and a proxy?
When do i need which?
I am planning to develop a mobile app which will retrieve data from a node.js REST API but also needs an integrated realtime chat with groups up to 12 people. How should I develop the backend in this case? Build everything with Websockets, including simple data communication or using both a REST API and Websockets?
I already developed an app with a REST API which later got a realtime chat with socket.io but using both feels wrong to me (especially when you use a PHP REST API and node.js for socket.io :D).
What would be the best practice in this case?
I'm building an externalized API for developers who want to develop their own app based on our API. Here is my question; the API provides the ability to let other developers make external requests to our server, but should we handle the same request in same route for local and external request for same function?
For example:
we have a login route in API /api/v1/login this route provides the ability to make login request to this API in other site but when our local site want to let user login should we use the same path /api/v1/login or we should make another route for local request /auth
Is there any security issue if using the same route for the external request?
The main security issue would be that there wouldn't actually be a difference between your external API and your "local" API. If both are using the same paths to do the same things, and are using the same backend functionality to do so, they aren't different. This isn't really a security problem so long as you are still properly controlling API access appropriately, i.e. through API keys, though your client would have to use those same access controls.
We are currently working on a nodejs application which hosts API's (includes both get and post HTTP methods). These server API's in nodejs server are individually accessible or allowed to be called. Like /api/login (login api) is allowed to be called directly from clients.
Next, I want to introduce a service broker API which should be entry point to all API calls from client side. So, any client calling a specific API such as /api/login should go through service broker and then service broker should re-direct to requested API based on the specific service details as sent by clients.
Thereby, all clients should only be able to call only one API (i.e. broker service API - /broker/service). So, all requests from clients should first hit service broker API and then service broker should redirect to appropriate API's based on the input parameters passed to service broker from clients. Input parameters could contain the API URL and input data.
Currently, I'm able to connect directly to individual API's from clients. But, now I would like to introduce a new layer namely service broker and that broker service should decide which API the request should be redirected along with input data (sent from clients).
Note: Both broker service API and other functionality specific API's are hosted under same domain. So, there will not be any CORS issue. We are using "express" node module for handling HTTP API requests.
My initial question is whether this requirement can be achieved?
If yes, then can we perform internal redirection of API's in node server?
Can this be achieved with express node module?
Please help me in this regard.
If you really wanted to go this route, you could do something like this:
app.get('*', function(req, res){
the_route_passed = req.originalUrl;
//handle all of the routes here in your api function call.
});
What this will do is for every single route passed from the front-end will go through your function, and then you can grab the route that was passed req.originalUrl will be like /api/users/230 for user 230. Then you'll need to parse the route or however you want to do it and pass it through to your service broker.
This would be the best way to deal with not having to change anything on the front-end if you are already using Routing. The other way which might be better in the long run:
Send JSON on each request and configure it however you want, and then when you receive it you can figure out all the routing from the JSON request on each go. You'd have to rewrite all routes on the front-end to do this though which might be too much work.