Best practices for securing NodeJS API created with Swagger - node.js

I have created an API with NodeJS and Swagger that works well, but anybody can call it and I want to restrict it to the users that have a valid API Key. Are there any best practices that I need to use for securing the API? Just adding the api key in the request? Generating a token and adding it to the request header?

That makes oauth is born.
Look at https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

Related

How to use Next-auth credentials provider with eternal API

I worked with Next-auth before but I also used the built in next API feature. When used with next API, I can protect my APIs. The problem is now I am using an external node.js API. The token is created in the front end and this leaves my node API endpoints exposed. Is there something I'm missing here? How should I do this? Or tell me if there is a better way. Thanks a lot!
You should not generate any JWT tokens in the frontend as that is way to insecure. Better to work if a dedicated and separate authorization service that generates the token for you. Either you host one your self or use a third party solution like Auth0 to generate the tokens for you.
Today more and more moves towards using the BFF pattern to further secure their SPA applications.

RESTful API with Users and Authentication via Google OAuth2?

I'm kinda new to backend development and wanted to start by creating a small API with authentication and authorization that could function as an API for a blog for different frontend implementations.
I set up an API with ExpressJS and MongoDB and created a working API so I can post blog-posts, retreive all or single blog posts, etc.
Now I wanted to add Authentication and instead of using JWT or something, I thought, it could be cool to have my users sign in via their Google-Account to post/delete blog posts, etc. Does that even make sense? I hope it does because in my head it should not differ too much from using JWT for example.
I added passport.js and it's google-oauth2 strategy.
I'm already able to create users by signing in via google, but my problem lies in the way to authenticate correctly for login and subsequent API requests.
Would I use the access- and refresh-token that I receive back from google for that? At least thats what I first thought of.
But how would that work? And next up: What if I wanted to add another way to authenticate? For example JWT or maybe Facebook-OAuth? Wouldn't that cause some issues when trying to protect my API routes because I would have different ways of authenticating (and what kind of middleware would I use then for my routes?)
I hope I made my problem clear :)

Access cognito related operations in server-side

According to my use case,
I want expose a REST api(auth micro-service) that allows users to signup, sign in and do basic auth operations. So basically when a client calls /auth/login endpoint with username, password server code should authenticate user against Cognito and send response back to client with JWT(access token). Rest api written in Node.js.
I have gone through various docs but I am only seeing examples of using the frontend/mobile SDKs to accomplish this. Is there a better way to accomplish this? or can use existing javascript SDK in Node.js to achieve this?
Thanks!

protect my API from being used by others

I am writing a mobile app, and its corresponding RESTful API in NodeJS.
Is it possible to make my RESTful API only usable from my app?
I have done some research, and found posts like this. But it is kinda irrelevant to my needs.
I think the simplest thing will be to hardcode secret key in your application and send it with each request. Also use ssl to protect this key. The only way to get it then will be reverse engineering of your app.
You also you can use bearer tokens, something like OAuth and OAuth2.

Best practices to implement client-server authentication

I'm looking for an best practices to implement client-server authentication (local + social).
Right now I'm developing backend & frontend separately. Earlier I did auth by next flow:
Sign in -> receive token -> call api
I need find a way to add token into blacklist also.
Tech stack: node.js (sails)
front-end: angular
Also front-end app should be available to call api of multiple servers. That means front-end app should sign in only once at main server and be available to call another api's.
I'm opened for out-of-box solutions.
If you are using JSON Web Tokens (JWTs) as your token: you can put a unique, random value as the jti claim in the token. You store these jti values in your database and use them as your blacklist.
If you would like to read about JWT best practices for Single Page Apps with APIs, please see a blog post I've written on this topic: Token Based Authentication for Single Page Apps
Regarding out-of-box solutions: I work at Stormapth and we have such a solution in our Stormpath Angular SDK.

Resources