Implement API key solution for Sail.js - node.js

I want to make an option such that I can issue 3rd part developers access to my data and to do so, similar to the following: https://docs.sharedcount.com/, I want to create a system wherein those developers are provided an API key for which the consumption count can be monitored
Came through Waterlock but does not look like it has this feature: http://waterlock.ninja/
Curious, what would be the best approach to implement API keywords for a Sail.js app?

Sails makes this incredibly easy by use of policies. When a user signs up, assign them an API key, and then create a policy that checks the params for a valid API key -- i.e. req.param('APIKey') -- and deny access if one is not found.

Related

How could I secure this API?

I'm building a full-stack application with Next-JS. I'm building an API that works with Firebase. I was wondering if there is a way to make this API secure.
Let me elaborate. There is an option to your account called Premium. This variable is stored in the Firestore and will determine if you have purchased a Premium membership. This will determine whether or not you have access to certain features. I will use an API to change this variable.
I had the following in mind:
Have a button on the page to upgrade account.
Button pressed? Call to the API with the following params: email, upgrade to. This is because the same function can also be used to downgrade an account, for example when the user doesn't pay for the upgrade.
That API function changes the variable in the Firestore. It returns a status and a message.
I want to make option 2 more secure because otherwise, it would allow anyone to change the premium variable. That is obviously not what I want. Is there anything I can do about that? For example, a token system, the thing with that is that I have been thinking about that and I don't really know how to implement that and how it would work exactly.
For anyone wondering why I am using an API: I will also be creating an app, probably with react-native. The user will also be able to change their account status and interact with the API to do other stuff in that app.
Thanks for reading and responding! I hope this is at least a bit clear. If you have any questions, please comment them.
I do similar things in my app. I use Cloud Functions (which operate in a secure environment) to both save settings in Security-Rules -protected tables, as well as setting Custom Claims in the users Auth profile. All authorizations are then verified in the Cloud Functions before any changes are made - You may need to "seed" some values in a protected collection/document from the Console to get the process started.

Using Azure API Management service, is it possible to have 2 different Authentication approaches in place?

For example, Is it possible to have the native subscription based authentication and OAuth2 such that either one of these can be used for authenticating any given request?
At present, I have subscription based approach on the API frontend, but am interested in moving to OAuth. Id like to however keep clients who have been configured to use the subscription based approach unchanged if possible.
perhaps the answer is that , I must stick to 1 and only 1.
But feel this is worthwhile to ask since perhaps others may start with subscription based approach, and interested in moving towards an alternative.
Once solution I feel might be to create a seperate API front end for OAuth2, which points to same backend. That would satisfy the problem. However, Im hoping to keep the same api frontend. If that makes sense.
I don't think it's possible since if you won't pass the subscription key or pass an invalid one it will deny the request.
What you can do is use versions, so let's say v1 uses subscription key and v2 uses another authentication mechanism. So in summary, you'll duplicate all API's, but for v2 you won't assign a Product (won't require the subscription key).

WSO2 APIM How to limit user to execute only in sandbox

I want to publish my API, but I want to limit so users can only execute in sandbox environment (I want to limit production to specific user/customers with specific agreement).
This is a basic functionality in other API managers, but I don't find how to do in WSO2.
I have found this article in Medium, and also noticed that when I create an aplication, a couple of new roles are created (Application/user_application_SANDBOX and Application/user_application_PRODUCTION), but I don't find how to use them.
Deep dive in doc doesn't helped me.
Option 1:
You can use application registration workflow to control key generation for production and sandbox, by sending it through an approval process.
If you want to automate it based on a property or something, you can write a custom workflow extension.
However, this is applied to applications but not to APIs. That means if you allow generating prod keys for an application, all APIs, that the application has subscribed to, are accessible with prod keys.
Option2:
If you want to do this in API level, you can write a custom mediation sequence. Within the custom sequence, you can read the key type (i.e. production or sandbox), subscriber, enduser (if required) etc. and decide whether you want to allow the request or not.

algolia search security on the client side

I am using algolia search for a prototype and trying to figure out how to have security implemented (only users with account, can have ability to update/create and index)
Application has no back end and uses firebase and firestore only
I am planning to implement google authentication in it
Now the question is how to implement security for algolia without the back end
I have read in algolia documentation that API keys can be generated for users, but then how to make sure they don't leak and how to generate them automatically when users login for example
I have limited knowledge related to cryptography, API keys and handshakes so i do not have any clear view of how this should be done without back-end
Anyone came across similar issues and/or ways to tackle this?
Always use "Search-Only API Key" for the client side. And for security, you can generate new "Search-Only API Key" and kill the old keys ( you can automate this key generation using the Admin Key)
We recommend to use Search-Only API Keys for keys that are gonna be exposed on front end side.
However, if you need to provide user-specific keys to let your own users interact with your Algolia indices, you could probably benefit from our Secured API Keys that can be generated on-demand via the backend (not sure it could fit with your use case though). Here is the official documentation for this feature: https://www.algolia.com/doc/guides/security/api-keys/#secured-api-keys.

Include Google Maps API Key in open source project?

Is it okay to put your Google Maps API Key into your source code and publish it?
Others could take it and misuse it, but I don't want every developer / user to get their own API key and type it in somewhere. If the owner of the key is responsible, should I create a new google account for the project? (The project is a desktop application in Objective-C and a small developer tool.)
What would be the best way to make this convenient?
I don't think it's legal, but even it were, it's technically impossible, because the Google Maps API Key is tied to your domain name. Google will check the referrer of the HTTP request to validate the key.
The key isn't secret anyway: simply viewing the source of a website using Google Maps reveals the API key.

Resources