How do I handle a third party API callback in NodeJS? - node.js

Question
A NodeJS server is called by a client. This causes a further call to be made to a 3rd party API. The API then asynchronously calls-back to the NodeJS server. How do I make the client aware that the asynchronous callback has completed?
Details
I have an NodeJS server with these two routes (code is coffeescript):
app.get '/security/login/application/authorise', ->
applicationService.authorise()
app.get '/security/login/application/callback', (req, res) ->
applicationService.login req, res
The first route is called by my AngularJS client. Its purpose is to authorise the client and allow it to start-up (users will sign in later). The authorisation process involves making a call to a third party security API.
The security API does its thing and then calls-back to the NodeJS server via the /callback route shown above. The information passed to the callback allows a further call to be made to the API that determines if the original authorisation request will pass or failed.
The problem is that call to the first call to the /authorise route is, of course, asynchronous and so returns to the client right away. The client is then left in limbo, not sure if the NodeJS server has authorised it or not.
Please note that I cannot just nest these calls (imo) because the first call to the API simply returns 200 OK regardless. The process only continues when, sometime in the future, the third party API starts a new conversation by calling back into the NodeJS server via the /callback route.
Options
It seems I have a number of unpalatable options:
Stay Asynchronous. Return control to the client and then have the client poll the server, presumably with some unique, temporary 'callback-id', to determine if the callback has been completed.
Go Synchronous. Block the return with a hacky loop of some sort. Maybe promises can clean this up a bit somehow.
Go Bidirectional. Use sockets to allow a push notification from the server (but what about old browsers like IE8, which I have to support).
I think I have probably over-cooked this problem and the solution is most likely easier than I imagine. Your help would be gratefully received.

Related

How to process Callback from API POST NodeJS

I am using this API Function
https://developers.cryptoapis.io/technical-documentation/wallet-as-a-service/transactions/create-coins-transaction-from-address-for-whole-amount
And a NodeJS back end with an Angular Front end.
I cannot figure out how the Callback in that functions POST works, It requires a domain setup and then for a JS function to take the post in but I cannot figure out how to do that.
Could someone please advise how to work with an API callback function like that
it looks like you would need a route on your NodeJS server that this service ( cryptoAPI ) could call - so like (needs to be HTTPS) https://yourDomainTheApiIsHostedOn.com/callBack
The documentation does say it will only fire when the create coins function is called. The call back URL also will have some info so you can verify the HTTP traffic is really from them
The callbackSecretKey can only be generated by the customer. It is used to create a unique hash string in the x-signature response header in the callback request sent from Crypto APIs 2.0 when the event occurs.
The domain verification is basically a process for cryptoAPI to ensure that you own that domain which is hosting your API
Documentation is here:
https://developers.cryptoapis.io/technical-documentation/general-information/callbacks#callback-security

Implementing "side effects" in Express routes?

I'm looking for some advice on how to achieve something the "proper" way in Express.
When routes on my API are hit, I need to send a bunch of "side-effect" data to all clients via a websocket. All the websocket stuff is done and working, my question is mostly conceptual. So, for example, a POST is made to /message, after the route controller has handled the request and sent a response, I need to send some updated data regarding other data models via websocket to all clients.
I could, of course, just send the WS message from the route controller, but that feels haphazard and unstructured. I'm sure there must be a "proper" way to do it! I did wonder about creating a middleware that runs after the route controller that either examines the request and sends the appropriate updates, or takes something passed from the route controller and uses that to determine what to send. Does anyone have any suggestions?
Thanks!

HTTP Calls integration pattern- Making HTTP calls directly from Javascript vs Axios vs Node, which is more secure?

A novice javascript developer here!
A have a basic question on whats the best and secured way to make HTTP calls from a front application to a backend service that needs an authentication. My application is a SPA (using Vue.js) & getting data from Java services. Java services need authentication details and return sensitive user data.
I see there are a few options and I wanted to understand a better approach amongst all 3-
Making direct HTTP calls from javascript code- Concern for using this approach is, as Javascript code can also be viewed via dev tools in browser, wont it be easier for anyone to do an inspect and view all critical authentication details hence making overall integration less secure?
Making an HTTP call using Axios via Vue framework- Seems like Axios is Promise based HTTP client for the browser that lets you easily make HTTP calls without much code overhead. but is this secure? is Javascript code loaded in the browser? Or the front end code sends the request and axios makes the request from backend server where the application is hosted?
Using Node- If front end application has unique routes configured for each API call and in my application if I have a route mapping to use request module and node js backend code to make those HTTP calls, is that going to be a robust and secure way of integration?
Please let me know your thoughts and apologies if this is a dumb question!
Not dumb at all. You're just learning.
My first question to your answer 😅 will be: is your application server-side rendered or it's sap + backend?
If it's server-side rendered then I would say it's secured since Node will be sending pages with all required data. On the dev tool, you will only see static files being loaded.
However, if it's SAP, I am not sure whether there is a way to hide whatsoever you send to the server from the dev tool. The only one thing you will need to do is to make sure you encrypt whatever is sensitive to your application.

OPTIONS Preflight request executes POST's code - is that standard?

If I understand correctly, a preflight OPTIONS request is sent as a way of asking "what's allowed here?". Then, once the response comes, if allowed, the calling site sends the POST request (or GET but in my case it's a post). I have figured out that, at least with Azure Function Apps, the OPTIONS request is executing the code that I expected only the POST to execute. I believe this to be the case because once I added some null checking (since the OPTIONS request doesn't have a payload in the body) everything worked fine.
I'm wondering if this is standard.
Seems to me that if I had written the API without using Azure Function Apps, I'd have the OPTIONS request sent down a path that would set the appropriate headers and return a 200 response. And the POST request would be sent down a different path that would expect a payload in the body. If that's how it usually works then that means I've just found an idiosyncrasy of the Azure functionality. But if not it means that I have something to learn about the OPTIONS preflight request.
Thanks in advance for your advice.
Denise
As sideshowbarker mentioned, the OPTIONS request is sent automatically by the browser to check if the cross-origin request can be made.
In case of Azure Functions, this will handled by the Azure when running in the cloud.
If your function is being triggered, that would mean that you have "options" as a supported method for your HTTP Trigger
In the HTTPTrigger attribute for C# functions
In functions.json for non-C# functions
If you want to customize the CORS responses and/or running functions in a container, you could always include "options" as supported and respond differently when the incoming HTTP method is OPTIONS.
Also, if you are using Azure API Management with Azure Functions, you could offload CORS handling to it instead or even use Functions Proxies as shown here.
Thanks y'all! Sorry I was unclear. And sorry it took me a while to get back. Things have been a bit crazy on this end.
Yes, the function being called is mine. And now I understand the browser doesn't have much choice as to whether or not it makes the OPTIONS call.
And yes, I could make my Azure function handle an options call differently and thanks for that suggestion too. That's sort of what I ended up doing but basically I did it by handling an empty payload. I didn't follow that best practice originally because I thought any valid request would have a payload. Accordingly, any request that did not have a payload was invalid and should be turned away as a failure of some sort. This was before I knew that the OPTIONS call was actually executing that function.
My remaining question is if I had NOT been using Azure... if I had rolled my own solution and hosted it somewhere, I'd have a class or at least methods that handle calls to this particular API. (This is something I'm new to so bear with me if my terms aren't quite right and please do correct me). So if I'd done my own API, I'd have one method to handle a POST call and a different method to handle an OPTIONS call, wouldn't I? And the method that handles the OPTIONS call would return information about what's legally do-able with this API. And the method that handles a POST call would handle the payload sent with it. And the method that handles the POST wouldn't get executed when an OPTIONS request is sent. At least that's how I figured it would work. And that's my question -- is that how it's done when not letting something like Azure handle some of the infrastructure?
I'm just trying to learn if the OPTIONS request executing a POST's function is a standard practice or if it's some kind of idiosyncrasy to working with Azure functions.
Thanks again for the advice and for helping me understand these questions.

How to create a stream of response from an API request in Node.js?

I have been using the asynchronous abilities of Node.js from quite some time now. But I am stuck on an interesting problem. Basically I have 2 API's that I need to call one after the other. Due to the asynchronous nature of Node.js I cannot retrieve the response of the first API request till it has finished and the respective callback function is called.
What I want to do is that I want to pass the response from the first API as request payload to the second API on the fly and not wait till the first API gets fully completed.
As a possible alternative, should I switch from building rest API to stream APIs?
Any pointers on how to do this?
Thanks
Yes, converting REST API'S to stream API is a better option. Node.js is known for its asynchronous behaviour. Because of the same all REST api's function in the same manner as you described earlier. As someone has previously pointed you could look at the Twitter Stream API for reference.
For more understanding you can check out this link - How to create a streaming API with NodeJS

Resources