How to make sure that only a specific domain can be requested from your REST api?

I have an application that has a REST API. I want the only requests that can be made to the REST API to be those that come from the application itself. How can I do this? I am using a node.js + express server.

EDIT: The app is a fully open-source web application.

+6
3 answers

Just set this header in your response; what it does is allow requests only from a specific domain and instantly reject any other domain.

response.set('Access-Control-Allow-Origin', 'https://domain.tld'); // the value is an origin, so it includes the scheme

EDIT: IF you are really interested in using web clips, you can write a function to double-check the client's origin.

 // The Origin header carries the scheme, e.g. https://your.domain.tld
 function checkOrigin (origin) {
   if (origin === "https://your.domain.tld") {
     return true;
   } else {
     return false;
   }
 }

 /* Handling it in the response; Origin is a *request* header */
 if (checkOrigin(request.headers.origin)) {
   // Let client get the thing from API
 } else {
   response.write("Send them error that they're not allowed to use the API");
   response.end();
 }

The example above should work for the default HTTP/HTTPS module, and should also work for Express, if I'm not mistaken.

EDIT 2: To back up my claim that it should work for Express as well, I found this quote in the documentation:

The req (request) and res (response) are the same objects that Node provides, so you can call req.pipe(), req.on('data', callback) and everything else you would do without Express.

+1
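As an added example (not code from the answer above), here is the origin check that answer sketches, done with an exact-match allow-list and the headers a browser expects back. The origin value, `ALLOWED_ORIGINS`, `isAllowedOrigin`, `applyCors` and `mockResponse` are this example's own names; it works on plain `http` req/res objects, which, as the quoted Express docs say, are the same objects Express hands you. The caveat worth keeping in mind: browsers enforce CORS, servers only advertise it. A non-browser client can send any Origin header it likes, or none, so this decides which web pages can call the API from a browser and is no substitute for authenticating the caller.

```javascript
// Added example, not code from the answer above. Exact-match Origin allow-list
// for a Node HTTP/Express handler. CORS is enforced by the browser, not the
// server: a non-browser client can send any Origin header (or none), so this
// controls which web pages may call the API from a browser, nothing more.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // constructed placeholder: the app's own origin
]);

// A browser Origin is "scheme://host[:port]". Compare the normalised origin as
// one string; substring/prefix tests ("example.com" somewhere in the value)
// also match hosts like app.example.com.evil.tld, so avoid them.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === '') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null" (opaque origin) and malformed values end up here
  }
  // URL#origin lowercases the host and drops default ports, so
  // "HTTPS://App.Example.com:443" becomes "https://app.example.com".
  return allowed.has(parsed.origin);
}

// Returns true when the handler should continue, false when the request has
// already been answered (rejected, or a preflight completed).
function applyCors(req, res, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  // Same-origin and non-browser requests carry no Origin header; CORS does not
  // apply to them, so they fall through to the API's own authentication.
  if (origin === undefined) return true;
  if (!isAllowedOrigin(origin, allowed)) {
    res.statusCode = 403;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: 'origin not allowed' }));
    return false;
  }
  // Echo the one allowed origin instead of "*" (needed for credentialed
  // requests) and add Vary so a cache never serves one origin's answer to another.
  res.setHeader('Access-Control-Allow-Origin', new URL(origin).origin);
  res.setHeader('Vary', 'Origin');
  if (req.method === 'OPTIONS') { // preflight
    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization');
    res.statusCode = 204;
    res.end();
    return false;
  }
  return true;
}

// Minimal stand-in for http.ServerResponse so the logic can be exercised
// without opening a socket.
function mockResponse() {
  const headers = {};
  return {
    statusCode: 200,
    ended: false,
    body: '',
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
    end(chunk) { if (chunk) this.body += chunk; this.ended = true; },
  };
}
```

In Express this is `app.use((req, res, next) => { if (applyCors(req, res)) next(); })`; with the bare `http` module, call `applyCors` first thing in the request listener and return when it yields false. Whatever the outcome, the API's routes still need their own check of who the caller is.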

I would recommend using an API key from the client. CORS filters are too easy to get around.

0

A simple approach is given in How to implement a secure REST API with node.js.

Overview at the top of the post:

Since users can CREATE resources (via POST/PUT), you need to protect your API. You can use OAuth, or you can create your own solution, but keep in mind that all solutions can be compromised if the password is really easy to discover. The basic idea is to authenticate users with a username, password and token, e.g. apitoken. This apitoken can be generated with node-uuid, and the password can be hashed with pbkdf2.

Then you need to store the session somewhere. If you store it in memory in a plain object, killing the server and restarting it destroys the session. It also does not scale: if you use haproxy to balance load between machines, or simply use workers, the session state will live in one process, so if the same user is routed to another process/machine he will have to authenticate again. Therefore you need to keep the session in a shared place. This is usually done with redis.

When the user authenticates (username + password + apitoken), another token is generated for the session, also known as accesstoken, again with node-uuid. Send the user the accesstoken and user id. The user id (key) and accesstoken (value) are stored in redis with an expiration time, e.g. 1 hour.

Now, every time the user performs an operation using the REST API, he will need to send the user id and accesstoken.

0

Source: https://habr.com/ru/post/1013993/
