Angular2 API Key Protection

I’ve been searching the Internet for over a year now. I may not have the right keywords.

I have the following setup:

  • ExpressJS API (works with pm2 on port 3000)
  • Angular2 application - served via nginx

Both run on the same server.

Calls to the API (mydomain/api/) are proxied to 127.0.0.1:3000.

For api calls requiring authorization, I will use JWT and user authentication.

What I want to achieve is that I generate a token for my angular2 application, which is allowed / required for public calls (e.g. product lists).

This token must be reliably transmitted, of course, since I do not want others to receive my products and prices using direct api calls (with a stolen token).

Any help is appreciated.

+5
2 answers

First, as @eesdil said, you should use HTTPS. In this case, all your calls are encrypted and secure.

In my example (Angular 2, Express, and JWT), I used the crypto module with the pbkdf2 algorithm to hash passwords.

This is the workflow:

  • /login/signup → hash password and generate salt → save it to the server
  • /login → verify password against the saved hash → generate JWT → save it to localStorage on the client
  • /api → send JWT in the Auth header → verify on the server → send response

Working example: https://github.com/vladotesanovic/angular2-express-starter

+1

Your token is supposed to travel over HTTPS. And when that is the case, they cannot get it ...

UPDATE

from wiki:

Because HTTPS piggybacks HTTP entirely on top of TLS, the entirety of the underlying HTTP protocol can be encrypted. This includes the request URL (which particular web page was requested), query parameters, headers,

https://en.wikipedia.org/wiki/HTTPS

0

Source: https://habr.com/ru/post/1242193/
