
I've been looking at node.js, REST APIs and WebSockets lately to further my knowledge about backend and frontend web development. Trying to go with best practices, I see REST API come up all the time. Now, my problem, which I don't seem to understand how to properly solve:

Say, for example, I'd like to have client / server decoupled, and for this I implement a REST API in the backend so that my frontend will access and get data to render. Specific (imaginary) example: let's say I want to build a rental service website. Now I would like to have an endpoint for my frontend to access information about certain products, let's say the number of bikes that have been rented so far. I'd like to be able to show this on my frontend (through the help of the REST API), but I wouldn't like for other people who call this REST API to be able to get the data (because espionage is a serious business and I'd like to keep the evil ones away; yes, they can webcrawl, but bla bla). So in essence I'd like for the localhost machine to be able to access (part of) the REST API but not anyone else. Things get complicated because I'd also like people to be able to create a user on my website, so then I'd like to have other endpoints which can be accessed without restriction, because I'm thinking, what if at some point I'd like to have a mobile app that is integrated with the service? Then it will be unfeasible to restrict all requests to localhost.

How would you architect a secure server / client as this one? Or in your opinion is it not that big of a deal to have the REST API exposed to others (the evil ones)?

The above goes for WebSockets as well. I know REST APIs are all nice and neat, but I think the future lies in near-realtime connections, and so I'm likewise interested in WebSockets (through higher level modules of course, Socket.io, SockJS etc.).

  • Is your client-side all public or restricted by a login mechanism? Commented Dec 6, 2015 at 10:51
  • The client side would be partly public (think of a web-store type of website) and partly with restricted pages through authentication. But the question isn't really about this. Maybe I wasn't clear enough; please see my other comment. Commented Dec 6, 2015 at 14:44

1 Answer


There are many solutions to secure your API out there, and many of them are open source. Which one you'll use really depends on your detailed needs.

But to get you started I will mention a solution that is very accepted and supported by a large community:

Have a look at JSON Web Tokens, which are, for example, explained in this article.

Basically, your client requests an authentication token from the server and then stores it locally to reuse it for every request to your API. The server, on the other hand, may protect your API as needed. That means you may also have a public API that does not expect a token in the HTTP header.

Tokens may also expire. That is handy if you, for example, want to allow a new user to register on your site for a limited time.

Here is another article that explains things.

Now on to the WebSocket part of your question. YES, you definitely want to protect your server-side sockets as well. So look out for a library that supports authentication. Again, I think there are a number of open source libraries out there.

To mention one: Primus. Primus is an abstraction layer for many socket libraries underneath and lets you quickly change the socket provider. But it also has an authentication hook that you can implement.

And guess what... you can use it to check for a JSON Web Token!

Hope this gets you started.


3 Comments

Thanks for the resource, it's really useful for implementing the user login process, but this is only a partial answer. I've already read about JWT and it's definitely the way to go forward, but what I'm asking is: how can one architect a server with some REST API endpoints restricted to calls from the localhost machine only (the server) and have the other part of the REST API available for registered users? Your answer tackles the second half (which has already been documented quite a bit). I'm looking to have part of the API accessible only internally by localhost. Is that possible?
Or maybe I'm not formulating it correctly. So my static files would be the client which is viewed by visitors, right? So when I want to load a page with some info from database I'd use REST API endpoints. But is there a way to have these endpoints accessible only by my frontend? That is, if anyone else tries to curl these endpoints they'd get a 404 or 401 or something... don't know if this is possible though. Can't think of a way to restrict these calls.
Consider the scenario where a super admin creates an admin. Let's say the admin logged in and the super admin deleted this user from the database. As he is logged in, he has a valid token which can make requests. How can you tackle this scenario where you want to authenticate whether the user exists or not?
