Reputation: 960
I've been looking at node.js, REST APIs and WebSockets lately to further my knowledge about backend and frontend web development. Trying to go with best practices, I see REST APIs come up all the time. Now to my problem, which I don't seem to understand how to properly solve.
Say for example I'd like to have client / server decoupled and for this I implement a REST API in the backend so that my frontend will access and get data to render. Specific (imaginary) example: let's say I want to build a rental service website. Now I would like to have an endpoint for my frontend to access information about certain products, let's say the number of bikes that have been rented so far. I'd like to be able to show this on my frontend (through the help of the REST API) but I wouldn't like for other people who call this REST API to be able to get the data (because espionage is a serious business and I'd like to keep the evil ones away, yes they can webcrawl but bla bla). So in essence I'd like for the localhost machine to be able to access (part of) the REST API but not anyone else.
Things get complicated because I'd also like people to be able to create a user on my website so then I'd like to have other endpoints which can then be accessed without restriction because I'm thinking, what if at some point I'd like to have a mobile app that is integrated with the service. Then it will be unfeasible to restrict all requests to localhost.
How would you architect a secure server / client as this one? Or in your opinion is it not that big of a deal to have the REST API exposed to others (the evil ones)?
The above goes for WebSockets as well. I know REST APIs are all nice and neat but I think the future lies in near-realtime connections and so I'm likewise as interested in WebSockets (through higher level modules of course, Socket.io, SockJS etc.).
Upvotes: 2
Views: 816
Reputation: 2509
There are many solutions to secure your API out there and many of them are open source. Which one you'll use really depends on your detailed needs.
But to get you started I will mention a solution that is widely accepted and supported by a large community:
Have a look at JSON Web Tokens, which are explained, for example, in this article.
Basically your client requests an authentication token from the server and then stores it locally to reuse it for every request to your API. The server on the other hand may protect your API as needed. That means you may also have a public API that does not expect a token in the HTTP header.
Tokens may also expire. That is handy if you, for example, want to allow a new user to register on your site for a limited time.
Here is another article that explains things.
Now on to the WebSocket part of your question. YES, you definitely want to protect your server-side sockets as well. So look out for a library that supports authentication. Again, I think there are a number of open source libraries out there.
To mention one: Primus. Primus is an abstraction layer for many socket libraries underneath and lets you quickly change the socket provider. But it also has an authentication hook that you can implement.
And guess what... you can use it to check for a JSON Web Token!
Hope this gets you started.
Upvotes: 1
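The token flow described in the answer above, as an added example that is not part of the original post: an HS256 JSON Web Token is issued, then checked both on REST requests (with one public route that needs no token) and on a WebSocket handshake, which is the check an authentication hook would run. The HMAC signing is written out with Node's built-in crypto module so the block runs without dependencies; the secret, the route names and the `?token=` query parameter are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';        // assumption: loaded from server config in practice
const PUBLIC_ROUTES = new Set(['POST /users']);  // hypothetical open endpoint (sign-up)

const b64url = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue a token carrying a subject and an expiry (seconds since the epoch).
function issueToken(sub, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub, exp: Math.floor(now / 1000) + ttlSeconds }));
  return `${header}.${payload}.${b64url(mac(`${header}.${payload}`))}`;
}

// Return the claims if the token is authentic and unexpired, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    // Pin the algorithm on the server; never let the token's header choose it.
    if (JSON.parse(Buffer.from(parts[0], 'base64url')).alg !== 'HS256') return null;
    const given = Buffer.from(parts[2], 'base64url');
    const expected = mac(`${parts[0]}.${parts[1]}`);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
    return typeof claims.exp === 'number' && claims.exp > now / 1000 ? claims : null;
  } catch { return null; }
}

// REST gate: public routes pass without a token, all others need a valid Bearer token.
function authorize(method, path, headers, now = Date.now()) {
  if (PUBLIC_ROUTES.has(`${method} ${path}`)) return { status: 200, user: null };
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  const claims = m && verifyToken(m[1], now);
  return claims ? { status: 200, user: claims.sub } : { status: 401, user: null };
}

// WebSocket gate: the same check on the handshake URL, before any message is accepted.
// Assumption: token sent as ?token=...; URLs get logged, so keep such tokens short-lived.
function authorizeSocket(requestUrl, now = Date.now()) {
  const token = new URL(requestUrl, 'http://localhost').searchParams.get('token');
  return verifyToken(token, now) !== null;
}
```

The signature only proves the token came from the server; it does not hide the payload, so nothing secret belongs in the claims.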