Reputation: 57
I am trying to build a REST API for my game. Since I am new to this, I am having a difficult time trying to figure out how I can "lock down" endpoints, in the sense that I don't want just anyone making a POST request to my game scores endpoint and updating it. What would be the best solution to prevent this?
Upvotes: 1
Views: 840
Reputation: 2844
What you need is an authorization process. A common implementation is an ACL (Access Control List), where each request you make must include a token; that token is associated with a set of roles, and each role has several permissions. On each request you check that token's permissions against the request's endpoint and see if the requester is allowed to execute the action.
There are packages to ease that implementation, like acl.
If you don't want to spend much time doing that yourself, I recommend taking a look at Loopback.
EDIT:
In your frontend application you could have something like:
var express = require('express');
var request = require('request'); // the `request` HTTP client package

var app = express();

// Forward every /api/* and /fe/* request that reaches the frontend to the
// backend (process.env.PROXY), attaching the shared token the backend expects.
app.all(['/api/*', '/fe/*'], function(req, res) {
  req.pipe(request({
    headers: { 'Authorization': process.env.AUTH_TOKEN },
    url: process.env.PROXY + req.url,
    method: req.method,
    body: req.body,
    rejectUnauthorized: false, // note: disables TLS certificate verification of the backend
    withCredentials: true
  }))
  .on('error', function(e) {
    res.status(500).send(e);
  })
  .pipe(res);
});

app.listen(process.env.PORT || 3000);
What that code does is take any request to your frontend that starts with /api/ or /fe/ and pipe it to your backend server (process.env.PROXY).
The key piece is process.env.AUTH_TOKEN; you could use a random and big hash here. Then on each protected request your backend checks if the header matches the AUTH_TOKEN you selected.
The advantage of this is that the end user never sees that token; as a matter of fact, the end user will only see requests that go to your frontend server.
Upvotes: 2