nesh_s

Reputation: 399

Best practice - Calling APIs & Services in Single page applications

I have a single page application that needs to call a variety of web services and/or APIs. I would like to understand what is a generally agreed approach to making API or service calls from an SPA. We currently have two approaches:

  1. For certain 3rd party APIs, we make direct calls from the single page application without a server side proxy. In order for this to work we have CORS enabled.

  2. For other API calls, we make calls to a proxy (wrapper) which is responsible for redirecting them to the appropriate endpoints.

The way we decide which approach to use is: if there is some kind of data manipulation that's needed before calling the 3rd party API, we use the proxy; otherwise we make direct calls from the SPA. Is this a valid approach? Would you have any feedback on whether the 1st approach is robust from a security point of view? In the 1st approach we have an http-only cookie that is being used as an access token to make calls to the 3rd party API. Does this make the API we are exposing vulnerable?

Thanks in advance.

Upvotes: 1

Views: 1455

Answers (1)

Fabien

Reputation: 4972

I highly recommend that you proxify all your API calls.

Calling a 3rd party API is ok for some use cases, but not if you start having to deal with a lot of them.

Here are my key points:

  • Interfacing APIs lets you centralize the listing, organization and updates of the 3rd party APIs. It also makes it easier to build your own tracking, stats and monitoring.
  • You can reroute any API if it is down, and provide adequate error handling so that you avoid frustrating timeouts / ugly error messages for your customers due to that 3rd party API being down.
  • You isolate and secure your customers from outside services: if the 3rd party API is exploited by a malicious user (e.g. returns 'bad' pictures, redirects the navigation...), you can filter it.
  • It is easy to change ONE hostname for your API proxy, it is harder to change 20. If you want to migrate your application into closed environments (private networks) the API proxy will come as a real helper when it comes to all the issues with DNS, proxies, gateways, etc.
  • You can offer your own standardized API which interfaces all the others: this will be an accelerator for development. Take a look at GraphQL if that could help you perform both multi-API calls and result size optimizations.

Upvotes: 5
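The proxy pattern from the answer above, as an added example that is not code from the question or the answer: a small server-side API proxy handler for an SPA, written as a plain async function with an injectable `fetch` so it runs without a framework or network. It puts the answer's points into code: the browser only talks to one hostname (`/api/<name>/...`), the upstream API keys stay on the server and never reach the page, only allowlisted upstreams and path characters are accepted, upstream responses are reduced to the fields the SPA needs, and upstream failures become one short, consistent error for the customer. The upstream names, URLs, field names and environment variable names are assumptions made for the example.

```javascript
// Added example (not from the question or answer): a minimal server-side API
// proxy handler for a single page application. Upstream names, base URLs,
// response field names and env var names below are assumed for the example.

// Allowlisted upstreams. The SPA only ever sees /api/<name>/...; the real
// hostnames and credentials stay on the server (read from the environment).
const UPSTREAMS = {
  weather: {
    base: "https://weather.example.test/v1",               // assumed URL
    apiKey: process.env.WEATHER_API_KEY || "dev-only-weather-key",
    fields: ["city", "temperature", "summary"],            // response allowlist
  },
  geocode: {
    base: "https://geocode.example.test/v2",               // assumed URL
    apiKey: process.env.GEOCODE_API_KEY || "dev-only-geocode-key",
    fields: ["lat", "lon"],
  },
};

const UPSTREAM_TIMEOUT_MS = 3000;

// Maps a browser-facing path such as "/api/weather/forecast" to an upstream
// name plus the remaining path. Only lower-case names and a restricted path
// alphabet are accepted, so a request cannot escape the allowlisted base URL.
function resolveRoute(path) {
  const m = /^\/api\/([a-z]+)(\/[A-Za-z0-9_\-\/]*)?$/.exec(path);
  if (!m || !UPSTREAMS[m[1]]) return null;
  return { name: m[1], rest: m[2] || "/" };
}

// Keeps only the fields the SPA is known to need, so unexpected content from a
// misbehaving or compromised upstream is dropped before it reaches the page.
function filterResponse(name, data) {
  const out = {};
  for (const f of UPSTREAMS[name].fields) {
    if (Object.prototype.hasOwnProperty.call(data, f)) out[f] = data[f];
  }
  return out;
}

// req is { path, query, session } as a web framework would hand it over.
// fetchImpl is injectable so the handler can be exercised with a fake upstream.
async function handleProxyRequest(req, fetchImpl = globalThis.fetch) {
  // The SPA authenticates to *this* server (e.g. an HttpOnly session cookie);
  // the upstream credential is never derived from or exposed to the browser.
  if (!req.session || !req.session.userId) {
    return { status: 401, body: { error: "not signed in" } };
  }
  const route = resolveRoute(req.path);
  if (!route) return { status: 404, body: { error: "unknown route" } };

  const up = UPSTREAMS[route.name];
  const qs = req.query ? "?" + new URLSearchParams(req.query).toString() : "";
  const url = up.base + route.rest + qs;

  // Bound the wait on the upstream so a slow 3rd party cannot hang the SPA.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), UPSTREAM_TIMEOUT_MS);
  try {
    const res = await fetchImpl(url, {
      headers: { Authorization: "Bearer " + up.apiKey },
      signal: controller.signal,
    });
    if (!res.ok) return { status: 502, body: { error: "upstream unavailable" } };
    return { status: 200, body: filterResponse(route.name, await res.json()) };
  } catch (err) {
    // Timeouts and network failures become one short error for the customer;
    // the upstream detail belongs in server-side logs, not in the response.
    const reason = err && err.name === "AbortError" ? "upstream timeout" : "upstream error";
    return { status: 504, body: { error: reason } };
  } finally {
    clearTimeout(timer);
  }
}
```

From the SPA's side every call is a same-origin request such as `fetch("/api/weather/forecast?city=Paris", { credentials: "same-origin" })`, which keeps the session cookie HttpOnly and removes the need for CORS on the 3rd party endpoints; swapping an upstream later means editing one entry in `UPSTREAMS` rather than redeploying the client.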
