Stefan

Reputation: 11

REST API Security with cross platform apps (AWS Cloud/Services)

I developed a cross platform application for web and mobile.

The web part is served from a node.js/express application and has user authentication based on passport.js, using local signup, Facebook and Google auth. It is partly server-side rendered using Jade, but also uses Angular for dynamic content requested from the API.

The mobile client is developed with Ionic2/(Angular2) and authenticates users by calling the node.js server, with a passport JWT strategy.

Both clients, web and mobile, use a REST API set up with AWS API Gateway and multiple Lambda microservices behind it, using DynamoDB, Elasticsearch, etc.

Actually I am struggling with the API security. The endpoints which require user authentication/memberships can be handled by a JWT token using the existing auth strategies. But about 90% of the APIs are serving data where no authentication is required.

Those are open to the world right now, since I did not find a good strategy to protect them. My goal is to ensure that only users of the mobile and web app can access those endpoints.

How could I achieve that? It would be great if someone could give me a hint about the best approach.

Thank you!

Upvotes: 0

Views: 149

Answers (1)

clonq

Reputation: 319

Although you are saying authentication is not required for those services, it looks to me like you actually need authentication. Since you are asking for proof of identity of a requester, even if that identity is a requirement as in "only users of the mobile and web app can access", you are talking about authentication. So you might simply want to use JWT for those endpoints too.

You may also want to authorize your users too, as in deciding what a specific identity should be allowed to do. This way you could let all your authenticated users access all your endpoints, but only those that show proof of membership (in the JWT) can access the protected endpoints.

Upvotes: 0
