How to request apikey from backend API using node js?

Question

I was learning to build a weather app using Node (Express) + React. I successfully fetched weather data from open weather API.

However I was directly using the open weather API key in my React app like this const weatherURL = 'http://api.openweathermap.org/data/2.5/weather?q=london,uk&APPID=1234567qwerty';. Obviously this is not safe as it exposed the API key to the client. I thought about storing the API key in .env file, but according to [this answer][1], I should never store API key in .env file or .gitignore. The right way is to make a request to backend API and make an API call to backend and send the data back. I could not find out how to do it. Can anyone help?

Following is my node js code:

const express = require('express');
const cors = require('cors');
const app = express();
const SELECT_ALL_QUERY = 'SELECT * FROM `mySchema`.`myTable`;';
app.use(cors());

app.get('/', (req, res) => {
    res.send('go to /myTable to see content')
});

const pool = require('./awsPool');

pool.getConnection((err, connection) => {
    if (err) {
        return console.log('ERROR! ', err);
    }
    if(!connection) {
        return console.log('No connection was found');
    }
    
    app.get('/myTable', (req, res) => {
        console.log(connection);
        connection.query(SELECT_ALL_QUERY, (err, results) => {
            if (err) {
                return res.send(err)
            }
            else {
                return res.json({
                    data: results
                })
            };
        });
    });
});

let port=process.env.PORT||4000;

app.listen(port, () => {
    console.log(`App running on port ${port} `);
});```


  [1]: https://stackoverflow.com/a/57103663/8720421

Answer 1

User Passport middleware for nodeJs/Express. They provide passport-headerapikey strategy using which you can create and authorize apiKeys. http://www.passportjs.org/packages/passport-headerapikey/

Answer 2

I found a solution based on @ippi answer, add the following part to the original code:

const request = require('request');
const url = 'http://api.openweathermap.org/data/2.5/weather?q=london,uk&APPID=1234567';
app.get('/weather', (req, res) => {
    request(url, (error, response, body) => {
        if (!error && response.statusCode == 200) {
            var info = JSON.parse(body)
            res.send(info);
        }
    })
})

The url can be stored in .env file and passed into the above code. The returned weather data can be viewed in JSON format at http://localhost:4000/weather. In React the weather data can be fetched via this localhost url.

EDIT: request is deprecated, so here is a solution using axios

app.get('/weather', (req, res) => {
    axios.get(url)
        .then(response => {res.json(response.data)})
        .catch(error => {
            console.log(error);
        });
})

Answer 3

The simplest pure http-request in node looks like this:

const http = require('http')
const url = 'http://api.openweathermap.org/data/'

http.request(url, callback).end()

function callback (weatherResponse) {
  let jsonString = ''
  weatherResponse.on('data', chunk => {
    jsonString += chunk
  })
  weatherResponse.on('end', () => {
    // Now you have the complete response and can do whatever you want with it
    // like return it to your user `res.send(jsonString)`
    console.log(jsonString)
  })
}

Many people find it bulky to having to handle chunks and the whole asynchronous thing, so there are many popular npm modules, like: https://www.npmjs.com/package/axios. (And here's a list of other contenders https://github.com/request/request/issues/3143).

Also, it is normal to store API-keys in environment variables on the backend. It makes things easy if you ever try to dockerize your app, or just scale up to using two backend servers instead of one.

Answer 4

What the linked answer was suggesting is to create a route in your Node/Express backend API that will make the call to the weather API for you, instead of the front end. This way the request and your API key are not public-facing whenever your front end makes a call.

The method for doing this would essentially be the same as what you have done in React, making an HTTP request using a built-in or 3rd party library. This resource I just found has some information on how to do both.