Solution for Chapter 10: Securing APIs

The exercise for this chapter (Chapter 10, Securing APIs) focuses on using Auth0 to define your API security, collect the access control parameters, modify your API source code, and then test the results.

Define Your API in Auth0

The exercise instructions included the name of the new API security definition (bigco-credit-check). To create this definition, you need to log in to the https://auth0.com website and navigate to the dashboard page. There you can select the APIs option in the left navigation pane and, when the list of APIs appears, click the Create API button that appears in the upper-right corner of the screen. This brings up the New API dialog, where you can enter “bigco-credit-check” into the Name field. You also need to enter your API identifier (for example, http://api.mamund.com/bigco-credit-check). Once both values are supplied, click the Create button at the bottom of the dialog. That completes the definition and takes you to the new landing page for that API.

Collect Your API’s Access Control Parameters

The next step is to collect the five important access control parameters (Name, Identifier, ClientID, ClientSecret, and Domain) for your API. The Name and Identifier values are on the Settings tab of the API’s landing page. The other three values (ClientID, ClientSecret, and Domain) are on the API’s application page. You can find this page by clicking the Applications option in the left navigation pane of the dashboard and then selecting the bigco-credit-check application from that list. When you select it, you’ll be taken to the landing page where the ClientID, ClientSecret, and Domain are displayed.

You need to collect all five values and write them into the proper spots in the auth0.env file in your project’s /security/ folder. That file looks something like this:

 ###################################################
 # auth0-util environment vars
 ###################################################
 
 name="credit-check"
 
 id="<CLIENT-ID>"
 secret="<CLIENT-SECRET>"
 
 url="https://<DOMAIN>/oauth/token"
 
 jwksuri="https://<DOMAIN>/.well-known/jwks.json"
 audience="<IDENTIFIER>"
 issuer="<DOMAIN>"
 
 ### EOF

ENV or TXT?


Note that in the code folder for this project, all the files that end in .env are actually saved to the project as .txt files. That’s because the ENV files are automatically ignored when checking the project into source control. This is a safety feature to make it hard for you to accidentally check your API’s secret keys into source control, where others could see them. Be sure to copy the auth0.txt file to auth0.env on your local machine when you’re completing this project.

 

With the values copied to your auth0.env file, you can run the ./auth0-token.sh script to retrieve a fresh access token from Auth0. It will be written to the auth0-token.env file. You can open that file and copy the access_token value into your curl-auth.env file. You can also copy-paste that token into the http://jwt.io website to validate the contents of that token.

Update the credit-check-secure NodeJS Project

Now you are ready to update your NodeJS API project. First, be sure to add all the security-related code modules to your project using npm. To do that you can move to the project folder on disk and type the following into the command line:

 mca@mamund-ws:~/company-secure$ npm install -s jwks-rsa jsonwebtoken \
   express-jwt express-jwt-authz

Next, open up the index.js file in the credit-check-secure project folder and update that file to reference the api-auth.js code file from the /DARRT/lib folder and add the security middleware into the NodeJS Express pipeline by adding the following lines to your index.js file:

 //***********************************************
 // start of auth support
 var secure = require('./darrt/lib/api-auth.js');
 app.use(secure.jwtCheck);
 // end of auth support
 //***********************************************

Finally, open the /DARRT/lib/api-auth.js file and update the auth object values to match the access control parameters you pulled from the Auth0 website in the previous step.

Your code should look like this:

 // auth variables
 var auth = {};
 auth.cache = true;               // cache signing keys fetched from the JWKS endpoint
 auth.rateLimit = true;           // throttle JWKS fetches when unknown key ids arrive
 auth.requestsPerMinute = 5;
 auth.jwksUri = '<DOMAIN>/.well-known/jwks.json';  // same value as jwksuri in auth0.env
 auth.audience = '<IDENTIFIER>';  // the API identifier you entered in Auth0
 auth.issuer = '<DOMAIN>';        // must match the token's iss claim exactly
 auth.algorithms = ['RS256'];     // only RS256-signed tokens are accepted

Be sure to copy your API definition’s access control parameters where indicated in the code snippet above.

Finally, save all your changes to the project and check them into the Git repository.

Test Your API Security

Now you can try accessing your API to validate your security changes. First, try using a simple curl http://localhost:8181/ call (without a security token) to confirm that your API call gets an HTTP 401 status code response. Your response should look like this:

 mca@mamund-ws:~/company-secure$ curl localhost:8181/
 {
  "type": "Error",
  "title": "UnauthorizedError",
  "detail": "No authorization token was found",
  "status": 401
 }
 mca@mamund-ws:~/company-secure$

Next, use the curl-auth.sh utility (with the access token from the previous step and other appropriate configuration settings) to make the same call. Your curl-auth.env file should look something like this (with your new JWT pasted in where indicated):

 ####################################
 # auth-test variables
 ####################################
 
 url="http://localhost:8181/"
 method=GET
 accept="application/json"
 
 token="<VALID-JWT-ACCESS-TOKEN>"

Now when you execute the command ./curl-auth.sh, you should get the root response as expected without any errors. It should look like the example shown here:

 mca@mamund-ws:~/security$ ./curl-auth.sh
 
 OAuth Request Utility
 ================================
 Sun Apr 26 14:54:57 EDT 2020
 
 ...: requesting GET http://localhost:8181/
 {
  "home" :
  [
  {
  "id" : "list"
  ,"name" : "credit-check"
  ,"rel" : "collection credit-check"
  ,"href" : "http://localhost:8181/list/"
  }
  ]
 }
 mca@mamund-ws:~/security$

Assuming you’ve made it this far, you now have designed, built, tested, and secured your NodeJS API! The next big thing is to release it into production. We’ll do that in the next solution.
