From da93f68fb8718f3d024362f685765c49670784f4 Mon Sep 17 00:00:00 2001 From: Levi Olson Date: Mon, 4 Jan 2016 11:44:04 -0600 Subject: [PATCH] Create README --- README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..59db91a --- /dev/null +++ b/README.md @@ -0,0 +1,45 @@ +# Guardian API Proxy # + +A single proxy server to authenticate requests to multiple internal APIs. Experimenting with using Node.js as a single point of entry to access internal APIs. The idea being you have _a single_ entry point so APIs can remain inaccessible to the outside world and you only have to edit a single point when making security enhancements. Individual APIs are secured by having to pass a `client_id`, `username`, and `password` along with the request. This is validated early in the request. + +Added benefits include: + +* A single database change to the `client_id` and you have re-secured access, if for some reason a malicious intent is discovered. At that point, the method of entry can be addressed, and new `client_id`s can be distributed (typically in the form of an app update). +* In the use-case of mobile apps, changing the `client_id` can also be detected, and this can be the basis for forcing an app update (i.e. trigger a popup to download new version from app store). +* Logging API traffic is now made *super simple* and analytics become a natural/inherent part of this service. +* And a lot more... + +An example of how this is intended to work is as follows: + +* Let's say we have an API that returns a list of books when we navigate to http://example.com/api/books. +* We associate a `client_id` of `bookapiv01` to the base url above in a database (in real world use, this should be a completely random generated string so as not to be guessable). +* Our "guardian" service is setup at https://guardian.serverexample.com/. +* We send a post request to our new guardian server (including the uri string) which includes the following: + * `https://guardian.serverexample.com/api/books` is the url + * `client_id = booksapiv01` + * `username = allowedusername` + * `password = reallysecurepw` + * `_method = GET` (optional) + * `params = {"author":"bill"}` (optional) +* The resulting response is the list of books as if we queried the API directly. Only we successfully authenticated the request and have all the benefits mentioned above. + +* Version 0.0.1 (the alpha's alpha) + +### Installation ### + +* `git clone git@github.com:leothelocust/guardian-api-proxy.git` +* `npm install` +* `node` or `nodemon app.js` +* Voila! It workie. + +### Contribution guidelines ### + +* Write tests +* Then code +* Code review +* 4 spaces (no tabs) +* Submit pull request + +### Contact ### + +* Levi Olson on Github