leviolson
/
guardian-api-proxy
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
A single proxy server to authenticate requests to multiple internal APIs
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
30 KiB
 
Tree: 03bbf6b126
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '03bbf6b126'
${ noResults }
 ZIP  TAR.GZ
Levi Olson 03bbf6b126
Update README.md 		6 years ago
.env.json.example Initial Commit 9 years ago
.gitignore Initial Commit 9 years ago
LICENSE Initial commit 9 years ago
README.md Update README.md 6 years ago
app.js Updating package.json to reflect github location; improving database.js; and minor tweaks to app.js method variable 9 years ago
database.js Updating package.json to reflect github location; improving database.js; and minor tweaks to app.js method variable 9 years ago
package.json Updating package.json to reflect github location; improving database.js; and minor tweaks to app.js method variable 9 years ago

README.md

Guardian API Auth Proxy

A single proxy server to authenticate requests to multiple internal APIs. Experimenting with using Node.js as a single point of entry to access internal APIs. The idea being you have a single entry point so APIs can remain inaccessible to the outside world and you only have to edit a single point when making security enhancements. Individual APIs are secured by having to pass a client_id, username, and password along with the request. This is validated early in the request.

Added benefits include:

  • A single database change to the client_id and you have re-secured access, if for some reason a malicious intent is discovered. At that point, the method of entry can be addressed, and new client_ids can be distributed (typically in the form of an app update).
  • In the use-case of mobile apps, changing the client_id can also be detected, and this can be the basis for forcing an app update (i.e. trigger a popup to download new version from app store).
  • Logging API traffic is now made super simple and analytics become a natural/inherent part of this service.
  • And a lot more...

An example of how this is intended to work is as follows:

  • Let's say we have an API that returns a list of books when we navigate to http://example.com/api/books.

  • We associate a client_id of bookapiv01 to the base url above in a database (in real world use, this should be a completely random generated string so as not to be guessable).

  • Our "guardian" service is setup at https://guardian.serverexample.com/.

  • We send a post request to our new guardian server (including the uri string) which includes the following:

    • https://guardian.serverexample.com/api/books is the url
    • client_id = booksapiv01
    • username = allowedusername
    • password = reallysecurepw
    • _method = GET (optional)
    • params = {"author":"bill"} (optional)

  • The resulting response is the list of books as if we queried the API directly. Only we successfully authenticated the request and have all the benefits mentioned above.

  • Version 0.0.1 (the alpha's alpha)

Installation

  • git clone git@github.com:leothelocust/guardian-api-proxy.git
  • npm install
  • node or nodemon app.js
  • Voila! It workie.

Contribution guidelines

  • Write tests
  • Then code
  • Code review
  • 4 spaces (no tabs)
  • Submit pull request

Contact

  • Levi Olson on Github