
Introduction

Welcome again! If you landed on this post directly and don’t know what all this is about, check out the previous posts first:

You can find the code for this tutorial on GitHub.

If you followed the steps from the previous posts your project directory structure should look like this:

├── config
│   ├── env
│   │   ├── development.js
│   │   └── index.js
│   └── express.js
├── gulpfile.babel.js
├── index.js
├── package.json
└── server
    ├── controllers
    │   ├── tasks.js
    │   └── users.js
    ├── models
    │   ├── task.js
    │   └── user.js
    └── routes
        ├── index.js
        ├── tasks.js
        └── users.js

If it doesn’t, please go back and check if you missed something from the previous posts.

RESTful API Security

It’s time to take care of a key point of our RESTful API: security. We have our endpoints to manage users and tasks, but right now any client that knows where our API is running can call them. This is not safe. In the real world you want to control who has access to your API, and you need to check on every request that it is coming from a trusted source.

There are at least two security aspects you want to take care of when building an API: authentication and authorization. There’s always someone who doesn’t know the difference between these two, so here is a one-sentence explanation of each:

  • Authentication: the action of identifying a user in your platform
  • Authorization: the action of checking whether the already authenticated user has access to a specific resource

So you can basically see it as a pipeline: request -> authenticate -> authorize -> response. First you check that the request is coming from a trusted source, and after that you check that the trusted source has access to the resource it’s trying to get from your system.

In our API, authentication will be provided by a user/password sign-in endpoint that returns a JWT (JSON Web Token, more about this later on) which the client then sends to authenticate subsequent requests. Authorization will simply be handled by our controllers with basic checks, such as not allowing a user to see or change the tasks of other users.

For the purpose of this project we’ll only take care of authentication, which is the more complex of the two. Authorization won’t be covered here; I’ll just say that it can be achieved with simple database checks in the simplest implementations and with user role management in more complex systems.