Security for our Web APIs¶
In this chapter, I will show you various methods to secure your RESTful Web APIs. You should use at least one or combine those methods for a more secure API application.
And if you want to use services like mLab , compose …, they have already implemented a secured system on their end. All that you need to do is to follow their instructions to hook the database to your app.
Method 1: The first and foremost is that you should always use HTTPS over HTTP¶
For local testing, I will use OpenSSL on Windows to generate the key and certificate for HTTPS configuration. The process is similar on Mac or Linux.
After installing OpenSSL, I will open OpenSSL and start generating key and cert files.
OpenSSL> req -newkey rsa:2048 -nodes -keyout keytemp.pem -x509 -days 365 -out cert.pem
OpenSSL> rsa -in keytemp.pem -out key.pem
After that, we will move key.pem and cert.pem files to our project. They will be in the config folder.
Then we will edit the server.ts file to enable https.
// server.ts
import app from './app';
import * as https from 'https';
import * as fs from 'fs';
const PORT = 3000;
const httpsOptions = {
key: fs.readFileSync('./config/key.pem'),
cert: fs.readFileSync('./config/cert.pem')
}
https.createServer(httpsOptions, app).listen(PORT, () => {
console.log('Express server listening on port ' + PORT);
})
For testing the server, we will run
ts-node .\lib\server.ts
From now on, our application will always run over HTTPS.
Method 2: Using secret key for authentication¶
This method uses a unique key to pass in the URL, so you can access the database. You can use crypto to create a key from your command line.
node -e "console.log(require('crypto').randomBytes(20).toString('hex'))"
Now, we will use middleware to check for the key before responding to a request. For example, if you want to get all contacts, you need to pass a key.
// GET request
https://127.0.0.1:3000?key=78942ef2c1c98bf10fca09c808d718fa3734703e
We will edit the /lib/routes/crmRouters.ts before sending the request.
Important
Remember that, in production, you should pass the key in the environment, not directly like in the example.
// lib/routes/crmRouters.ts
// get all contacts
app.route('/contact')
.get((req: Request, res: Response, next: NextFunction) => {
// middleware
if(req.query.key !== '78942ef2c1c98bf10fca09c808d718fa3734703e'){
res.status(401).send('You shall not pass!');
} else {
next();
}
}, this.contactController.getContacts)
Method 3: Secure your MongoDB¶
It’s sad that by default, there is no security for MongoDB like at all. If you want to check your current configuration. Go to your mongo installation directory and type mongo.
As you can see, there is no Access control for the database and anyone can do anything with the database. So we will enable authentication feature for MongoDB.
First, we need to create an account in order to authenticate with Mongodb.
After that, we will stop and restart MongoDB with authentication. Remember to check your dbpath.
// Stop MongoDB (Windows)
net stop MongoDB
// Start mongodb with authentication
mongod --auth --port 27017 --dbpath C:\your-data\path
Now, if we login to the mongo shell, there is no warning about access control.
Or you can connect to the mongo shell with username and password you just created.
mongo --port 27017 -u dalenguyen -p 123123 --authenticationDatabase CRMdb
Now, if we try to access the database even with the key, we are not able to.
That’s why we need to edit the mongodb URL in order for the app to work. Again, you should put the mongodb URI to the environment.
// lib/app.ts
class App {
...
public mongoUrl: string = 'mongodb://dalenguyen:123123@localhost:27017/CRMdb';
Then you restart RESTful API, everything will starts working fine again, but now you have a more secure and control API application. There are more security methods that we can implement to improve our application. I will try to update all of them in other posts.
After this, now we have a fully secure and working RESTful Web APIs application with TypeScript and Nodejs. If you want to check all the code, please visit my github repository for the full code.