1

I'm trying to build my first API to be consumed by a mobile application built with Ionic.

Before starting, I'm looking into the architecture and I cannot understand exactly how to secure my API routes.

Let's say I have an endpoint like http://myapi/v1/get-items and my application doesn't need a user to be authenticated to view those items in the mobile app.

How should I protect that route from external queries, using Postman for example?

I want that route to be not accessible unless it is requested by the application.

Looking on Google I can find many solutions using basic authentication, but all of those require a user to log in... What if my app doesn't have users to log in?

I'm a bit confused but I think there is a solution and I don't know it yet...

I hope you can help me to understand it.

EDIT:

My question is totally different from the following: How to implement a secure REST API with node.js

I'm looking for a solution that DOES NOT require User Authentication.

Ayeye Brazo
  • Find the answer here: http://stackoverflow.com/questions/15496915/how-to-implement-a-secure-rest-api-with-node-js – codeGig Mar 11 '16 at 17:24
  • @Jitendra Thanks, but it is talking about user authentication... I'm looking for the solution without a user authentication... :/ – Ayeye Brazo Mar 11 '16 at 17:28
  • What about [Helmet](https://www.npmjs.com/package/helmet)? I'm still googling, I don't know this package, but probably it can solve the issue? – Ayeye Brazo Mar 11 '16 at 17:46
  • @AyeyeBrazo Helmet is for a totally different purpose. If your mobile app is closed source then just create some encryption for requests within it. The key would be safe in the app, as it is pre-implemented inside it, and the server would know how to decrypt the requests. – Nonemoticoner Mar 12 '16 at 16:23

2 Answers

0

If you don't want to use User Auth through something like Passport then you can institute a whitelist in your Node API instead. express-ipfilter is an express middleware module that allows you to filter requests based on the request IP.

peteb
0

Requiring a login would be the cleanest and safest way to make sure your API remains private. However, if you want to keep external users out of your services without requiring a login, you will need to "sign" your requests. By that I mean doing something like encrypting a current timestamp on the client using a key known to both the server and the client app, adding that encrypted string as a header, receiving that header in your server, decrypting it and checking that it's not too old a timestamp before you return a response.

It's not really safe (if someone can see the code they can see the encryption key), but it's an obstacle and it doesn't require logging in. See this for an example on encryption/decryption

ruedamanuel