
I want to refactor my Ruby on Rails application and split it into 2 parts.

Currently, it's a monolithic app that incorporates user registration/authentication, resource management, report sending by mail and a rich UI. Usually, a page of the application is a container with widgets; every widget fetches data from the server using some internal API that feeds the client with data in JSON format. These widgets are too many, and their API is a significant part of the app. I want to extract that API into a separate application. The main application will continue to serve user requests at the www.app.com address, and the API will be available at api.app.com.

Question: how do I protect the API app and prevent unauthorized access? The main app uses sessions (with cookies). Now, these sessions are being validated when a request to the API is processed. Since it will be a new app living on another server, I'm not sure I could validate those sessions. So what's the option? Using JWT tokens, or? Could you share examples from your experience, please?

Ilya Konyukhov
  • There are many different ways to do this - which is why this question is off topic. The simplest solution is to use JWTs for authentication on the API app, but there is also the option of setting up a separate authentication service which serves both apps (a third app) - which works like having your own OAuth service. – max Oct 22 '18 at 16:52
  • That's why I asked those who have had experience building such systems. Single Sign On is cool, but it seems a bit of overkill for me. My initial idea was about using JWT tokens, but maybe it could be possible with reusing cookies as well. – Ilya Konyukhov Oct 22 '18 at 17:10
  • "What's the best way to do X?" type questions are [off-topic on Stackoverflow](https://stackoverflow.com/help/dont-ask) since it's a Q&A site for questions that can be answered and not just discussed. You might want to try reddit or somewhere else for general advice. – max Oct 22 '18 at 17:15
  • Just found [some](https://stackoverflow.com/questions/10960131/authentication-authorization-and-session-management-in-traditional-web-apps-and?rq=1) [questions](https://stackoverflow.com/questions/20689759/api-authentication-for-user-logged-in-to-a-web-app-server?rq=1) about the same topic which are even more generic but were warmly welcomed here. But they are old :( – Ilya Konyukhov Oct 22 '18 at 17:41
  • SO was a lot more lax when it was small - but as it grew we needed to become more selective as a community to avoid it becoming a discussion forum or a garbage heap of unanswerable questions. – max Oct 22 '18 at 17:49
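As an added illustration of the JWT option discussed in the question and comments (this is not code from the asker or from any answer): www.app.com validates the cookie session as it does today and then mints a short-lived HS256 token for the user; api.app.com verifies the signature, algorithm, issuer, audience and expiry before trusting the `sub` claim. The shared secret, claim values and function names are assumptions, and only the Ruby standard library is used (no `jwt` gem), so the token handling is written out in full.

```ruby
require 'openssl'
require 'json'

# Hypothetical shared secret: both apps would read it from credentials/ENV;
# it is hard-coded here only so the example runs stand-alone.
SHARED_SECRET = 'replace-me-with-a-long-random-secret'.freeze

# Base64url without padding, as JWT requires (stdlib pack/unpack only).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0') # strict decoding: raises ArgumentError on malformed input
end

# Constant-time comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# www.app.com: after the cookie session has been validated, mint a short-lived
# HS256 token naming the user, valid only for api.app.com.
def issue_api_token(user_id, now: Time.now.to_i, ttl: 300, secret: SHARED_SECRET)
  header  = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url_encode(JSON.generate({ sub: user_id.to_s, iss: 'www.app.com',
                                          aud: 'api.app.com', iat: now, exp: now + ttl }))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# api.app.com: check algorithm, signature, issuer, audience and expiry before
# trusting `sub`. Returns the claims hash, or nil when the request must be rejected.
def verify_api_token(token, now: Time.now.to_i, secret: SHARED_SECRET)
  header_b64, payload_b64, sig_b64 = token.to_s.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64
  return nil unless JSON.parse(b64url_decode(header_b64))['alg'] == 'HS256' # rejects alg=none
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(b64url_decode(sig_b64), expected)
  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['iss'] == 'www.app.com' && claims['aud'] == 'api.app.com'
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
rescue ArgumentError, JSON::ParserError, TypeError
  nil
end
```

The browser widgets would fetch such a token from www.app.com (which still owns the session) and send it to api.app.com in an Authorization header; because the token expires after `ttl` seconds, api.app.com never has to read the main app's session store.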

0 Answers