
I have a node.js app which does authentication/authorization. I have an Azure Function which accepts an auth token, validates it, and executes the business logic behind it (exposed through CORS). I have a static website with an Angular app which redirects to node.js for auth, gets the token and calls the Azure function (directly) with it. For all subsequent requests from Angular, we use the same token.

My fear: If any network sniffing tool gets hold of the token, there could be a possible attack on our business, as the respective tool will have everything it needs to execute the Azure function(s) on the user's behalf. I tested this using cURL and was able to execute the Azure function directly (with the token captured from dev tools).

Question:

  • Are there any flaws in the above architecture?
  • If so, what's the best approach?
  • If not, is my fear valid?
  • Is it a good idea to expose Azure functions directly to the public (even though they accept only authorized requests)?

Thanks

user203687
  • If all your traffic is https, it's not exactly a simple feat to sniff traffic. If it was, every site with a username/password would be dangerous. – MikeOne Oct 14 '21 at 17:06
  • Azure, as well as any other cloud provider, can be configured to accept requests from certain IPs. Also, the proper way of requesting stuff from Azure is within your server; the client should only display data, your node should serve the data. In your node, before you request stuff from Azure, you need to check if the current IP is the same as the IP used to create the token. – Ernesto Oct 25 '21 at 12:13

2 Answers


For Azure Functions, using JWT token based authorization is easy to implement. The following discussion explains this well: Using JSON Web Tokens (JWT) with Azure Functions (WITHOUT using Active Directory). We have a similar implementation with some variation.

DeepakP

Are there any flaws in the above architecture?

Of course there are

If so, what's the best approach?

There are plenty

If not, is my fear valid?

Somewhat, but if you haven't screwed up the auth part you should be fine ;)

Is it a good idea to expose Azure functions directly to the public (even though they accept only authorized requests)?

Sure it is. Simply do the auth before you execute any business logic. You have your auth done (hopefully right), you most probably pass the token (I assume something like a Bearer JWT token) in the header of HTTPS requests, so it is encrypted together with the payload (this alone makes it quite hard to sniff out). I assume as well that you hold it in some place with restricted access, like a secure cookie or alike.

One thing to consider which you have not mentioned is token invalidation (for instance when the user logs out) and reasonable expiry times (of course those depend on your use cases). Maybe add a drop-all-sessions button. There are plenty of strategies which harden your APIs but never really get you all the way there.

As a side note

From experience, if AAD B2C is an option I would go for it for managing end users. It integrates quite well with Azure Functions, gives you OAuth flows, can integrate with 3rd parties, plus a fair number of libraries to integrate it with your stack (historically the quality of those varied), you can force MFA and it gives you the MS quality potato stamp. IIRC the major downside is that EasyAuth doesn't work in your local dev env, so you have to mock it up somehow.

gaa