NodeJS/express - security for public API endpoint

I'm developing my web-site project based on NodeJs/Express, and for some UI parts I'm using Jquery ajax request to fetch secondary data.

How can we handle some basic control on our REST API endpoints that are used for ajax calls by the browser? I was thinking about some kind of token authorization, but it can also be used by other clients (scripts etc.) once it has been intercepted, so how can we protect our server from unwanted requests? What other controls should be used in these cases (recognizing too many requests from the same client, client blacklists, etc.)?

MQ87 asked Sep 26 '15

People also ask

How can you protect an endpoint from unauthorized access in NodeJS?

You'll rely on a middleware function to protect an Express API endpoint. Express will execute an authorization middleware function before it executes the callback function of the controller that handles the request. You can use two patterns to integrate your endpoints with the authorization middleware function.

How do I restrict API access in NodeJS?

In a nutshell, you can't. Restricting access would more commonly require a user login or some credential like that (probably setting a cookie that you can check) and then if you see that your APIs are being abused, you can ban/remove a specific user account that is doing it.


1 Answer

There are three main topics: Authentication, Authorization, Security. I will give links and only short answers. The subject is big enough to write a few books.

Authentication - who is the one making the request. There are many 'strategies' to authenticate a user. Please check the most popular module for this: http://passportjs.org/docs.

Of course you can implement one or more of these strategies on your own.

For stateless authentication JWT tokens are very convenient. If you want to code it yourself (Passport has this strategy), check this link (one of many on the web): https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens.

How to prevent token interception? Always use https and set a short token expiration time.

Where to store your token client side? For details look at this: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ In short, don't store it in web storage because of XSS attacks. Use cookies; when they are correctly configured they are safe (more in the attached link), if not configured they are very exposed to threats.

Authorization: we know the user, but he has access only to some resources. Please check https://github.com/OptimalBits/node_acl There is a gist with node_acl and passport: https://gist.github.com/danwit/e0a7c5ad57c9ce5659d2 In short, passport authenticates the user. We know who wants what. We set up roles and resources and define the roles-resources relation. Then we set roles for each user. The module will check user permissions for us.

Security: please look for this subject in the documentation of the sails framework http://sailsjs.org/documentation/concepts/security They describe attacks and how the framework prevents them. I write about express:

DDOS: (part of your question "too many requests from same client") "At the API layer, there isn't much that can be done in the way of prevention". This is a subject mostly for server admins. In short, use a load balancer. If it is one IP (not hundreds) then blacklist or delay the response (for a start look at this https://www.npmjs.com/package/delayed-request but I think that the solution must be more sophisticated).

CSRF: "type of attack which forces an end user to execute unwanted actions on a web application backend". Look at this module: https://www.npmjs.com/package/csrf

XSS: "type of attack in which a malicious agent manages to inject client-side JavaScript into your website". Don't trust any data from the user. Always validate, filter, sanitize. Look at this: https://www.npmjs.com/package/xss

In the documentation of sails there are more attack types, but the above are the most popular.

Krzysztof Sztompka answered Oct 18 '22