{"id":262,"date":"2022-05-18T10:48:28","date_gmt":"2022-05-18T08:48:28","guid":{"rendered":"https:\/\/www.davel.fr\/techblog\/?p=262"},"modified":"2022-05-18T10:58:31","modified_gmt":"2022-05-18T08:58:31","slug":"rest-api-after-crud","status":"publish","type":"post","link":"https:\/\/www.davel.fr\/techblog\/2022\/05\/rest-api-after-crud\/","title":{"rendered":"Rest API : After CRUD"},"content":{"rendered":"

(originally posted on https:\/\/dev.to\/davel_x\/rest-api-after-crud-406n<\/a>)<\/p>\n

Hello and welcome to my first "technical" article since a very long time. Last one was on a time when Adobe Flash and Facebook Applications were still a thing. (and maybe you\u2019re too young to know what I\u2019m talking about 😀)<\/p>\n

Context<\/h2>\n

I\u2019ve been developing a REST API recently and I knew quite exactly what to do but I still keep on reading articles about API development to see if there\u2019s new techniques that I don\u2019t know about.<\/p>\n

A lot of theses articles are really good to start building a REST API, like these ones for example :
\nhttps:\/\/dev.to\/beznet\/build-a-rest-api-with-node-express-mongodb-4ho4<\/a><\/p>\n

https:\/\/dev.to\/nditah\/how-to-build-a-rest-api-with-node-prisma-and-postgresql-429a<\/a><\/p>\n

But is it enough to code a CRUD - well more a GPPD (GET-POST-PATCH-DELETE) but let\u2019s stick with readable acronyms 😀 - to put your api in production ?<\/p>\n

Well no, not really and I found myself implementing a lot of annex features that are however pretty essential.<\/p>\n

As I work with nodejs\/express, I will focus on tools\/code for javascript but the underlying concepts are pretty common.<\/p>\n

<\/p>\n

Who are you? Who, who, who, who?<\/h2>\n

Articles about Authentication<\/strong> are not really rare.
\nIt's main purpose is to prepare the request for authorization (we'll get there) and\/or filter the endpoints return values.<\/p>\n

An example ?<\/strong>
\nImagine you work with several companies that uses the endpoint POST \/users<\/code> to add new users to your services and GET \/users<\/code> to retrieve the users list. You'll want to automatically set a reference to the company on the first endpoint and exclude other companies users on the second.<\/p>\n

You could send an api_key to your partners that they would add to the endpoints requests (in the header, the query, etc.) so a simple db request would be enough to know who is interacting with your API.<\/p>\n

Here\u2019s a few solutions to get who your API caller is if you need :<\/p>\n

External services<\/strong> like Auth0 (https:\/\/auth0.com\/fr<\/a>) that also provide authorization services - see below - security protection, etc.<\/p>\n

Libs<\/strong> like passportjs (https:\/\/www.passportjs.org<\/a>) where you can customize as you wish the authentication process (JWT, sessions, apiKeys, oAuth...).
\nYou\u2019ll find a lot of examples here : https:\/\/dev.to\/search?q=passport<\/a><\/p>\n

DIY<\/strong> with the solution that you prefer.
\nFor example with JWT : https:\/\/dev.to\/perrydbucs\/using-jwts-for-authentication-in-restful-applications-55hc<\/a><\/p>\n

For my API I wanted to use APIKey in http bearer AND a JWT in HTTPOnly cookie so I choosed passportjs that is common, reliable and has a lot of features.<\/p>\n

You don't own me (I'm not just one of your many toys)<\/h2>\n

Ok, now you know who is calling (the "user") you may have the need to restrict some endpoints : does the user can see the resource, can interact with the resource or not ? That's Authorization<\/strong>.<\/p>\n

An example ?<\/strong><\/p>\n

"Umbrella Corporation" calls the endpoint POST \/virus<\/code> with it's API_Key. Alas, this endpoint is only accessible by Admin Users and Umbrella is not one of them. The endpoint should return response with the HTTP error code 403 (https:\/\/en.wikipedia.org\/wiki\/HTTP_403<\/a>).<\/p>\n

Some of the ways to discriminate users are :<\/p>\n

RBAC<\/strong> just add a role in the User entity of your base and checks on each request if the current user has the correct role(s) to access the resource. (I know my explanation is simplified)<\/p>\n

ACL<\/strong> More granular than RBAC, this time each object has a list of users\/roles\/groups with the action authorized for each one of them. Thats very powerful but often really painful to manage on small to medium projects.<\/p>\n

ABAC<\/strong> Permissions are based on attributes (you choose) of the object to check. creator<\/code>, status<\/code>, whatever you want can be used to make rules to verify if the user has permissions.<\/p>\n

Here are some tools that can help you handle authorization with nodejs :<\/p>\n