API Security - Securing API with Tokens and JWT

API security is one of the most important aspects of designing and implementing REST APIs. Without adequate security, it does not really matter which other design principles have been taken care of. In this article, we will look at the different types of functional attacks possible along the API path and at how to authenticate REST APIs using tokens. We will also implement this by creating a Node.js API and integrating JSON Web Tokens (JWT) into it.

Before we get started, let us see the basic difference between Authentication and Authorization.
  • Authentication: This is the process of verifying that you really are who you claim to be. With authentication, an API verifies that a request is coming from one of its trusted sources.
  • Authorization: This is the process of checking whether you have access to a certain resource. For example, a client can be a trusted source for an API, yet that particular client might not be authorized to view some confidential data.

At what points might attacks happen?


Attacks can happen at multiple points along the API path. An attacker can target the client directly and intercept its data, exploit a vulnerability in the API gateway, or breach the firewall and attack the application server or the database directly.
Types of functional attacks:
  • Data Theft: Here the attacker breaks into the system to steal confidential data such as a person's bank details, credit card details, etc.
  • Data Manipulation: Here the attacker tries to change or alter the data that is being transferred.
  • Identity Theft: In identity theft the attacker obtains a victim's personal information by deception and misuses that information in the victim's name.
  • DoS Attack: Denial of Service (DoS) is an attack where the attacker tries to stop genuine clients from accessing the server, either by flooding the application server with traffic or by sending requests that cause the server to crash.
API authentication is one of the ways to prevent these types of attacks. Next, we will look into token-based authentication, which is widely used nowadays.

Token Based Authentication
Token-based authentication requires the client to request a token from the server. The server, after receiving the request, verifies the client and sends a token back to the client. On each subsequent request to the server the client must send the token, otherwise the request is rejected.


JSON Web Tokens:

A JSON Web Token is an open standard for securely transmitting data between two parties as a JSON object. It is self-contained, meaning that all the information required to verify a client is contained in the token itself.
This is what a JSON Web Token looks like:

As we can see, a JSON Web Token contains three parts:
  • Header: This contains metadata, such as the algorithm used (for example HMAC), and is base64 encoded.
  • Payload: This contains the claims, which are a set of data such as who the issuer is, the expiry timestamp of the token, etc. This is also base64 encoded.
  • Signature: This is computed over the combined header and payload using a secret key.
Here is a basic example of integrating JWT authentication in Node.js. For this, we have used the npm package jsonwebtoken.

NodeJS code for JWT integration

Here we have created a /token endpoint which takes an id and password and validates them against a static user credential. If the id and password match, we create a token using a private key. Here we have hard-coded the private key, but in general it should be read from a separate file or an environment variable. We then return the created token to the client. If the credentials do not match, we send an unauthorized response.
Then we have an authentication middleware, which extracts the token from the header of each subsequent request and verifies it. If verification succeeds we send back a message stating that the client is verified; if it fails in the auth middleware we send an unauthorized response.
Here is a working demo of the above code. We have used Postman to try out the APIs.


Hope this article has given you a clear picture of API security and JWT authentication. You can get the above code in this link. Do mention your thoughts and views in the comments. Stay Safe and Happy Coding!
