This article is part of the ‘Developer Series’ and is intended for software developers undertaking the challenge of correct API design. Throughout the series the developer will gain knowledge and build confidence around the industry practiced methodologies relating to the planning, design and development of application programming interfaces.
In our previous API we learnt how to design a basic RESTful API with a handful of endpoints. It familiarized ourselves with the usage of the HTTP verbs (GET, POST) as well as how to separate certain related functions in to route groups which we conveniently placed inside a controller class.
But there is one glaring problem staring as us right now. How do we prevent unauthorized access to our resources?
Security, including authentication and authorization, in any application regardless of programming language can be a real pain. This is predominantly because it requires a significant amount of thought and planning and a great amount of care during development. For this reason most developers try to avoid confrontation when presented with this challenge.
For our NodeJS API we are fortunate to make use of the excellent PassportJS middleware. Being middleware the library interfaces between our RESTify API and our intended code. By doing so it is able to intercept the request traffic, inspect it and provide authentication to it.
PassportJS provides us with convenient plug-ins called Strategies. It is a very appropriate name because authentication is largely built around a strategy and to date there are over 300 strategies available for use on their website ranging from simple authentication to the more complex authentication against other providers.
To demonstrate some core concepts our API will be making use of two strategies intended to showcase the versatility of the PassportJS middleware.
Up Next: Visualizing the API