Protect API from calls outside of the private area

Reply to Protect API from calls outside of the private area on Wed, 17 Mar 2021 21:23:08 GMT

ec Organizer — Wed, 17 Mar 2021 21:23:08 GMT

@Daniel-Mulroy Hi Daniel, thanks! And sorry about the Dick Honing / ecOrganizer confusion. I created a second account to test the sharing settings before handing handing it over to third parties and somehow this account got stuck in Safari ...

Btw: can I contact you backchannel / via email?

Reply to Protect API from calls outside of the private area on Wed, 17 Mar 2021 10:31:56 GMT

Daniel Mulroy — Wed, 17 Mar 2021 10:31:56 GMT

Hi @Dick-Honing and @ec-Organizer,

It looks like you already have a token system for authentication.

A solution is to send that token along with every API call from the front-end.

Then, in your API functions, you 'check' the token before running the actual function/returning any data.

Something in Node.js might look like:

if (tokenIsValid(event.POST.token) === false) {
    callback(null, {status: "NOT AUTH"}); // handle this error on the client side
    return // stop code execution
}

// Then continue with your normal function code here

tokenIsValid, in this example, would check the token against the user database to ensure the token was valid.

Reply to Protect API from calls outside of the private area on Wed, 17 Mar 2021 09:34:31 GMT

ec Organizer — Wed, 17 Mar 2021 09:34:31 GMT

An area/web pages the user has access to after loggin in.

The private pages then all have the following additional bit of Javascript to protect these pages from direct access without having logged in first:

Now I also want to protect the API functions from being accessed by anybody what has not successfully logged into the private area ...

Reply to Protect API from calls outside of the private area on Wed, 17 Mar 2021 07:16:59 GMT

Wassim — Wed, 17 Mar 2021 07:16:59 GMT

Hi,

What do you call the private area?