简体繁体 English

ExpressJS REST API-仅供内部使用的端点的最佳实践

[英]ExpressJS REST API-Best practice for internal use only endpoints

原文 2016-02-04 01:49:26 9 2 node.js/ rest/ express

Use case: I'm building a MEAN stack web app that adds functionality on top of an existing API service. 用例：我正在构建一个MEAN Stack Web应用程序，该应用程序在现有API服务之上添加功能。 Said service publishes an array of approximately 800 objects (that will grow by less than 25 objects a week). 所述服务发布了大约800个对象的数组（每周将增长少于25个对象）。 In order to avoid adding lots of load to this service and to speed up performance on my app I would like to "cache" the objects in my application. 为了避免为此服务增加很多负载并加快应用程序的性能，我想在应用程序中“缓存”对象。

My question is what would be the best practice for keeping this "cache" up to date? 我的问题是使此“缓存”保持最新状态的最佳实践是什么？ Express naturally lends itself to RESTful CRUD operations but I don't want to expose a public endpoint that would allow anyone to add or modify the objects from the external service. Express自然很适合RESTful CRUD操作，但是我不想公开允许任何人从外部服务添加或修改对象的公共端点。

What is the best way to restrict access to endpoints that will only be used by the application itself? 将访问限制为仅由应用程序本身使用的端点的最佳方法是什么？ Does it require a full fledged authentication scheme or is there a way to simply ignore requests that don't come from within the application itself? 它是否需要完整的身份验证方案，还是有办法简单地忽略不是来自应用程序内部的请求？ Or should this be done using something other than a RESTful api endpoint? 还是应该使用RESTful api终结点以外的方法来完成此操作？

2 个解决方案

The simplest of all solutions would be basic auth which is totally okay if you use SSL. 所有解决方案中最简单的就是基本身份验证，如果您使用SSL，则完全可以。 A more sophisticated solution would be Oauth2. 一个更复杂的解决方案是Oauth2。

If you don't want to implement an authentication strategy you could require a client certificate in your new MEAN stack service (2waySSL with behavior "Client Certs Requested And Enforced"). 如果您不想实施身份验证策略，则可以在新的MEAN堆栈服务（行为为“请求并强制执行客户端证书”的2waySSL）中要求客户端证书。

还可以结帐Express-JWT ， JWT或JSON Web令牌，这是向API添加身份验证的简便方法。