
Microservices API Authentication with API Gateway in NodeJS/Express

I'm creating a Microservice architecture using Node JS and Express. I know that one of the main features of Microservices is a service oriented architecture where teams can design, develop and ship their applications independently. So in my design I think that each microservice offers its API and they communicate between each other through those APIs; in this way each Microservice is independent and has its own life waiting for requests.

I am writing this question because I have several doubts about authentication and communication between microservices.

For the authentication I have made some tests with JWT to authenticate the API of a Microservice and all works fine; this is an example of an Express middleware for authentication:

const jwt = require("jsonwebtoken");

// Reads the token from the "Authorization: Bearer <token>" header
const getToken = (req) => {
  const auth = req.headers.authorization || "";
  return auth.startsWith("Bearer ") ? auth.slice(7) : null;
};

const tokenCheck = (req, res, next) => {
  let token = getToken(req);

  if (token) {
    jwt.verify(token, "password", (err, decoded) => {
      if (err) {
        // Respond instead of throwing: an exception thrown inside this
        // asynchronous callback is not caught by Express and crashes the process
        return res.status(401).json({ error: "Failed to authenticate token." });
      }
      req.user = decoded;
      next();
    });
  } else {
    res.status(401).json({ error: "No token provided." });
  }
};

Used in this way:

router.get("/", tokenCheck, Controller.get);

So each route is protected with a layer of authentication.

Instead, about communication between microservices, I read the best way is to use an API Gateway and I found this library to do it. Furthermore, I read that it's better to add the authentication middleware inside the API Gateway because if you re-implement these things in each single microservice, you are duplicating the code at first, but more importantly you have two different pieces of software to maintain.

Now my questions are two:

1) Is it right to use an API gateway like this to make microservices communicate?

2) If I move the authentication middleware from the microservices to the API Gateway I have to remove the middleware from the API routes, and in this way the API will be unprotected if someone other than the gateway makes requests. I think this is wrong because anyone can call those routes; instead, if I maintain the middleware also in the microservice, the code is duplicated. Can anyone tell me what is the right way to do it?

I have been working on Node.js for the past couple of years and here is my understanding; hope this helps you clear your thoughts.

The answer to your question:

Let me explain to you the work of both the parts you have stated in the question.

  • http-proxy-middleware

  • Your custom middleware

    • Your custom middleware is the project specific code to check if all the requests are authenticated.
    • It would check if the request has a token and if the token is valid.

Conclusion:

  • You need your custom middleware compulsorily. The other one (http-proxy-middleware) is optional.

Update:

Now my questions are two:

  1. Is it right to use an API gateway like this to make microservices communicate?

Answer: No, it is not the right way.

  2. If I move the authentication middleware from the microservices to the API Gateway I have to remove the middleware from the API routes, and in this way the API will be unprotected if someone other than the gateway makes requests. I think this is wrong because anyone can call those routes; instead, if I maintain the middleware also in the microservice, the code is duplicated. Can anyone tell me what is the right way to do it?

For this, you can impose the authentication middleware on app so that all the routes execute the middleware. Update your server code.

const Express = require("express");
const jwt = require("jsonwebtoken");

// The secret shared with the token issuer; assumed here to come from configuration
const password = process.env.JWT_SECRET;

// Reads the token from the "Authorization: Bearer <token>" header
const getToken = (req) => {
  const auth = req.headers.authorization || "";
  return auth.startsWith("Bearer ") ? auth.slice(7) : null;
};

// Init App
const App = Express();
// Authentication code, applied to every route of the app
App.use((req, res, next) => {
  let token = getToken(req);

  if (token) {
    jwt.verify(token, password, (err, decoded) => {
      if (err) {
        // Respond instead of throwing: an exception thrown inside this
        // asynchronous callback is not caught by Express and crashes the process
        return res.status(401).json({ error: "Failed to authenticate token." });
      }
      req.user = decoded;
      next();
    });
  } else {
    res.status(401).json({ error: "No token provided." });
  }
});
