Is there advantages/disadvantages in these approaches?
I saw some programers using /api as reverse proxy to the API. Some are using api directly in clients.
I have an application with clients as React and mobiles. Not sure about best approach here.
As one disadvantage of /api - in case of Web application down our API will be unavailable for mobiles too.
Related
I have a vue.js frontend and I need to make api calls to an external api which doesn't allow cross-origin.
Is there a way to proxy this in the vue frontend, in development I used a devServer proxy and this worked. I could always forward it through my own spring backend but this seems like a worse solution then just proxy in the fontend.
You can't do it in production, proxy through bachend server seems right solution for you.
Also you can do a lot of stuff, like caching answers from external api, working with data immediately, without additional frontend work. Just try to do it.
If i were you, i'd just create/add separate service on backend that should work with that api.
I'm having an issue with a project I'm working on. I have a Vue client which does API calls to my backend which is written in .NET Core 3.1. Both these applications are deployed on diffent servers.
Now the problem is that my backend server does not allow me to do API calls straight from the browser. So I have to do some kind of 'redirect' on the client server to reach my API.
So for example:
If I call backend_server/api/values I get an error (Firewall).
I think I should make like a second API or something, but I'm not sure how to handle this issue.
Does anybody have any experience on this? Any help is welcome!
Kind regards
You can have multiple options here
Remove the firewall rule -
This will allow your API to get hit from browser. If firewall is not managed by you you can't do this
Add IP or Port exception rule in firewall -
Instead of deactivating the entire inbound rule on server, you can allow specific ports or IP on firewall. Again if you have control on firewall
Create Proxy API -
Another way is you can create a middleware API that forwards your request and acts as a proxy. This will suffice performance, resource, time and compromise security. I recommend not to do this, But it's easily possible in .NET Core
Specify CORS policy -
If your Vue.js and API originates from same origin (IP), You can configure CORS in server which will restrict access to API only from same origin. That means only www.google.com can access GoogleAPI, Likewise. This will protect the API from other origins
Tunnel via VPN -
If security is a concern, Use a VPN service to tunnel your API requests. This can't be possible for every client using your web service.
The best way is to open a specific rule on server for your application if possible. Writing a proxy in between will have lot of disadvantages although can be accomplished.
I'm currently developing an HTML5 mobile web app for Blackberry using WebWorks that interacts with a 3rd party API.
Unfortunately i can't use the API directly from the mobile app due to the cross domain requests constraints, so i'm considering the development of a Web Proxy that interacts with the API and serves the web app.
Since I've never done such thing i would like to get some recommendations, i'm going to use Microsoft technologies (.NET) to achieve my purpose.
I'm thinking about a WCF service that makes all requests to the API and the mobile client connects to the WCF service to get the data, but i think i'll have the same cross domain requests limitation anyway so it might not work.
First, check with your third-party API provider if they support CORS. If they do, you can get around the same origin policy restrictions. Assuming they don't, you can create a facade service using ASP.NET Web API instead of WCF. ASP.NET Web API is designed from the ground up for creating HTTP services for broader reach and there is no SOAP involved.
From your ASP.NET Web API, you can make a HTTP call using HttpClient and simply pass the request to the third party API and echo the response back to your app. As you rightly said, the same origin policy restrictions will apply to this case as well but you have more control over the server side. You can implement CORS in ASP.NET Web API and that way your BB WW app can still call your web API despite being in different origins.
I'm developing an Rest API in Node.js / express to expose resources (to Backend). And another web application that manages Sessions and interacts with the Rest API (to Frontend).
API and WEB_APP, is in same domain, with subdomain in both:
Backend: api.example.com
2 Frontend: www.example.com
The web application is accessed from client with angular.js.
The architecture would be for two situations:
Main_Rest_API <-> WEB_APP <-> Browser_User
Main_Rest_API <-> Rest_SDK <-> Client
My question is:
This architecture is consistent?
What would be the best way to implement this scheme?
Update:
I have to implement this architecture to provide Restfull via OAuth2 to third-party clients also
I don't really understand your question,
are you sure that you need separate servers for serving the web app and for the API? you'll need to handle cross domain requests this way.
if you don't actually need two servers, it'll be simpler to have one app, where /api/ routes (for example) are the REST API. then your AngularJS app can make AJAX requests to /api/
and / will serve the JavaScript web app.
again, I don't understand your question for the case you do need two separate servers.
We wish to build a web app that will consume our REST API and looking for a way to circumvent the Same Origin Policy security feature.
We have a REST API which is served from api.ourdomain.com from SERVER_1.
We have a Web App which is server from dashboard.ourdomain.com from SERVER_2.
The Web App communicates with the REST API using ajax calls that include GET, POST, DELETE and PUT requests.
At some point in the future, we might consider allowing 3rd party sites to access the API from their own sites and domains.
Due to the Same Origin Policy security feature of the browsers, these requests are not allowed.
We are looking for ways to circumvent this.
Solutions we have encountered:
Tunneling the requests through our proxy. This will slow down the app and requires more resources.
JSONP - Will only work for GET requests. We do not wish to overload the GET requests with post/put/delete capabilities.
Using an iFrame with document.domain set to the same domain. Will only work for sites under ourdomain.com.
Frameworks such as EasyXDM. Seems like a good solution.
Thank you!
I don't know EasyXDM but I have the same architecture you are talking about in more than one application. We use your suggested solution (1). In my opinion proxying the requests through a common subdomain is the cleanest solution. I don't think that this is a performance problem. Many sites use something like nginx anyway to do some sort of reverse proxy (as cache). You could easily tunneling your API through http://[yourhost]/api and the rest of the HTML, CSS and image resources through other paths.