I am currently building on Vercel and use the serverless functions as an API.
All functions are available at <URL>/api/<FUNCTION_NAME>. I want to allow only my web page access to the API, but I have no idea how. I don't have any authentication / JWT system in place because it is a fairly simple app.
In AWS I normally use something like IAM authentication or a simple API Key.
What are best practices for that or what is the suggested way to do this? I am not sure if I look at the problem completely wrong but I don't find many resources for that.
Thanks!
Sandro
As mentioned here, you can actually use a simple method using QUERY. For example, you can run a function to authorize the request if QUERY.SECRET_KEY is equal to the secret key that you saved somewhere else in your code, e.g. an env variable. Or, using the same method, you can use the authorization header that is sent by the client. Here is the example. You can use anything that suits you. It's just about personal preference. Hope it helps.
Related
I have an application with (nuxt js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application), but each of these 3rd-party APIs has its own authentication.
How do I implement multiple authentications? (I read the documentation and googled for the entire day, but there is no clear answer.)
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to do it manually by plugging in the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of its modules (but you can totally dislike it, no problem :D).
First thing that you need to know is that this project (nuxt-auth) is not the biggest one; #pooya is doing his best, but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great, but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all-rounded, solid, top-notch solution.
That does not mean that you should not use it; I'm just saying that this module does have some limitations. Hence the fact that it does not support a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord and see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasible.
And that's my 2cts.
Are there any downsides to use directusSdk instead of making GraphQL requests?
According to documentation; My front-end can log in users and make requests through javascript SDK.
I would say using the SDK is a great option and is something I choose to do myself where possible. I believe that the Directus application uses it too, so it is well looked after 😌
I've been searching for how to call an Azure function from CRM using OAuth2; all the information that I found is about using a function key to call Azure functions from Dynamics 365.
If someone knows, please let me know whether OAuth 2.0 is possible and how I can implement it.
I opened up a GitHub issue to get an update from Microsoft on this topic (as I know this has been a challenge for a long time). It is still not positive, but we may get some feature in the near future. Until then we may have to use HttpClient in the plugin directly instead of a webhook.
This is a known challenge which Web Hooks doesn't even attempt to address. Your options are limited. So this is a feature request rather than a documentation issue.
If you attempt to call such an authenticated service using an HttpClient in a plug-in, you have more options. But none of them today represent best practices that we would recommend specifically at this time, although I see people making them work in community posts.
Setting a certificate or secret value within the secure configuration of the plug-in seems to be the best solution I've seen. But we are looking to provide something better.
Has anyone managed to create a custom integration between Zapier and Xero by using the 'Webhooks by Zapier' option and a private connection on the Xero side?
At the moment Xero uses Oauth-1a to create sessions and I can't figure out how to even approach this.
I know Zapier has a normal integration with Xero, however I am interested in doing something which isn't available in their integration (create manual journals) and for this I need to figure out how to do the connection manually.
Thanks
Have you taken a look at Xero's Private Application Auth documentation? The private key you create becomes your Consumer Key for API calls. Unfortunately, from there, you do need to do a little coding to support Oauth1 in Zapier.
You have two options:
You could use a serverless function platform like Google Cloud Functions or AWS Lambda to host your code and use one of Xero's SDKs (like pyxero). You then use a webhook step in Zapier to call the function.
This option is the most robust and avoids Zapier code limits.
You can use a Zapier code step to place the call. In order to do this, you will need to create your own Oauth1 header for your call. You can look at the post HERE by Eliot Muir.
You'll see on lines 32-34 of his example output the headers that need to be included. He has done the hard work of crafting them so you would just need to pull the relevant code and strategy.
This is the most streamlined solution, but you do have to deal with Zapier's lack of 3rd-party packages and a 10-second timeout
I built a web app in Laravel 5.2, and now, I would like to use Angular or Vue, so I am separating an API from my controllers.
The thing is, in my controllers, I use a lot:
Auth::user() to refer to the logged-in user.
What is the best way to deal with it?
Read books about API design. If the existing app isn't designed to be a RESTful API in the first place then you're in for a lot of learning. Laracasts has a great series called Incremental APIs.
Laracasts.com
Build APIs You Won't Hate
OK, I'm expanding my answer, even though this is not a great question; it is probably too broad. You need to look into OAuth 2.0 authentication for your API. You can still use a username and password, but OAuth 2.0 tokens over SSL is probably the best simple way to provide authentication for your API. If it is only used internally, or is read-only, then you may not really require authentication for the API at all. There's not enough information about your use case to even make a guess about that. Good luck!