javascript - Protect API routes in Node.js - Stack Overflow

admin管理员组

文章数量:1303046

I have some routes in my Node.js API sending data from a MongoDB database to an Angular 4 frontend.

Example:

Node.js route:

router.get('/api/articles', (req, res) => {
    Article.find({}, (err, articles) => {
        if(err) return res.status(500).send("Something went wrong");
        res.status(200).send(articles);
    });
});

Angular 4 service function:

getArticles() {
    return this.http.get('http://localhost:3000/api/articles')
    .map(res => res.json()).subscribe(res => this.articles = res);
}

The question is, how do I protect my Node.js API routes from browser access? When I go to http://localhost:3000/api/articles I can see all my articles in json format.

I have some routes in my Node.js API sending data from a MongoDB database to an Angular 4 frontend.

Example:

Node.js route:

router.get('/api/articles', (req, res) => {
    Article.find({}, (err, articles) => {
        if(err) return res.status(500).send("Something went wrong");
        res.status(200).send(articles);
    });
});

Angular 4 service function:

getArticles() {
    return this.http.get('http://localhost:3000/api/articles')
    .map(res => res.json()).subscribe(res => this.articles = res);
}

The question is, how do I protect my Node.js API routes from browser access? When I go to http://localhost:3000/api/articles I can see all my articles in json format.

• javascript
• node.js
• mongodb
• angular

Share Improve this question Follow asked Oct 19, 2017 at 3:07 mikebrsvmikebrsv 1,96022 gold badges2626 silver badges3232 bronze badges 2

• 2 You can't really. If you're going to expose an API for angular to use, then any web agent can call that API too. You can require a logged in account on your site that your server can verify before the API will respond, but that's about it for what you can do. There are various obstacles that can be put up to make it more difficult to access from outside your angular code, but none are secure vs. a determined hacker. – jfriend00 Commented Oct 19, 2017 at 3:11
• @jfriend00 Thanks, your ments here are highly appreciated. My goal was merely to prevent public API routes from being accessed directly via browser. I use tokens where user authentication is required. – mikebrsv Commented Oct 19, 2017 at 17:29

Add a ment  | 

4 Answers 4

Sorted by: Reset to default 4

This is not a security measure, just a way to filter the request. For security use other mechanisms like JWT or similar.

If the angular app is controlled by you then send a special header like X-Requested-With:XMLHttpRequest (chrome sends it by default for AJAX calls) and before responding check for the presence of this header.

If you are really particular about exposing the endpoint to a special case use a unique header may be X-Request-App: MyNgApp and filter for it.

You can't really unless you are willing to implement some sort of authentication — i.e your angular user will need to sign into the api.

You can make it less convenient. For example, simply switching your route to accept POST request instead of GET requests will stop browsers from seeing it easily. It will still be visible in dev tool or curl.

Alternatively you can set a header with your angular request that you look for in your express handler, but that seems like a lot of work for only the appearance of security.

Best method is to implement an authentication token system. You can start with a static token(Later you can implement dynamic token with authorisation).

Token is just a string to ensure the request is authenticated.

Node.js route:

router.get('/api/articles', (req, res) => {
    let token = url.parse(req.url,true).query.token;   //Parse GET param from URL
    if("mytoken" == token){         // Validate Token
       Article.find({}, (err, articles) => {
        if(err) return res.status(500).send("Something went wrong");
        res.status(200).send(articles);
       });
    }else {
       res.status(401).send("Error:Invalid Token"); //Send Error message
    }

});

Angular 4 service function:

getArticles() {
    return this.http.get('http://localhost:3000/api/articles?token=mytoken') // Add token when making call
    .map(res => res.json()).subscribe(res => this.articles = res);
}

With Express, you can use route handlers to allow or deny access to your endpoints. This method is used by Passport authentication middleware (which you can use for this, by the way).

function isAccessGranted (req, res, next) {
  // Here your authorization logic (jwt, OAuth, custom connection logic...)
  if (!isGranted) return res.status(401).end()
  next()
}

router.get('/api/articles', isAccessGranted, (req, res) => {
  //...
})

Or make it more generic for all your routes:

app.use('*', isAccessGranted)

本文标签： javascriptProtect API routes in NodejsStack Overflow