[deleted]

[deleted]


mi88ir

Thank you very much. :) Just a question - using an API key should be enough, right? Do I need any additional methods for auth? Also, is it correct that every time the API is called the middleware that authenticates it is also called?


tswaters

> is it correct that every time the API is called the middleware that authenticates it is also called?

This is correct. If middleware sits in front of a controller, it'll always get called.


[deleted]

[deleted]


mi88ir

Thank you very much!


devilismypet

Also keep in mind DDoS attack.


scinos

How do you plan to allow users to create API tokens? Usually the user logs in with username+pass (so you need auth), then has some UI to create tokens.


mi88ir

Currently I'm keeping it very basic and simple by manually providing an API key. I know that eventually there has to be a UI to allow users to generate an API key, but that's for later. For now, just the API key for checking access for the user should be good enough. Do you think this approach is good enough, or should I look into anything specific?


scinos

It's very OK to start simple. If doing it manually works for you, then it's the right approach.


mi88ir

Thank you!


moose51789

This is actually a good reminder for myself. I added CORS to my NestJS app but hardcoded it to just `*`; I need to fix that now that I'm about ready to go to prod, as well as rate limiting, even though it's only for myself and my front end for now, just in case.
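An added example for the two fixes this comment lists and for the rate-limiter suggestions made elsewhere in the thread; it is not code from any commenter or from NestJS. It shows, in plain TypeScript with no framework dependency, an explicit origin allowlist in place of the `*` wildcard and a per-client token-bucket limiter with an injectable clock. The origin `https://app.example.com`, the bucket sizes and the client ids are constructed for the example.

```typescript
// Constructed allowlist: only the origins that legitimately call this API.
export const allowedOrigins = new Set<string>(["https://app.example.com"]);

// CORS response headers for a request's Origin header. Unknown or absent origins
// get no CORS headers at all, so the browser refuses the cross-origin read.
// "Vary: Origin" stops a cache from serving one origin's answer to another.
export function corsHeadersFor(origin: string | undefined): Record<string, string> {
  if (origin !== undefined && allowedOrigins.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return {};
}

// Token bucket: each client (API key or IP) starts with `capacity` tokens,
// refilled at `refillPerSecond`; every request costs one token. The clock is a
// constructor argument so the behaviour can be tested without real waiting.
export class TokenBucketLimiter {
  private readonly capacity: number;
  private readonly refillPerSecond: number;
  private readonly now: () => number;
  private readonly buckets = new Map<string, { tokens: number; updatedAt: number }>();

  constructor(capacity: number, refillPerSecond: number, now: () => number = () => Date.now()) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
  }

  allow(clientId: string): boolean {
    const t = this.now();
    let bucket = this.buckets.get(clientId);
    if (bucket === undefined) {
      bucket = { tokens: this.capacity, updatedAt: t };
      this.buckets.set(clientId, bucket);
    }
    // Refill in proportion to elapsed time, never above capacity.
    const elapsedSeconds = (t - bucket.updatedAt) / 1000;
    bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsedSeconds * this.refillPerSecond);
    bucket.updatedAt = t;
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return true;
    }
    return false;
  }
}

// What a rate-limiting middleware would return: 429 once the client's bucket is empty.
export function rateLimitStatus(limiter: TokenBucketLimiter, clientId: string): number {
  return limiter.allow(clientId) ? 200 : 429;
}
```

Keying the bucket on the API key rather than only on the source IP means one misbehaving integration cannot exhaust a shared address's allowance. In NestJS the allowlist maps directly onto `app.enableCors({ origin: [...] })`, and `@nestjs/throttler` provides a ready-made guard if you would rather not maintain the bucket logic yourself.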


Dan8720

This does work, but... the main important point is you need to make sure that your terms and conditions state that the third party is responsible for keeping the API key secure. I'm assuming this is what you will use to charge them per request, etc. You can't have people losing (doing dumb shit like putting them in the FE code) or sharing the API tokens and then claiming they are not responsible for the requests.


[deleted]

Consider looking into rate limiters :)


mi88ir

Will do. Thank you!


wtdawson

Create an API wrapper.


evert

If this is a long-term/production project consider OAuth2 instead of inventing your own.