This is the backend repository of Password Manager
The backend is hosted on Azure and the architecture is:
The backend contains following resources:
- KeyVault (PasswordManagerVault) - This stores all the secrets for the password manager, and also the encyrption key. This has network restrictions in place which only allows for vNet addresses to access the Keyvault. Along with this, it has Access Policies in place to ensure only the function app is able to access the keyvault secrets and keys.
- Function App (passwordmanagerfn) - This hosts all the APIs. This is also network restricted within the subnets of the Virtual Network, so it is inaccessible from any other IP. Along with this, the function app is also protected by Azure AD, so for one to access the APIs they must have the function code + valid access token.
- App Service Plan (passwordmanagerfn) - This is the app service plan on which the function app is hosted.
- Application Insights (passwordmanagerfn) - This is where all the function app logs are recorded and can be used for analysis and request tracing.
- Storage (passwordmanagerfn) - This is utilized by the azure function app.
- Virtual Network (PasswordManagerVNet) - This helps to secure resources, ensuring they are only accessible within the VNet, and not from amy other IP.
- API Management (PasswordManagerVNet) - This is used to expose the APIs to external applications, while ensuring security. For someone to access these APIs, along with the APIM subscription key, they will also need to pass the Azure AD access token.
- API can only be accessed via APIM
- To access API, one needs APIM subscription key + Azure AD account
- Function App API are inaccessible to external applications because of the VNet
- Keyvault is inaccessible to anyone except function app because of the VNet + Access Policy
- The secrets sent over the API are encrypted and can be decrytped only by the end application, thus there is no risk of security credentials leak over API calls.