gary-archer/oauth.apisample.nodejs

Final OAuth Node.js API


Behaviour

The final OAuth secured Node.js API code sample, referenced in my blog at https://authguidance.com:

  • The API has a fictional business area of investments, but simply returns hard-coded data
  • The API takes finer control over OAuth and claims, to enable the best security with good manageability
  • The API uses structured logging and log aggregation, for the best supportability

API integrates with UI Clients

The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running the API in this manner forces it to be consumer-focused towards its clients:

[Screenshot: SPA and API]

API can be Productively Tested

The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test driven development, the API instead mocks the Authorization Server:

[Screenshot: Test Driven Development]

API can be Load Tested

A basic load test uses promises to fire 5 parallel requests at a time at the API.
This ensures that there are no concurrency problems, and error rehearsal is used to ensure that error responses are useful:

[Screenshot: Load Test]

API is Supportable

API logs can be analysed in a use-case-based manner by running Elasticsearch SQL and Lucene queries.
Follow the Technical Support Queries for some people-friendly examples:

[Screenshot: Support Queries]

Commands

Prerequisites

  • Ensure that Node.js 20+ is installed
  • Integration tests run Wiremock in Docker, so ensure that Docker is installed

Run the API

Run the API with this command:

./start.sh

Configure DNS and SSL

Configure DNS by adding these domains to your hosts file:

127.0.0.1 localhost apilocal.authsamples-dev.com login.authsamples-dev.com

Then call an endpoint over port 446:

curl -k https://apilocal.authsamples-dev.com:446/investments/companies

By default, SSL trust is managed by setting the NODE_EXTRA_CA_CERTS environment variable.
This points to the development root CA, downloaded to ./certs/authsamples-dev.ca.pem.
If you have an existing trust file, you will need to add this certificate to it.

Test the API

Stop the API, then re-run it with a test configuration:

npm run testsetup

Then run integration tests and a load test:

npm test
npm run loadtest

Further Details

Programming Languages

  • Node.js with TypeScript is used to implement the REST API

Infrastructure

  • Express is used to host the API over SSL
  • AWS Cognito is used as the default Authorization Server
  • The jose library is used to manage in-memory validation of JWTs
  • The project includes API deployment resources for Docker and Kubernetes
