The final OAuth secured Node.js API code sample, referenced in my blog at https://authguidance.com:
- The API has a fictional business area of `investments`, but simply returns hard coded data
- The API takes finer control over OAuth and claims to enable the best security with good manageability
- The API uses structured logging and log aggregation, for the best supportability
The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running the API in this manner keeps it consumer focused on the needs of its clients.
The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test-driven development, the API instead mocks the Authorization Server.
A basic load test uses promises to fire 5 parallel requests at a time at the API.
This checks that the API has no concurrency problems, and error rehearsal ensures that failures produce useful error responses.
API logs can be analysed in a use-case-based manner by running Elasticsearch SQL and Lucene queries.
Follow the Technical Support Queries for some people-friendly examples.
- Ensure that Node.js 20+ is installed
- Integration tests run Wiremock in Docker, so ensure that Docker is installed
Run the API with this command:

```bash
./start.sh
```

Configure DNS by adding these domains to your hosts file:

```text
127.0.0.1 localhost apilocal.authsamples-dev.com login.authsamples-dev.com
```

Then call an endpoint over port 446:

```bash
curl -k https://apilocal.authsamples-dev.com:446/investments/companies
```
By default, SSL trust is managed by setting a `NODE_EXTRA_CA_CERTS` environment variable.
This points to the development root CA downloaded to `./certs/authsamples-dev.ca.pem`.
If you have an existing trust file, you will need to add this certificate to it.
Stop the API, then re-run it with a test configuration:

```bash
npm run testsetup
```

Then run integration tests and a load test:

```bash
npm test
npm run loadtest
```
- See the API Journey - Server Side for further information on the API behaviour
- See the Overview Page for further details on running the API
- See the Coding Key Points Page for key implementation details
- Node.js with TypeScript is used to implement the REST API
- Express is used to host the API over SSL
- AWS Cognito is used as the default Authorization Server
- The jose library is used to manage in memory validation of JWTs
- The project includes API deployment resources for Docker and Kubernetes