
I am trying out separated infrastructure for the first time. By separated infrastructure, I mean I have 2 separate apps:

  1. Rails app that only serves as an API service
  2. Angular app that takes care of all the front-end stuff

Currently it's a very simple process (as I'm learning more about integrating 2 apps). I understand that the communication between the two platforms should be secured with some sort of token-based auth etc. I had a look at devise_token_auth and ng-token-auth.

I am confused as I currently will not open up my API to any external parties. Thus the only system that I want to have the ability to consume my API, is my own (1 set of secret keys).

Am I right in saying that I will use devise_token_auth to generate my secret keys, and then add them to my environment variables on both the server and client sides, since these values will currently be static (will not be user specific)?

HermannHH
  • Static tokens? Might as well just not bother with protection at all. It'll be the same security level. – Sergio Tulentsev Sep 07 '15 at 14:11
  • In a comment below I elaborated some more. All requests will be from the public domain (there will currently not be any user sign-in etc.). Thus do I need to add any auth at all? @SergioTulentsev – HermannHH Sep 07 '15 at 14:15

2 Answers

1

You can use a token-based authentication system to protect your backend from unwanted requests. After every authentication (with login/password) your backend will generate a token and send it to your client app, which will store it locally (localStorage). With an Angular interceptor you can easily intercept all your client requests and inject the token into the header of each request; finally, your backend must check the existence and the validity of the token on each request.

https://github.com/lynndylanhurley/devise_token_auth seems to be the answer to your problem on the server side. Coupled with (if you don't want to implement it yourself) https://github.com/lynndylanhurley/ng-token-auth or https://github.com/sahat/satellizer (I prefer this one), you can build a very solid system.

KimiBst
  • Hi @KimiBst, this solution is fine for a more complex system. In this case however, I really just want to get used to integrating 2 platforms. Thus I will not have any user auth yet. The only integration will be for a contact form that is saved to a database. This contact form is available to anybody that accesses the Angular web app. Looking at your response makes me think that I need to ask it in a different way... "Do I need to authenticate API requests for APIs available to the public domain?" – HermannHH Sep 07 '15 at 14:10
  • I don't think you "need" to add any authentication at all if you want your API to be public, especially with a static token (doesn't provide any security). – KimiBst Sep 07 '15 at 14:29
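As an added illustration of the per-request check this answer describes (example code, not part of the original post and not devise_token_auth's own implementation): a minimal server-side store in plain Ruby that mints a random token after a successful login, keeps only its digest, and validates the `Authorization` header on every request. `TokenAuth`, its method names and the one-hour lifetime are assumptions; a Rails `before_action` would call `authenticate` with `request.headers`.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical token store (assumed design, not devise_token_auth).
# Contrast with the static shared token from the question: a value
# shipped inside the client bundle is readable by anyone, so it cannot
# distinguish "my app" from any other caller. A per-login random token
# can, and it can expire and be revoked.
class TokenAuth
  TTL = 3600 # seconds a token stays valid (assumed)

  # `now` is injectable so expiry can be exercised in tests.
  def initialize(now: -> { Time.now })
    @now = now
    @sessions = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # Called once after the login/password check succeeds. Only the
  # digest is stored, so a leaked session table does not leak tokens.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[digest(token)] = { user_id: user_id, expires_at: @now.call + TTL }
    token
  end

  # Run on every API request. Returns the user id, or nil when the
  # header is missing, malformed, unknown or expired.
  def authenticate(headers)
    auth = headers['Authorization'].to_s
    return nil unless auth.start_with?('Bearer ')
    token = auth.delete_prefix('Bearer ')
    session = @sessions[digest(token)]
    return nil if session.nil?
    if session[:expires_at] <= @now.call
      @sessions.delete(digest(token)) # drop stale entries on first use
      return nil
    end
    session[:user_id]
  end

  # Logout: forget the token so it stops working immediately.
  def revoke(token)
    !@sessions.delete(digest(token)).nil?
  end

  private

  # Looking the digest up as a hash key avoids comparing raw tokens
  # byte by byte, so the check does not leak timing on the secret.
  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end
```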
1

The definition of authentication is something like "confirming that a user is who he says he is". Since you won't have any users, auth is not applicable here.

One might argue that the "user" in your case is the Angular client and that, therefore, external users (other apps/scripts), not knowing the token, will be rejected. However, the access token being public knowledge too, it does not add any protection against spam or whatever you were trying to achieve with this mechanism.

So, don't bother with it.

Sergio Tulentsev