
I'm running a nodejs/express application as a backend solution for my current project. The application is using passport-jwt to secure some routes with a JWT in the Authorization header for a route, let's call this route secure-route. Now I'm running a second application which needs to access secure-route without the necessary Authorization header. The necessary Authorization header is generated by a login route after the user has authorized successfully.

The problem is, that I don't want to provide a (fake) jwt Authorization header (which shouldn't expire). The second application/server should access my first application with a more appropriate authorization strategy like basic-auth.

I thought about making secure-route private in another router module so I can access this private route by maybe rerouting.

So how can I make an express route privately accessible? Or is there a solution for authenticating a backend/server without affecting the current authentication strategy?

EDIT: both backends are running on a serverless structure on AWS

sami_analyst

2 Answers


Assuming this second application you mention is running either on the same server or on another server in the same network, then you can do the following:

  1. Create a new web server on a non-standard port that is not accessible from the general internet (just a few lines of code with Express).
  2. Run that new web server in the same nodejs process that your existing server with the secure-route is running on.
  3. In that new server, create a route for the private access. In that private route, do not implement any access control.
  4. Put the code for the route into a separately callable function.
  5. When that new server route gets hit, call the same function that you use to implement the secure route in the other server.
  6. Verify that there is no access to your second server's port from the internet (firewall settings).

You could also just take your one existing server and route and allow access without the authorization header only when accessed from a specific IP address where your other app is running.


If you can't use anything about the network topology of the server to securely identify your 2nd app when it makes a request, then you have to create a secret credential for it and use that credential (akin to an admin password or admin certificate). Or, switch to an architecture where you can use the network topology to identify the 2nd app.

jfriend00
  • I should have mentioned that I'm working with a serverless structure, so there will be some conflicts with both of your strategies – sami_analyst Jun 18 '17 at 14:22
  • @sami_analyst - So, why don't you say what complications you think that would provide rather than just saying "some conflicts". And, next time, please don't leave out of the question an important aspect of your architecture. At this point, I'm unsure if it's even worth it to try to help any further because you aren't helping us help you very well. – jfriend00 Jun 18 '17 at 16:02
  • Obviously it wasn't my intention to leave out important aspects of the architecture. I wrote down what I think are the most important keys to the scenario and what should be enough to get a reasonable understanding of the problem. One of the main reasons is that there is no distinct location of the backend in a serverless architecture (IP); another thing is the gigantic overhead of running another web server in a serverless architecture relating to the maintenance and dev/testing effort. I need a more robust solution that does not interfere with the main architecture – sami_analyst Jun 18 '17 at 16:16
  • @sami_analyst - If you can't use anything about the network topology of the server to securely identify your 2nd app when it makes a request, then you have to create a secret credential for it and use that credential. Or, switch to an architecture where you can use the network topology to identify the 2nd app. There aren't any other ways to go about it. Not sure what you're expecting us to come up with. – jfriend00 Jun 18 '17 at 16:47
  • @sami_analyst - Did this answer your question? – jfriend00 Jun 23 '17 at 23:33

You should make a middleware and use it like this

/* Starting point of the project (e.g. app.js) */

'use strict';
const express = require('express');
const CONFIG = require('./config');
const middleware = require('./middleware');

const app = express();

// Runs before every route, so public and private routes are separated on the first hit
app.use(middleware.testFunction);
require('./route')(app);


/* middleware.js */

'use strict';
const middleware = {
    testFunction: function (req, res, next) {
        /* Write your logic here for when the condition should be true and when
           it should not be, based on req.url. If the user is trying to access
           a public URL, simply let the true branch run; if the person is
           accessing a private part of the routes, check for the additional
           parameters in the header and only then set the condition to true.
           If not, you must send an error message, or a simple message saying
           the caller is not allowed to access the private parts of the
           web application. */
        let condition = false;

        if (condition) {
            next();
        } else {
            res.status(403).send('error');
        }
    }
};

module.exports = middleware;

So by designing a middleware you can basically separate the logic of private and public routes, and the condition on which a route is public or private, into a separate module that will deal with it. It is a little bit difficult to understand, but it is better to filter out public and private routes first than to check later. In this way, on the very first hit we can differentiate the private and public routes.

Sagar