0

I have just developed a PERN stack SPA where the app and the server are both hosted on Heroku. The SPA uses Azure authentication (MSAL). Everything works well, and on authentication the user is redirected to our SPA hosted on Heroku.

Now the API which is built is still not secure. Anyone having the endpoints can access and manipulate data in our database. Can anyone guide me, with the current structure, on how I can authorize my server APIs hosted on Heroku with Azure AD credentials?

Example : https://my-first-app.herokuapp.com/getusers

The example API above can be used by anyone to get results. How can I prevent this and only allow users logged in to my SPA to use the APIs?

halfer
Joy

1 Answer

0

To protect your Node API you can use:

For the SPA, keep using MSAL to get access tokens for your API/resource.

halfer
AlfredoRevilla-MSFT
  • Thank you. I have secured my API using passport-azure-ad. Now when I hit the endpoint I get 401 Unauthorized, which is good. That means my APIs are secured. However, I get unauthorized even from my SPA. I have registered the API and exposed it to my SPA. What could be the issue? I am getting the access token from the SPA and then calling my API with fetch. – Joy May 13 '22 at 10:32
  • Can you share the relevant authN/authZ code for both applications? – AlfredoRevilla-MSFT May 13 '22 at 19:13
  • I was able to solve it and get it working from my localhost. When I hosted the code on prod I get the CORS error. Can you please let me know how to solve this? Do I need to add a header Access-Control-Allow-Origin for the code to work in prod? Or do I need to remove [const cors = require("cors"); app.use(cors());] these two lines from my API code? – Joy May 16 '22 at 13:22