Lesson 28. Adding API Security

 

In this lesson, you apply a few security strategies to your API routes. An external application has no browser to store cookies, so it cannot present a session cookie, and your API has no way to verify the user's identity. First, you implement some basic security by requiring an API token that must be appended to each request. Then you improve on that strategy by generating a unique API key for each user when the account is created. Last, you explore JSON Web Tokens (JWT), a standard for signing a set of user claims and exchanging the resulting token, which lets you authenticate user accounts without a browser session.

This lesson covers

  • Adding security-token-verification middleware
  • Creating a pre("save") hook to generate API keys
  • Implementing JWT header authentication

Consider this

You built a robust API for the recipe application. Your endpoints include routes to create new users and update existing users. Because an API endpoint can be reached from any device that can make an HTTP request, anyone can call your API without first creating an account or holding session data on the server, and you have no way to tell who made the request.

Adding some form of security to your API routes helps keep your data from falling into the wrong hands.

28.1. Implementing simple security

28.2. Adding API tokens

28.3. Using JSON web tokens

Summary