Recently I changed my job. My new company(Piethis.com) is a recently created start-up and I'm the first engineer. My first mission is to design the initial architecture and start its implementation.
We split the app in two parts, backend and client. The backend is a restful API written in Node.js. The client is not sure yet, but most probably will be an Angular.js app. Eventually we'll have mobile applications and probably some other apps (more like the standard rails apps) accessing that API.
We need different permissions for each client of the API. For example, the browser client probably won't have permission to register users, they will follow a different workflow that is not clear yet, but it's just an example.
Our approach to secure the API is signing the requests with some secret word, different for each client app.
All requests will have to send three headers to the API, X-Pie-App
, X-Pie-Time
and X-Pie-Signature
.
The X-Pie-App
is the application identifier, for example browser-app
could be the app ID for the Angular.js client app.
The X-Pie-Time
is the current time in seconds. This is used to expire requests, a signed request is only valid for some minutes.
The X-Pie-Signature
is the signature. To generate the signature the client will have to generate string like <app><time><url><rawBody>
and encrypt it using HMAC-SHA1. The secret for the HMAC is unique for the application.
Benefits of this approach:
I'm happy with this approach, it gives a lot of security to protect some restricted actions. The only problem is the development workflow, sending requests to the API is complicated, I had to create a script that generates http requests (using httpie) with the three headers.
Also I couldn't find any good way to implement this signature process using Angular.js resources. For now we're using this hack but I don't like it.