Security

Securing REST APIs created in API Express.

A REST API created in API Express can be invoked only if you know its API key. In some cases an API key alone is not enough, and you will need to add extra security, such as requiring a user login before a particular API can be invoked. Today API Express supports storing user information in the following data sources:

  • Appery.io Database.
  • Social network.

User information will be stored in one of the data sources listed above, and a login will be required before a service can be invoked.

Turning on Security

To turn on security for an API Express project:

  1. Go to Settings.
  2. Check the Secure REST API check box to allow only authenticated users to call REST APIs in this project.
  3. Select the security provider from the list or use your custom security service. If you don't have any security providers listed, the sections below explain the options available and how to select and sign up with a provider.

Appery.io Database

You can use the Appery.io Database for security. When selecting this option, user login information will be stored in the built-in Users collection.

  1. To enable user authentication with the Appery.io Database, go to Resources > Security > Add new security provider.
  2. Select Appery.io Database Security for Provider type.
  3. Then select a database that you have in your account.
  4. Click Save to save the new security provider.
  5. Now go back to the API Express project Settings tab and select the provider you just created. If you don't see the provider on the list, please refresh the page.

When this security option is configured and enabled, only users from the Users collection will be able to invoke APIs from this project. In other words, a session token will be required before an API can be invoked. The session token is added with the X-Appery-Session-Token header parameter.

Authorization Flow

The following shows the authorization flow when using the Appery.io Database:

  1. A user invokes the login method of the API Express and passes his/her username and password.
  2. The API Express invokes the login method of the Appery.io backend (database) and passes the user’s username/password.
  3. If the Appery.io backend doesn’t return the session token, API Express returns the information about the invalid credentials and the user gets the 403 error.
  4. If the Appery.io backend returns the session token, the API Express generates an API Express session token, saves both the API Express session token and the backend session token, and returns the API Express session token to the user.
  5. The user invokes a service of the API Express (for example, find operation) and provides the session token.
  6. If the API Express doesn’t find the session token in the session token storage, API Express returns the information about the invalid session token and the user gets the 403 error.
  7. If the API Express finds the session token in the session token storage, the API Express invokes a backend service (from user database or Appery.io database) with the backend session token, and returns a 200 response to the user.
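The flow above, modelled as an added example (not Appery.io's own code): a gateway that keeps the mapping from API Express session tokens to backend session tokens, rejects unknown tokens with 403, and forwards valid calls with the backend token. The backend user table, the `backend_login` stub and the `find_service` stub are constructed stand-ins.

```python
import secrets

# Constructed stand-in for the Appery.io backend user store (not a real API).
BACKEND_USERS = {"alice": "s3cret"}


def backend_login(username, password):
    """Step 2: backend returns a session token for valid credentials, else None."""
    if BACKEND_USERS.get(username) == password:
        return "backend-" + secrets.token_hex(8)
    return None


def find_service(backend_token):
    """Constructed stand-in for a backend 'find' operation called in step 7."""
    return {"records": [], "backendToken": backend_token}


class ApiExpressGateway:
    """Holds the session token storage described in steps 4, 6 and 7."""

    def __init__(self):
        # API Express session token -> backend session token
        self._sessions = {}

    def login(self, username, password):
        backend_token = backend_login(username, password)
        if backend_token is None:
            # Step 3: backend gave no token, so the caller gets a 403.
            return 403, {"error": "invalid credentials"}
        # Step 4: mint a separate, unguessable API Express token and store both.
        api_token = secrets.token_urlsafe(32)
        self._sessions[api_token] = backend_token
        return 200, {"sessionToken": api_token}

    def invoke(self, headers, service):
        # Step 5: the caller presents the token in X-Appery-Session-Token.
        api_token = headers.get("X-Appery-Session-Token")
        backend_token = self._sessions.get(api_token) if api_token else None
        if backend_token is None:
            # Step 6: unknown or missing token, 403 without touching the backend.
            return 403, {"error": "invalid session token"}
        # Step 7: call the backend with the stored backend token, not the client's.
        return 200, service(backend_token)
```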

Social Network

You can also use a social network (Twitter, Facebook, Google) to perform authentication.

API Express cloud version

Social network authentication is supported in API Express cloud version only.

The following shows the authorization flow when using a social network:

  1. A user invokes the JavaScript login method of a social network (for example, loginFB for Facebook) and gets the backend session token.
  2. The user invokes the set SessionToken method of the API Express Client SDK (required when using the Client SDK).
  3. The user invokes a service of the API Express (for example, find operation), and provides the session token.
  4. If the API Express doesn’t find the session token in the session token storage, API Express starts searching for the session token in the Appery.io backend.
  5. If the token isn’t found, API Express returns information about the invalid session token and the user gets the 403 error.
  6. If the token is found, API Express saves it in the session token storage and invokes backend service with the backend session token to return the 200 response to the user.