This package is an encapsulated tool that uses JWT to perform simple validation of communication between internal services/applications, based on a private secret key shared between them plus their service names.
This is a simple tool, so it is not a complete security solution for service/application communication on its own. Ensure you have a complete secure-communication approach between your services, such as:
- Always running service/application communication over SSL/TLS (for example, HTTPS)
- Restricting internal services/applications so that they only communicate over the internal network
- Setting a short expiration time on generated tokens to limit replay attacks
- Keeping the secret key as well hidden as possible (never commit it; inject it at runtime, e.g. via an environment variable or a secrets manager)
- Rotating/changing the secret key frequently (and updating it in every service/application that uses it)
The tool covers two use cases:
- Generating a token on the requester service.
- Validating the token on the requested service.
Token generation on the requester service (here `service-a`):

```javascript
import { SimpleServiceTokenGenerator } from "simple-service-authorizer";
import http from "http";

const SERVICE_NAME = 'service-a';
const SECRET_SST_KEY = process.env.SECRET_SST; // in this example we are getting it from an env var

const simpleServiceTokenGenerator = new SimpleServiceTokenGenerator({
  secretWord: SECRET_SST_KEY,
  serviceName: SERVICE_NAME,
});

// 20 is the token expiration time in seconds; the default is 30 (if not defined)
const token = simpleServiceTokenGenerator.generate(20);

// now we can request the other service with the token. In this example we use Node's http module
const options = {
  hostname: 'internal-service-b.com',
  path: '/get-resources',
  method: 'GET',
  headers: {
    'sst-token': token,
    'sst-service-name': SERVICE_NAME, // must be the same name the validator is configured to accept
  },
};

// http.request is callback-based, so wrap it in a Promise to be able to await the response
const response = await new Promise((resolve, reject) => {
  const req = http.request(options, resolve);
  req.on('error', reject);
  req.end();
});
```
Token validation on the requested service (here `service-b`):

```javascript
import { SimpleServiceTokenValidator } from "simple-service-authorizer";

const SECRET_SST_KEY = process.env.SECRET_SST; // in this example we are getting it from an env var

const simpleServiceTokenValidator = new SimpleServiceTokenValidator({
  secretWord: SECRET_SST_KEY,
  // service names that are allowed to call this service; if left undefined, every service name is accepted
  allowedServiceNames: ['service-a'],
});

// now we can validate the tokens of incoming requests. In this example we create an
// Express/Connect-style middleware (req, res, next) for Node.js HTTP requests
const serviceRequestValidationMiddleware = (req, res, next) => {
  const requestorServiceName = req.headers['sst-service-name'];
  const requestorToken = req.headers['sst-token'];

  // validation method usage
  const isServiceTokenValid = simpleServiceTokenValidator.validate(
    requestorServiceName,
    requestorToken,
  );

  if (!isServiceTokenValid) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Service request not authorized!');
  } else {
    console.log('Middleware: Request accepted!');
    next();
  }
};
```
For questions or inquiries, please contact Thauã Silveira at [email protected].