The purpose and intent of this project is to provide a standardized template for establishing a secure API that will be used to connect to front-end / mobile applications.
All communication to be done over SSL/TLS.
The current plan is to introduce an assertation service to validate the client app. The API will store the client secret for the OAuth service. After validating the client token the API will return a JWT token to use with the client_token for all future calls.
Client > Server*- Authentication requestServer > Client*- Send validation commandClient > Server*- Execute validation command and send the resultServer > Client- Validate, generate and send client_token and code challenge PKCE-S256Client > OAuth2- Validate user & receive auth_code using app-native OAuth SDKClient > Server- Send client_token, auth_codeServer > Client- Verify client_token. Use client-secret, auth_code and code verifier to generate and store the access_token. Generate, store and send JWT token
SCRAM will be used as an alternative to using OAuth2 for the fallback authentication method on step 5.
* = To be replaced with Approov once app popularity reaches a critical point.
npm run build
npm run build-dev
npm run start
- Add app / client assertion endpoint
- Complete OAuth2 validation logic and storage for JWT generation
- Implement REDIS caching for valid JWT keys
- For better scalability, the assertation client should be provisioned into it's own API / service.
- Look at using typesafe-hapi instead of manually creating types