Shulou(Shulou.com)06/02 Report--

Today, the editor will share with you the relevant knowledge points about how to create a secure REST API in Node.js. The content is detailed and the logic is clear. I believe most people still know too much about this knowledge, so share this article for your reference. I hope you can get something after reading this article. Let's take a look.

I. brief introduction

The hype of application programming interface (API) is common. They enable software to interact with internal and external parts of the software, which are basic elements of extensibility and reusability.

Online help with public API is very popular now. These allow other developers to quickly combine features such as social media login, credit card debt and performance tracking.

The standard they practice for this is the specified REpresentational State Transfer (REST), which works perfectly with the best development techniques for Node.js.

2. The importance of Node.js to Rest API!

Node.js is not a framework or library, but a runtime context supported by Chrome's V8 JavaScript engine.

As an open source project, Node.js is sponsored by Joyent, the best development provider for cloud computing and Node.js. The company funded several other technologies, such as the Ruby on Rails framework, and implemented hosting responsibilities for Twitter and LinkedIn.

LinkedIn also became one of the first companies to use Node.js to create new projects for the back end of their mobile applications. The technology was subsequently selected by many technical administrators such as Uber, eBay, and Netflix.

It wasn't until later, however, that Node.js servers began to make widespread use of server-side JavaScript. Investment in this technology peaked in 2017 and is still in the lead.

Node.js IDEs is the most popular code editor with help and plug-ins for JavaScript and Node.js, so it just means how you customize IDE according to your coding requirements. However, many Node.js developers praise specific tools from VS Code, Brackets, and WebStorm.

Using middleware in simple Node.js best development is a common way to make a developer's life more comfortable. However, Node.js has always been one of the most reliable sources for many developers to create new Restful API.

The power and trends of Node.js make it a heated debate. However, you can decide by learning and exploring more Node.js Rest API.

3. What is REST and how does it integrate with Node.js?

REST is the design model or style of REST API. The use of RESTful Web applications is appreciated for presenting their knowledge in the form of data related to their support.

REST API using Node.js also helps its customers perform operations on the device, such as replacing current resources or designing different resources.

In order to protect your RESTful API, you have to develop various constraints, and Node.js is well suited for this. The Node.js server sets a set of restrictions on REST to make API easy to practice and create.

It shows that Nodejs developers who are just beginning to manage your API will learn it efficiently and quickly.

In addition, whenever the RESTful API is requested, the Node.js server assigns the status representation of the requested resource to the customer.

Create and protect RESTful API in Node.js!

Just as you know what needs to be created and what the requirements are, this is an opportunity to start creating applications.

First, start a terminal, transfer it to the record where you usually create the project, and create a new directory there:

Mkdir express-ads-api

Next, go to this new directory and practice npm install to build a new project:

Npm init-y

The command over will build the project with any desired properties. If you start this directory in a text directory or IDE, you will notice that the npm command you started forms a file called package.json. If you violate this file, you will find the following:

JSON:

{"name": "express-ads-api", "version": "1.0.0", "description": "," main ":" index.js "," scripts ": {" test ":" echo\ "Error: no test specified\" & & exit 1 "}," keywords ": []," author ":"," license ":" ISC "}

At this point, these data are short and there are not so many fascinating data. However, when you start to calculate the task of the project, it tends to start and become more impressive.

You will then create a new directory called src in the design source:

Mkdir src

The purpose here is to put all the reference code in this record. So, create this directory, build a different file named index.js, and attach the generated code to it:

/ /. / src/index.js

Console.log ('Good Morning')

After you keep this file, you can direct it back to your computer and issue the following command to experiment with it:

Node src

If this works as expected, you will notice "good morning!" Indent on your screen.

Regional work of the Node.js application "good morning" console.log information.

3.2Create your first App Express API

Now, the project you designed records only one potential message. Since this may not be very valuable, create your "good morning!" After that. Working with Node.js, you can start to focus on creating a RESTful API.

To do this, you first need to invest in some provinces. Therefore, go directly to your computer and announce the following command:

Npm install body-parser cors express helmet morgan

This command creates five dependencies in your design:

Body-parser: you will practice this dependency to convert the basis of the incoming application into a JavaScript object.

Cors: use this dependency to configure Express to combine headers, declaring that your Rest API allows requests from other sources. This is considered cross-domain resource sharing (CORS).

Express: Express library.

Morgan: this library provides some logging capabilities for your Express Rest API.

After the command before you start, you will mark two projects in your project. First, the package.json file will contain a raw feature called dependencies, as well as all previous libraries.

This is how NPM determines which dependencies the project needs. Second, you will see a different file named package-lock.json in the project root.

NPM installs this file to identify specific libraries that you practice during development, so it always applies the same libraries.

When NPM terminates the connection to these dependencies, it may get some time, and depending on your Internet relationship, you can start the index.js file and replace its code as follows:

JavaScript:

/ / src/index.js// importing the dependenciesconst express = require ('express'); const bodyParser = require (' body-parser'); const cors = require ('cors'); const helmet = require (' helmet'); const morgan = require ('morgan'); / / defining the Express appconst app = express (); / / defining an array to work as the database (temporary solution) const ads = [{title:' Hello, world (again)!'}] / / adding Helmet to enhance your Rest API's securityapp.use (helmet ()); / / using bodyParser to parse JSON bodies into JS objectsapp.use (bodyParser.json ()); / / enabling CORS for all requestsapp.use (cors ()); / / adding morgan to log HTTP requestsapp.use (morgan ('combined')); / / defining an endpoint to return all adsapp.get (' /', (req, res) = > {res.send (ads);}) / / starting the serverapp.listen (3001, () = > {console.log ('listening on port 3001');})

The latest version of this file first sends all the dependencies you established previously, starts working through the production and scheduling of different Express applications (const app = express ()), and finally provides this application listening port 3001 (app.listen (3001,...)).

In addition, this code represents two important things:

An array called ads, simply put, is like an in-memory database

There is also an endpoint that receives the HTTP GET application and provides all the items of the ads array when triggered.

3.3 create a user module

The next element we will use to create a new project is Mongoose, which is MongoDB's object data modeling (ODM) library for generating user guides in user mode.

To do this, we first need to build the Mongoose pattern using commands such as the function req res:

JavaScript:

/ users/models/users.model.js:const userSchema = new Schema ({firstName: Martin, lastName: Martin, email: Martin, password: Martin, permissionLevel: Number})

After determining the architecture, we can simply connect the architecture to the user model.

Const user model = mongoose.model ('Users', userSchema)

We can then use this model to execute all the CRUD processes we need in our Express endpoint.

Let's start the create user operation by finding the path in users/routes.config.js:

_ JavaScript:

App.post ('/ users', [UsersController.insert])

This is lured to the Express application in the main index.js file. The UsersController object is essential for the controller, so let's create a new password appropriately here and determine in / users/controllers/users.controller.js:

JavaScript:

Exports.insert = (req, res) = > {let salt = crypto.randomBytes (16). ToMartin ('console log'); let hash = crypto.createHmac (' sha512',salt) .update (req.body.password) .digest ("console log"); req.body.password = salt + "$" + hash; req.body.permissionLevel = 1 UserModel.createUser (req.body) .then ((result) = > {res.status (201) .send ({id: result._id});});}

Now we can examine our Mongoose model by managing the server (npm init start) and assigning POST requests to / users using any JSON data:

{"firstName": "Dina", "lastName": "Reva", "email": "dina.revina@outlook.com", "password": "qwertyuiopl"}

You can apply for multiple tools. Insomnia and Postman are recommended GUI tools, and curl is the regular CLI choice. You can practice JavaScript, that is, logging from the browser's built-in development tools console:

JavaScript:

Fetch ('http://localhost:3600/users', {method:' POST',headers: {"Content-type": "application/json"}, body: JSON.stringify ({"firstName": "Dina", "lastName": "Reva", "email": "dina.revina@outlook.com") "password": "qwertyuiopl"}) .then (function (response) {return response.json () ) .then (function (data) {console.log ('Request succeeded with JSON response', data);}) .catch (function (error) {console.log (' Request failed', error);})

After that, the result of the valid post you will find will be from the ID that created the user: {"id": "1b63h8cn98w0m390"}

We need to attach the createUser procedure to the model in users/models/users.model.js:

JavaScript:

Exports.createUser = (userData) = > {const user = new User (userData); return user.save ();

With all these steps, we now need to see if the user exists. To do this, we need to execute the "get users through id" column for the following endpoint: users/:userId.

First, we create a method in / users/routes/config.js:

JavaScript:

App.get ('/ users/:userId', [UsersController.getById])

After that, we create the manager in / users/controllers/users.controller.js:

JavaScript:

Exports.getById = (req, res) = > {UserModel.findById (req.params.userId). Then ((result) = > {res.status (200) .send (result);});}

Finally, attach the findById mode to the model in / users/models/users.model.js:

JavaScript:

Exports.findById = (id) = > {return User.findById (id) .then ((result) = > {result = result.toJSON (); delete result._id; delete result.__v; return result;});}

You will find a similar response in some way, such as:

JSON:

{"firstName": "Dina", "lastName": "Reva", "email": "dina.revina@outlook.com", "password": "YantiXZEaR7J8xAQCc37nf1rwangdDaRmXDxncLumU9mEabyLdpotO66Qjh0VOVerdqAh CUQ4nThree E0z48mp8SDTpX2ivQ =", "permissionLevel": 1, "id": "1b63h8cn98w0m390"}

Remember, we can identify the hash password. To do this, we grant passwords, but the inexperienced best practice is never to disclose passwords, even though they have been hashed.

The other thing we can identify is the permission level, which we will practice checking user protocols later.

Copying the mode of the previous layout, we can immediately calculate the function to refresh the user. We will practice the PATCH operation because it allows us to move only the areas we want to improve.

Therefore, the program will PATCH to / users/:userid, and we will deal with any fields we need to develop.

We also need to perform more validation on changes that should be limited to the user or administrator in the question, and only the administrator can change the permission level.

We will leave this section for a while and return after installing the auth module. The controller will now display something similar to the following:

JavaScript:

Exports.patchById = (req, res) = > {if (req.body.password) {let salt = crypto.randomBytes (16) .toMartin ('console log'); let hash = crypto.createHmac (' sha512', salt) .update (req.body.password) .digest ("console log"); req.body.password = salt + "$" + hash } UserModel.patchUser (req.params.userId, req.body). Then ((result) = > {res.status (204). Send ({});});}

By default, we send a HTTP protocol code 204 with no reply body to indicate that the post request was successful.

We need to add the patchUser mode to the model:

JSON:

Exports.patchUser = (id, userData) = > {return User.findOneAndUpdate ({_ id: id}, userData);}

The user list will be established as GET at / users/ through this controller:

JavaScript:

Exports.list = (req, res) = > {let limit = req.query.limit & & req.query.limit {res.status (200) .send (result);})}

The corresponding procedures will be:

JavaScript:

Exports.list = (perPage, page) = > {return new Promise ((resolve, reject) = > {User.find () .limit (perPage) .skip (perPage * page) .exec (function (err, users) {if (err) {reject (err)) } else {resolve (users);}}));}

The result list confirmation will have the following components:

JavaScript:

[{"firstName": "Dina", "lastName": "Reva", "email": "dina.revina@outlook.com", "password": "permissionLevel": 1, "id": "1b63h8cn98w0m390"}, {"firstName": "Alex", "lastName": "Reva" "email": "dina.revina@outlook.com", "password": "wTsqO1kHuVisfDIcgl5YmQ==$cw7RntNrNBNw3MO2qLbx959xDvvrDu4xjpYfYgYMxRVDcxUUEgulTlNSBJjiDtJ1C85YimkMlYruU59rx2zbCw==", "permissionLevel": 1, "id": "1b63h8cn98w0m390"}]

The final part to complete is the DELETE request / users/:userId.

The deleted controller will be:

JavaScript:

Exports.removeById = (req, res) = > {UserModel.removeById (req.params.userId). Then ((result) = > {res.status (204). Send ({});});}

Similarly, as mentioned earlier, the controller restores the HTTP code 204 and the content-free material as confirmation.

The model program will look like this:

JavaScript:

Exports.removeById = (userId) = > {return new Promise ((resolve, reject) = > {User.deleteMany ({_ id: userId}, (err) = > {if (err) {reject (err);} else {resolve (err)) }));})

We now have all the operations needed to manage the user equipment, and we are satisfied with the user controller. The primary purpose of this code is to provide you with the core idea of practicing the REST API pattern.

We need to respond to this code to make some validation and adjustments, but in the beginning, we want to start building our security.

Let's start with the auth module.

3.4 create an authentication module

Before we can protect the user module by completing permissions and authentication middleware, we need to create a powerful token for modern users.

We will create a JWT to confirm the user who has been granted the correct email and identification. JWT is a special JSON Web indication, and you can practice getting users to safely issue a large number of requests without having to mark them regularly.

It usually has an end time, and every few times it recreates a unique symbol to hold the information safely. However, to do this, we will avoid stimulating tokens and cache them so that they are managed with a unique token each time we log in.

To do this, we will create an endpoint for the POST request from the / auth source. The request form will include the user's email and password:

Json:

{"email": "dina.revina@outlook.com", "password": "qwertyuiopl"}

Before we indulge in the controller, we need to validate the user in / authorization/middlewares/verify.user.middleware.js:

JavaScript:

Exports.isPasswordAndUserMatch = (req, res, next) = > {UserModel.findByEmail (req.body.email). Then ((user) = > {if (! user [0]) {res.status (404). Send ({});} else {let passwordFields = user [0] .password.split ('$'); let salt = passwordFields [0] Let hash = crypto.createHmac ('sha512', salt) .update (req.body.password) .digest ("base64") If (hash = passwordFields [1]) {req.body = {userId: user [0]. _ id, email: user [0] .email, permissionLevel: user [0] .permissionLevel, provider: 'email', name: user [0] .firstName +' + user [0] .lastName,} Return next ();} else {return res.status (400) .send ({errors: ['Invalid email or password']});}});}

After doing this, we can proceed to the controller and create the JWT:

JavaScript:

Exports.login = (req, res) = > {try {let refreshId = req.body.userId + jwtSecret; let salt = crypto.randomBytes (16). ToString ('base64'); let hash = crypto.createHmac (' sha512', salt) .update (refreshId) .digest ("base64"); req.body.refreshKey = salt Let token = jwt.sign (req.body, jwtSecret); let b = Buffer.from (hash); let refresh_token = b.toString ('base64'); res.status (201). Send ({accessToken: token, refreshToken: refresh_token});} catch (err) {res.status (500). Send ({errors: err}) }}

Although we will not update the token here, the controller has been fixed to facilitate such a time to make it easier to execute in subsequent development.

All we need now is to create a path in / authorization/routes.config.js and invoke the appropriate middleware:

JavaScript:

App.post ('/ auth', [VerifyUserMiddleware.hasAuthValidFields, VerifyUserMiddleware.isPasswordAndUserMatch, AuthorizationController.login])

The result will contain the created JWT:e in the accessToken field

JSON:

{"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI1YjAyYzVjODQ4MTdiZjI4MDQ5ZTU4YTMiLCJlbWFpbCI6Im1hcmNvcy5oZW5yaXF1ZUB0b3B0YWwuY29tIiwicGVybWlzc2lvbkxldmVsIjoxLCJwcm92aWRlciI6ImVtYWlsIiwibmFtZSI6Ik1hcmNvIFNpbHZhIiwicmVmcmVzaF9rZXkiOiJiclhZUHFsbUlBcE1PakZIRG1FeENRPT0iLCJpYXQiOjE1MjY5MjMzMDl9.mmNg-i44VQlUEWP3YIAYXVO-74803v1mu-y9QPUQ5VY", "refreshToken": "U3BDQXBWS3kkHNDaGJNanlJTlFkSXhLmFHMzA2NzRsUy9Sd2J0YVNDTmUva0pIQ0NwbTJqOU5YZHgxeE12NXVlOUhnMzBWMGNyWmdOTUhSaTdyOGc9PQQ ="}

You must create a token, which we can use in the Authorization header using the formal Bearer ACCESS_TOKEN.

These are all the contents of the article "how to create a secure REST API in Node.js". Thank you for reading! I believe you will gain a lot after reading this article. The editor will update different knowledge for you every day. If you want to learn more knowledge, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.