simple-service-authorizer

1.5.1 • Public • Published

This package is an encapsulated tool that uses JWT for simple validation of communication between internal services/applications, based on a private secret key shared between them and on service names.

This is a simple tool, so it does not provide complete security for service/application communication. Ensure you have a complete approach to securing communication between your services, such as:

  • Always using SSL/TLS for service/application communication (example: HTTPS)
  • Restricting internal services/applications so they communicate only over the internal network
  • Setting an expiration time on generated tokens to avoid replay attacks
  • Keeping the secret key as hidden as possible
  • Rotating/changing the secret key (and updating it in the services/applications that use it) frequently

Usage

The tool is based on two use cases:

  • Generating token for requester service.
  • Validating token on requested service.

Generating token from requester service

import { SimpleServiceTokenGenerator } from "simple-service-authorizer";

const SERVICE_NAME = 'service-a';
const SECRET_SST_KEY = process.env.SECRET_SST; // in this example we are getting from env var

const simpleServiceTokenGenerator = new SimpleServiceTokenGenerator({
    secretWord: SECRET_SST_KEY,
    serviceName: SERVICE_NAME,
});

const token = simpleServiceTokenGenerator.generate(20); // 20 is the token expiration time in seconds, default is 30 (if not defined)

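// now we can request the other service with the token. In this example we will use HTTP

const http = require('http');

const options = {
    hostname: 'internal-service-b.com',
    path: '/get-resources',
    method: 'GET',
    headers: {
        'sst-token': token,
        'sst-service-name': SERVICE_NAME, // the variable itself, not the literal text '${SERVICE_NAME}'
    },
};

// http.request returns a ClientRequest (not a Promise); the response arrives in the callback
const request = http.request(options, (response) => {
    console.log(`Status: ${response.statusCode}`);
});
request.on('error', (error) => console.error(error));
request.end(); // sends the request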

Validating token on requested service.

import { SimpleServiceTokenValidator } from "simple-service-authorizer";

const SECRET_SST_KEY = process.env.SECRET_SST; // in this example we are getting from env var

const simpleServiceTokenValidator = new SimpleServiceTokenValidator({
    secretWord: SECRET_SST_KEY,
    // names of the services allowed to request this service; if left undefined, all service names will be accepted
    allowedServiceNames: ['service-a']
});

// now we can validate the requests' tokens received. In this example we are creating a middleware for Node.js http requests

const serviceRequestValidationMiddleware = (req, res, next) => {
  const requestorServiceName  = req.headers['sst-service-name'];
  const requestorToken        = req.headers['sst-token'];

  // validation method usage
  const isServiceTokenValid = simpleServiceTokenValidator.validate(
    requestorServiceName,
    requestorToken,
  );

  if (!isServiceTokenValid) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Service request not authorized!');
  } else {
    console.log('Middleware: Request accepted!');
    next();
  }
};
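
The mechanism this README relies on (an HMAC-signed token carrying a service name and an expiry, checked against an allow-list), sketched with Node's built-in crypto as an added example. It is not the package's own code: the HS256 algorithm, the `iss`/`exp` claim names and the function names are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Illustrative sketch, NOT the package's internals. Claim names (iss, exp),
// HS256 and all function names are assumptions made for this example.
const b64url = (text: string): string => Buffer.from(text).toString("base64url");
const sign = (input: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(input).digest();

function generateToken(secret: string, serviceName: string, ttlSeconds = 30, now = Date.now()): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims = { iss: serviceName, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = b64url(JSON.stringify(claims));
  const signature = sign(`${header}.${payload}`, secret).toString("base64url");
  return `${header}.${payload}.${signature}`;
}

function validateToken(
  secret: string,
  claimedName: string, // value of the service-name request header
  token: string,
  allowed?: string[],
  now = Date.now(),
): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [header, payload, signature] = parts;
  try {
    // Pin the algorithm: the token must not choose how it is verified.
    if (JSON.parse(Buffer.from(header, "base64url").toString()).alg !== "HS256") return false;
    const expected = sign(`${header}.${payload}`, secret);
    const given = Buffer.from(signature, "base64url");
    // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
    // A short expiry bounds how long a captured token can be replayed.
    if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) return false;
    // The unsigned header value must match the signed name in the token.
    if (claims.iss !== claimedName) return false;
    return allowed === undefined || allowed.includes(claimedName);
  } catch {
    return false; // malformed base64 or JSON is a rejection, not a crash
  }
}

// Constructed sample values for the demonstration.
const SECRET = "constructed-demo-secret";
const T0 = 1700000000000; // fixed clock in milliseconds
const sampleToken = generateToken(SECRET, "service-a", 20, T0);
console.log(validateToken(SECRET, "service-a", sampleToken, ["service-a"], T0 + 5000));
```

Every service holding the shared secret can mint a token for any service name, so the allow-list only separates callers that do not know the secret from those that do.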

Development

Development instructions

License

License: MIT

Stay in touch

For questions or inquiries, please contact Thauã Silveira at thaua@outlook.com.

Install

npm i simple-service-authorizer
