Okay, shall we begin? Shall we begin? Yes, please. Okay. Okay, good evening everybody. All good? Yeah. Okay, I want some sound. Good evening. Good evening. Good evening. Ah, that's good. That's good. Okay, I'm going to talk about how to secure Node.js APIs in a proper way. But the first part of my session is about tokens, so it is valid for any kind of API, and then I will go into the implementation with Node.js. So before going there, how many of you have any experience in JavaScript? Cool. Then it's fine. Okay. So this is me. I'm Chathu, by the way. I'm coming from Sri Lanka, especially for this event. I'm an Auth0 ambassador, which is a startup, not a startup, but a company focused on identity as a service. And I have my own startup, and I am a meetup organizer, and the other organizer is there. So that's me. So before that, just a little bit of background. I think you all know what an API is. An API, in simple terms, is a method of connecting two kinds of systems, a programming interface for two systems to interact with each other, just like this. So that is the basic understanding of an API. So what is a REST API? What is the difference? This keyword came a few years after the publishing of Roy Fielding's doctoral thesis, and it started to capture a wide audience because it runs on top of the HTTP protocol. And now people use it for microservices, serverless, and some other keywords also, but everything is REST. It doesn't have a state defined in there. That's the thing that keeps it going, and it uses HTTP keywords like GET and POST. So the definition in simple terms: it's a set of functionalities that lets developers perform requests and receive responses over the HTTP protocol. So one good example is this. This is actually a public API. This is actually my GitHub profile as a JSON object. So this is open. You can just try it out. So this is a public API. So what about when you have your own private APIs?
So now the security comes in. You need to be able to protect your APIs. If somebody puts a GET request in here, they can get the data. But for your private ones, what are you going to do? So let's go with the traditional way first. How does it work? It started with cookies. So we have cookies on this side and we have the modern token-based side, which I'm going to discuss. So cookies, how do they work? First, when you authenticate your customer or client, you create a session in your database and you pass the session ID to the requesting user. So what is happening is you have your session in a database, on the server side, and you send an ID. So then you can think that for each and every user, you need to have a database record. So when you're going to scale, that's going to be a problem. And the other side is completely different. You send the authentication details, maybe username and password, and it will create a token, which has a signature encrypted from the server side. And the server doesn't have any session details or anything stored on the server. So it is scalable. So if you get back into here, you can see it's going on the same domain. You can see it is going on a subdomain. And for the API, you can use a different endpoint, and you can use it for multiple versions. And it's like cross-domain. You can use cross-domain, but for cookies, I think you know how painful it is when you're going to create cookies for subdomains and cross-domain. And when it comes to CORS, this is vulnerable. And with tokens, no worries. So I think we are clear here. If you have any questions, I can give you about one minute before we go forward. Cool. So I think it comes with token-based authentication. It has a standard also. And people try to get things going on these things. And later, they came up with many standards to implement these tokens. So why it is more important is that these days we have single-page applications. So they are interacting with many APIs.
So we need to have a common backend, which caters for your mobile devices even. Now we have mobile devices, mobile applications. Apart from that, now things are going to NB-IoT and all the IoT devices also. Now each and every device needs to be authenticated to get the services that you provide. So that means your APIs need to support authenticating these kinds of things coming in. So it is getting hard. So that's why tokens came in. When you go into tokens, this is the famous one. It's called JSON Web Tokens. Since this is, as I said, running on top of HTTP, JSON Web Tokens also has implementations for many languages. I will talk about it before going into it. I will get my browser to this side. You can see, yeah. So as you see, we have .NET implementations from multiple sources; this is one from Microsoft and this is from DB. And we also have Python implementations, and this goes on. So that means you don't need to worry about starting off with your APIs. Back to the presentation. So the token is, as you see, this is the token. It's going to be divided by full stops, from here and here. So what is this? It has a header. The first part of this encoded string is the header. The second part, the middle one, is called the payload. That's where we put information like the role or username and the expiration time of this token and the issuer who issued it and the audience. We can put it there. And the signature is the part which we use to validate this token, to verify this token is issued from the server. So if somebody is going to break this token and change it, the thing is the signature is going to be different. So don't worry. So the header says which algorithm the signature is encrypted with. It supports SHA256 and also RSA. And the header has the token type also, which is JWT. And the next part is the payload. So we use the payload to store JSON data. It's like key-value pairs.
We can put private claims, which means our own data which is relevant to the application. Plus there are reserved claims like the issuer and expiration time, like that. And the signature is where we get the encryption of the first part that we call the header and the next part. Then the signature comes. So let's see a real one. So this is a recently generated encoded token. And when you decode it, this is the header and this is the payload which I put. It's my name and there's the issue time also. And if you see, this is the signature. It's just the base64-encoded header plus the base64-encoded payload, and it's going to be encrypted using our secret, which I use as "secret". And it says the signature is now verified. If I change this one... seems my internet is broken. So yes, seems my internet is broken. So sorry for that. So, back to the presentation. So what are the advantages of JWT? It is stateless. This is like REST. So it is stateless. We don't have in the token what the previous page is or what the next page is. It's stateless. The service doesn't keep track of you, the session, and what device is going on. Stateless and scalable. Why is it scalable? Because it has self-contained data in the payload. So you know what the role is and what the things are that you need to have from your application's perspective. So you don't need to check again from the database. Why do you know it is verified? That's the signature. So you know that this data is not tampered with. So you can work on it, and it is decoupled. So you can have a separate authentication server and you can use it to authenticate for multiple resources. If you have a microservice architecture, then you can use this separate server to authenticate every service that you have. So the next thing is, not like cookies, it supports cross-domain. And also it is not vulnerable with CORS. And if you have any information that needs to be encrypted...
As I said, this is not encrypted. You can see the JWT decoded version from any browser. It is open. It is not encrypted. So if you want to put things encrypted, you can use the JSON encryption algorithm. You can use it to secure that also. Or you can use your own algorithm and encrypt that data and put it into the JSON. So what are the use cases of JWT? As I said, you can use it to secure your backend APIs or to secure your server applications, or UI or IoT devices. So yes, this is the newest use case. You can use it to secure your mobile application too. And there are things that need to be remembered if you are going to use JWT. So this is from my experience. JWT is encoded, not encrypted. As I said, it looks like gibberish, but it is encoded, not encrypted. Everybody can decode it and see it. The only thing is... that does not mean that they can modify it. They can decode it and see, but they cannot change it and use it against your server, because the key that you use to encrypt is on your server, and you need to protect it. And don't put sensitive data in there. Like, if you are going to put a password in the payload, don't put it, because as I said, it is not encrypted. So only data that is useful for your application, like the role or maybe the authorized services list, those kinds of things you can put into the payload. And this is JSON Web Encryption. If you want to put encrypted data, just search for JSON Web Encryption and you can put it in the JSON. And only the server is able to encrypt it. So if you want to know more, there is the official repository on JSON... JWT. So you go there and there are all the libraries that are supported for each language. Plus there are some articles to get started. And there is a JWT introduction article also in there. So you can just go there to get more information about this. So let's go over how to implement this on a real server. So this is how it's going to work.
So from your browser, you send a request with your username and password. Then your server creates a JWT, encrypted with your... not encrypted. It puts a signature from your secret and returns that to the browser. Then for each request to secure API endpoints, your browser will put it as the Bearer token in the header. Then the server checks the signature, and if it is valid, the server will return the information that you requested. So if you want to create a JWT, there's a small library for Node.js called jsonwebtoken. So you require it and you just sign your JSON object with it, and the secret is what you put as the secret. And don't use this example; use a secure key. Don't use "secret" or "password" or whatever. Be secure. After that, you need to validate the token on the next request. So you can use, for Node.js, there's one called express-jwt. You just use it, or you can just decode it using the same jsonwebtoken library to verify it. There's a method called verify, and you pass the token with the secret, and you get the decoded values. As I previously put my name there, you can get my name there. So before we go into the code, there are some tips from me to organize your code. So the first one is, if you are going with Node.js, you will find many tutorials that are easy to start with, but they are not good at organizing your code. So this is the way I do it, from my experience, after ruining and messing up a few projects. So this is what I have adopted. So I use a modular architecture. So each request and feature will be divided into modules. Let's take "item". It has a separate folder in modules. It has an item controller in a separate file, and it also has an item model, which is actually integrating with my MongoDB, and routes, my API routes. So if you are planning to use Node.js to create REST APIs, from my point of view, this is actually a good way, but this doesn't mean that this is the only way.
So you can use other architectures like MVC, maybe if you are going to scale a big application. So this is what I am currently using for a fairly scalable application, and apart from that you need to have a config folder where you have all the configuration. So this is a module-based approach, and dividing all the configuration into one file makes it easy to change. Like, if you have a token in the development environment, you may be able to use it with about a one-hour expiration time. So you can make it so that your token will expire within one hour, so you can have more development time, but for real time you need to have it at about five minutes and use a refresh token to generate another token. Don't make very long-lived tokens for customers, and since you are using Node.js, make sure these models and all the routes get auto-loaded. So then it is easy for you. So this is half of my configuration file. As you see, I have a session secret, which is actually put in the process environment, and the expiration time also; it is from the environment, or you can set it in a configuration file, and I also have my database data and seeding data. So let's go into some coding. So what did I code in here? Start with my dependencies first. I will introduce what the dependencies are used for. So since I am talking about how to use best practices in security with Node.js APIs, I am using content-filter, which is actually used against attacks like sending CORS, protecting you against CORS and cross-site requests. Sorry. And I use Helmet to make sure my application is protected against SQL injection attacks. So those kinds of things I am using here, and express-jwt is used to decode the JWT token, and it has a middleware architecture which you can inject into your APIs to check whether the APIs need to be authenticated or not. So if I go to my app. So this is how it handles it. Authentication has a POST request that accepts an email, and it checks whether the email is in the body or not.
It will just send a 401 response, or, if you are able to find this email there, after you find it you can sign a JWT token with the email, and you use the session secret and you set the expiration time. So I am going to give you a demo on this one before moving to the other parts. I hope everybody can see it. So I am sending a request. So it creates a token. So what is the request? It has an email and this has a password. So when I send it to my API endpoint, it will create a token and it sends success: true. If I send a wrong one, let's see. It says unauthorized. So let's get a token to work. So I have another API endpoint created securely to demonstrate it, an endpoint called item. So I get this token, just copy it, and I have the next one. And here, now you need to send it from the header called Authorization, and you need to put "Bearer" plus a space, then the token. So these things easily work in single-page applications and mobile also. That means you can change the headers and send it from your AngularJS application or your Vue.js application or even Ionic; it is supported. So currently I don't have any items put in, so it gets a blank array. So let's move to the code again. So this item route, as you see, sends this kind of thing and it has all the routes set up here. So if you see my index.js file, I use something called express.jwt and it has a middleware called .unless. So what I have done to secure things is I use a whitelist where you can go without tokens. So I define here: it gets the secret and checks that the request is valid, that it has a token and that the token is valid, and if you have this URL, unless these things, it's going to check whether it has a token or not. So I only whitelisted the root URL and the one where you authenticate, and there's a seed one which I use to do the database seed. Apart from that, anything that's coming from the user to this API will be checked for whether it has a token or not.
So we have about 10 minutes and I have some other tips to continue, and we have about 5 minutes until the next talk. Oh, sorry, yeah, yeah, it's fine. Do you want to do Q&A outside in the hallway? Yeah, it's fine. So the last part is... we're on Q&A now. It's fine. So the code that I showed you is available in this repository. So you can access it without any issues. That's all folks. Thank you very much.