When presenting my talk to the Sydney Node Ninja’s last week, I was asked a question afterwards on how we implemented our micro-services to only accept requests fronted by our API Manager.
Simply put, we built a middleware for our HAPI instance. Pretty much the same logic can be implemented on Express or similar web frameworks.
The HAPI plugin, HAPI API Secret Key implements the following logic.
- If API secret keys are defined, only allow requests with API keys which match the configuration.
- If no API secret keys are defined, only accept requests from localhost.
- Only routes tagged with “api” will have the above rules applied to them by the middleware.
Knowing that when we push to production, the system is unaccessible unless the API Manager and the micro-service are lined up and synced with the secret keys ensures that our services will be correctly configured by convention.