Securing CloudCode Web tasks

I am building an API endpoint for a custom integration with a client’s middleware, allowing them to post a payload that can then generate data for end users to work with.

The customer requires an authentication scheme similar to OAuth, e.g. an expiring token system, rather than using static tokens for authentication.

Is there a guide or best practice for implementing this type of endpoint security within CloudCode, or has anyone done something similar?

Hey Jason,

One suggestion would be to look at using JWTs to manage access to your API endpoints.

I found this guide provides a great walkthrough of how to set up a NodeJS Express application that is secured using JWTs. Now, the Express routes defined in the guide can be swapped out with CloudCode WebTasks.

Some of the highlights of the guide are the following:

  1. The jsonwebtoken NPM package is used to sign and verify the JWTs.
  2. There are a few endpoints exposed to generate/fetch JWTs, e.g. /user/generateToken. My suggestion would be to secure your token generation endpoint with a secret defined for each client application that intends to use the APIs you’re building, then secure the other endpoints using the JWTs. The JWT payload could contain additional permissions and access grants.

With regard to the expiration topic, you’d want to include an exp field within the payload of the JWT that stores the expiration date and then verify the exp value for each request. The client application would need to handle the refreshing of the JWTs once expired.