Forem: honest will The latest articles on Forem by honest will (@honest_will). https://forem.com/honest_will https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2354850%2F4e3771f2-35e7-45da-bfd5-814d8a9926ca.png Forem: honest will https://forem.com/honest_will en How to quickly add API Key validation to a Node Express API honest will Tue, 05 Nov 2024 16:21:23 +0000 https://forem.com/honest_will/how-to-quickly-add-api-key-validation-to-a-node-express-api-gkn https://forem.com/honest_will/how-to-quickly-add-api-key-validation-to-a-node-express-api-gkn <p>In this example, we’ll create a simple middleware for Express using the excellent AuthAPI's key manager. The middleware will check every incoming request to ensure it has a valid API key.</p> <p>First, head over to <a href="https://theauthapi.com/" rel="noopener noreferrer">theauthapi</a> to create your free account. </p> <blockquote> <p>A short message from the <strong>BBC</strong> - "Other key managers are available".</p> </blockquote> <p>In the AuthAPI dashboard, create a new project and an access token. Copy and store the project ID and access token somewhere secure and safe (don't commit to git!). </p> <p>Let's generate a test API key using a CURL command. Copy this command and paste it into your favourite Terminal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="s1">'https://api.theauthapi.com/api-keys/'</span> <span class="nt">--header</span> <span class="s1">'x-api-key: [YOUR ACCCESS TOKEN]'</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/json'</span> <span class="nt">--data-raw</span> <span class="s1">'{ "name": "Name your key!", "projectId": "[YOUR PROJECT ID]" }'</span> </code></pre> </div> <p>Now you can just switch over to your favourite code editor.</p> <p>If you have Node installed and some experience with Express, you can just run this command in a new project folder. If you need a good starter on Node+Express, watch this thorough video from <a href="https://youtu.be/Oe421EPjeBE?si=dTSn704wdHBUEEnd&amp;t=17282" rel="noopener noreferrer">free code camp</a>.<br> </p> <p><code>npm i theauthapi express --save</code><br> </p> <p>Now, create your server's app file; let's call it <code>index.js</code> for this example.</p> <p>The following code checks the request for the header <code>x-api-key</code>, then validates it with theauthapi service. We're using <a href="https://expressjs.com/en/guide/using-middleware.html" rel="noopener noreferrer">Express's handy middleware override method</a> <code>app.use</code>. You can explicitly name your override if you are using more than one in your app.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">TheAuthAPI</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">theauthapi</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">theAuthAPI</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">TheAuthAPI</span><span class="p">.</span><span class="k">default</span><span class="p">(</span><span class="dl">"</span><span class="s2">${accessKey}</span><span class="dl">"</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">x-api-key</span><span class="dl">"</span><span class="p">])</span> <span class="p">{</span> <span class="nx">theAuthAPI</span><span class="p">.</span><span class="nx">apiKeys</span> <span class="p">.</span><span class="nf">authenticateKey</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">x-api-key</span><span class="dl">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">then</span><span class="p">((</span><span class="nx">key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">key</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Invalid API key</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">key</span> <span class="o">=</span> <span class="nx">key</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No API key, be sure to set it as the 'x-api-key' header</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">key</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> </code></pre> </div> <p>To start your server, run the command:<br> </p> <p><code>node index.js</code><br> </p> <p>The server will be up and running unless you get any error messages.</p> <p>Now, you're ready to test your first validated request.</p> <h4> Testing some invalid requests </h4> <p>Let's test the app without a valid key to check the results:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="s1">'localhost:3200'</span> </code></pre> </div> <p>Let's try to send a request with an invalid key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="s1">'localhost:3200'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'x-api-key:madeupkeynametest'</span> </code></pre> </div> <h4> Finally, let's validate a real key! </h4> <p>Copy the API key generated in the first example and replace it in the command below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--location</span> <span class="s1">'localhost:3200'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'x-api-key:[COPIED API KEY]'</span> </code></pre> </div> <p>How did you get on? Feel free to drop me a comment if you have a question.</p> <h5> Side notes </h5> <ul> <li>I prefer to use Postman to run requests for my localhost. But there are plenty of alternatives in the market, e.g. Insomnia, Hoppscotch, HTTPie, and Paw. </li> <li>This is a straightforward example of how to add API key validation to your request. Go deeper; you can add rate limiting and expiries to keys very quickly. Check out what the AuthAPI can do.</li> </ul> api express middleware apikeys