Custom Code around Api Calls

Hi, I am new to WeWeb, and trying to see IF or HOW I could do this functionality.

I have a custom REST API which needs all parameters to an API method to be wrapped in a JWT token encoded from the parameters passed to the API, so instead of the parameters themselves only the JWT is sent, the idea being to obfuscate the data being passed to the API. In some API method calls, the results are also encoded into a JWT which must be decoded into the results, again for obfuscation purposes.

I would appreciate some idea on how I could insert code to do this, would it be a custom plugin for my API? What about some kind of wrapper code and defining my API in terms of the JWT parameter?

So for example our API has a method…


POST /api/v1/users/password_reset

Reset the user password - NOTE The Response from this method is encoded using the API secret, and must be decoded

Params

Param name                                  | Required | Description
payload[user]                               | required | Value: Must be a Hash. NOTE: this hash is not passed via HTTP; only the payload[jwt] is passed to the method, which is encoded from these parameters
payload[user][password]                     | required | New password. Value: Must be a String
payload[user][username]                     | required | Username of the user to reset the password. Value: Must be a String
payload[user][forgotten_password_token]     | optional | Value: Must be a String
payload[jwt]                                | required | Value: Must be a JWT encoded from the above parameters

Should we make the WeWeb API call just pass in the jwt parameter, and have some code that receives the details from the WeWeb form, encodes it and calls the API method?

Or is there some way to put some code in the API that does the encoding of parameters and decoding of the results, which then can be stored in a collection or variable.

Thanks in advance for any suggestions

I would still like to know if this can be done in WeWeb, HOWEVER… I thought of a solution which uses a proxy web server, so I would call the proxy server with the un-obfuscated parameters and it would call the API. It's not an ideal situation, and could still allow for MITM attacks, but if done over HTTPS it is less at risk of that happening!

You could use a library but the issue is that to create a JWT you need a signing token, which should be private. I think you should do this via a backend.


Thanks Broberto, yes you are right because WeWeb is client facing, so having a signing token in the client is indeed a security risk.


@mark.ellul I use Node-RED as middleware and Postgres as my database. I use the JWT plugin in WeWeb and run my own JWT flows in Node-RED to basically do anything one can imagine. There is a JWT node for Node-RED that creates a JWT and you can inject into it whatever you need. I only put the basic things in it, as it can be read by anyone, but it is signed in Node-RED. So it's verified and used to authenticate the user before anything else happens. Node-RED is absolutely killer for making custom APIs. Also it's FOSS. Check it out.


Thanks Waz for your answer, I will check it out!