gary-archer/oauth.apisample.serverless

Final Serverless API

Overview

The Serverless OAuth secured Node.js API code sample:

  • The API has a fictional business area of investments, but simply returns hard-coded data
  • The API's lambda functions validate a JWT access token on every request, in a zero-trust manner
  • The API takes finer control over OAuth and claims, to enable the best security with good manageability
  • The API uses JSON request logging and Elasticsearch log aggregation, for measurability

API serves UI Clients

The AWS deployed API runs as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
This enables UI code examples to point to API endpoints that run in the AWS cloud:

Prerequisites

  • Ensure that Node.js 20 or later is installed
  • Integration tests run Wiremock in Docker, so ensure that Docker is installed

Local Development Quick Start

Run this command to build code and then run mocha tests that invoke all lambdas:

./start.sh

The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test driven development, the API instead mocks the Authorization Server.
This enables the API component to be developed and tested in isolation:

Local Lambda Tests

This works well enough to meet my low-cost deployment goals, though these technical limitations exist:

  • The lambdas cannot run as real HTTP endpoints locally and be called concurrently from UIs
  • The lambdas cannot be load tested locally, due to the slow lambda startup times
  • The lambdas cannot use in-memory caching of token signing public keys or extra claims

Further Information

Programming Technologies

  • Node.js and TypeScript are used to implement AWS Lambda Functions

Infrastructure

  • The jose library is used to manage in-memory validation of JWTs
  • AWS Route 53 is used for custom hosting domains
  • AWS Certificate Manager is used to manage and auto renew the API's SSL certificate
  • AWS Cognito is used as the default Authorization Server
  • DynamoDB is used to cache JWKS keys and domain specific claims
  • The AWS API Gateway is used as the HTTPS internet entry point
  • CloudWatch is used for immediate storage of API logs
