Understanding the Security Framework
Last updated
Last updated
When creating new API endpoints in the app/api
folder, use the auth middleware to secure the endpoint. This ensures that only authenticated and authorized users can access the protected resources. By applying the auth middleware consistently across your API endpoints, you maintain a secure and reliable API system.
This documentation provides an overview of the API endpoint for the Todo Demo Example, which showcases authorization and security using the auth middleware in the API.
/api/todo-demo
The /api/todo-demo
endpoint allows authenticated users to create a new todo item. It utilizes the auth middleware to authenticate and authorize the user based on the provided OAuth token.
Authorization
: Bearer token obtained from the authentication process.
The request body should be in JSON format and include the following properties:
title
(string): The title of the todo item.
description
(string): The description of the todo item.
status
(string): The status of the todo item.
Success: If the todo item is successfully created, the API will respond with a 200 OK
status code and the created todo item in the response body.
Unauthorized: If the Authorization
header is missing or the provided token is invalid, the API will respond with a 401 Unauthorized
status code and an error message in the response body.
API Call Limit Exceeded: If the user has reached the maximum number of free API calls, the API will respond with a 429 Too Many Requests
status code and an error message in the response body.
Server Error: If there is an error creating the todo item, the API will respond with a 500 Internal Server Error
status code and an error message in the response body.
The auth middleware is responsible for authenticating and authorizing the user based on the provided OAuth token. It performs the following steps:
Checks if the request is a CORS preflight request and handles it accordingly.
Retrieves the Authorization
header from the request.
Verifies the presence of the Authorization
header. If missing, returns a 401 Unauthorized
response.
Extracts the OAuth token from the Authorization
header.
Sends a request to the user info endpoint (/
api/oauth2/userinfo
) with the OAuth token to retrieve user information.
If the user info response is not successful, returns a 401 Unauthorized
response.
Parses the user info response and returns the user information.
If there is an error fetching the user info, returns a 500 Internal Server Error
response.
The auth middleware ensures that only authenticated and authorized users can access the protected API endpoints.
The API implements usage limits to control the number of free API calls a user can make. The usage limits are defined in the API_USAGE_LIMITS_BY_CLIENT_ID
constant based on the client ID.
Before creating a todo item, the API checks the current API call count for the user. If the count exceeds the maximum limit for the user's client ID, a 429 Too Many Requests
response is returned.
After successfully creating a todo item, the API increments the API call count for the user.
The API includes logging functionality to track API calls. The logApiCalls
function is called after each API request to log the request details, response, and user information.
The API handles errors gracefully and returns appropriate error responses. If there is an error creating a todo item, a 500 Internal Server Error
response is returned with an error message.
The API utilizes Prisma ORM to interact with the database. The prisma
instance is imported from the @/utils/prisma.service
module and is used to create the todo item in the database.
The Todo Demo API endpoint showcases the implementation of authorization and security using the auth middleware in the API. By leveraging the auth middleware, you can ensure that only authenticated and authorized users can access protected resources.
When integrating with ChatGPT, it's important to understand how it handles authorization and sends the necessary headers to your API endpoints.
ChatGPT will include the user's OAuth token in the Authorization
header when making requests to your API. The format of the header will be as follows:
In our API implementation, we have designed the auth middleware to expect and handle this specific format of the Authorization
header. By extracting the token from the header and making a request to the user info endpoint (/api/oauth2/userinfo
), we can retrieve the user's information and perform the necessary authentication and authorization checks.
This approach ensures that only authenticated users with valid tokens can access the protected API resources. It provides a secure and seamless integration between ChatGPT and our API endpoints.