A super lightweight API gateway (825 lines of code) with an inbuilt OAuth2 server that will run in a docker container, authenticate against an LDAP server returning JWT and refresh tokens, then generates routes to proxy from src/config.js to the target URL.
You'll need docker if you don't already have it installed.
Copy .example.env to .env.development and update the passwords for access. Adjust src/config.js to include setting your proxy urls:
# Build and start your server
docker-compose up --buildAPI will be available at localhost:<PORT> for http requests.
Specify your endpoints in src/config.js under the routes object using the correct request method object (get,post,put,delete). Routes will be generated at runtime from this list using the following configuration:
- host: { string } over-rides
hostUrlto specify proxy target host, - path: { string } the target path for the req and res,
- auth: { boolean } set to true to require JWT authentication for the endpoint
The gateway acts as it's own Oauth2 server using a JWT and refresh token for authentication. All auth grant types reside at the /oauth/token endpoint.
Initial authentication should be with the following REST structure
- POST
- Uses req.body:
{ "grant_type": "password", "username": "zz001", "password": "S3cur3", "scope": "openid profile", "client_id": "xxx" } - Headers:
{ "Content-Type": "application/json" }
To return:
{
"access_token": "{{access_token}}",
"token_type": "Bearer",
"expires_in": 31557600,
"refresh_token": "{{refresh_token}}",
"uid": "ZZ001C"
}If the JWT token has expired a refresh grant should be made to the /oauth/token endpoint with a valid refresh_token.
- POST
- Uses req.body:
{ "grant_type": "refresh_token", "refresh_token": "{{refresh_token}}", "client_id": "xxx" } - Headers:
{ "Content-Type": "application/json" }
To return:
{
"access_token": "{{access_token}}",
"token_type": "Bearer",
"expires_in": 31557600,
"refresh_token": "{{refresh_token}}",
"uid": "ZZ001C"
}{
"iss": "http://localhost",
"aud": "https://localhost:5000/v1",
"sub": "ZZ001",
"email": "[email protected]",
"identityContext": "0",
"scopes": "read,write",
"iat": 1557807257,
"exp": 1589364857
}The refresh token isn't dependant on the decoded JWT data, but the Oauth server does validate the token for expiry and authenticity using the secret as an extra layer of security.
{
"sub": "ZZ001",
"iat": 1557807430,
"exp": 1589365030
}App is configured for both http and https and runs http out of the box. To enable https generate (or provide) your https certs - privateKey.pem, certificate.pem, authority.pem (optional) - in the root directory, and set config.protocol: 'https'.
Import the postman file located at ./node_api.postman_collection.json to test the endpoints.