I am building a web in Node that uses data stored in iCloud using CloudKit on a Public Database. To query the data I have created an apiToken and a serverToServerKey. For the first one I have a string but for the server to server authentication I've got a pem file which contains a private key. To configure CloudKit I am doing the following:
CloudKit.configure({
services: {
fetch: fetch
},
containers: [{
containerIdentifier: 'iCloud.com.myName.Container',
environment: "production",
apiTokenAuth: {
apiToken: "XXXXXXXXXXXXXXXXXX",
persist: true
},
serverToServerKeyAuth: {
keyID: serverKey,
privateKeyFile: "./private_key.pem"
}
}]
});
var container = CloudKit.getDefaultContainer();
container.setUpAuth().then(function(userIdentity) {
if(userIdentity) {
publicDB = container.publicCloudDatabase;
console.log("[OK] Logged in...");
resolve(userIdentity)
}
});
This obviously doesn't generate any problems and I can query the container for the data and my web app works without a problem locally.
The previous snippet is located in my index.js file and when I get the data from iCloud y pass it to my HTML file and I render it using EJS.
Now I am moving this to production and I have some questions and problems. As far as I know I cannot move the .pem file to the server because it contains a private key but now it's in the backend so I don't know if it's going to be publicly available.
Is there a possibility of authenticate the users that use my web app with only the apiToken. The users will only have to read data not modify or create so I won't need to identify them.
Am I asking something impossible or anyone has done it? I haven't found any information regarding this. When I try to authenticate the users using the previous code snippet using only the apiTokenAuth and deleting the serverToServerKeyAuth I get an AUTHENTICATION_ERROR.