MongoDB Stitch REST API - Payload Signature Verification

Question

I am working on a SANDBOX Cluster & a new app created by me in MongoDB Stitch.

I need to understand "Payload Signature Verification" in MongoDB Stitch App. Lets say, I need to make a REST GET API, which will fetch me a list of products, but this API call must be authenticated ie. only registered/authenticated users will be able to make this call. MongoDB Stitch suggests below to do that:

https://docs.mongodb.com/stitch/services/webhook-requests-and-responses/#webhook-verify-payload-signature

But, i need to understand:

(1) Where to add this BODY & SECRET ? As per my knowledge, it must be kept in the stitch app, as you must not expose any of your secret keys in client side javascript.

(2) { "message":"MESSAGE" } is this configurable? if yes, what value should we add here?

This function must be coded in MongoDB Stitch App. That is clear. This function returns "hash" based on the "body" & "secret" you pass in earlier step.

And now, you must pass this hash in your API Request:

Now, the question is:

You can easily see any request which is being passed to server in developer tools, anybody can easily copy it & pass it same through POSTMAN. So:

-> How do i secure my requests? (FYI: I have also added "RULES", saying this request must execute only if the domain name contains lets say, www.mysite.com. But i am able to execute the request successfully from localhost.)

-> If, anybody can copy & paste my request in POSTMAN & run it. SO, what is the use of generating that HASH ?

-> How do i keep my request(s) tokens alive/valid for limited period of time, lets say request is valid only for next 5 minutes ? (i mean how do i do this in Stitch APP ? Where is that Option ?)

-> How do i get the refresh token ? & even if i get it somehow, how do i re-pass it to the request ?

All such queries are UN_ANSWERED in MongoDB Stich Documentation : https://docs.mongodb.com/stitch/

Basically i want to understand the full life-cycle of any GET/POST/PUT/PATCH/DELETE request of MongoDB Stitch App / Stitch REST APIs.

If anybody have used MongoDB Stich, please explain me.

Answer 1

I don't know your specific use-case, though I also had issues with creating an Authenticated HTTP REST API. My idea was: I already have all security rules and schemas defined in Stitch, now I want to access the data over HTTP still using the logic defined in Stitch and not rewriting everything.

I wasn't able to create such API with Stitch functions and Webhooks, though I created an API server in (literally) 1 hour with NodeJS Koa (express or any other framework would do) and Stitch server SDK:

// app.js
const Koa = require('koa')
const app = module.exports = new Koa()

const auth = require('./auth')
const router = require('./router')

app.use(auth())
app.use(router.routes())
app.use(router.allowedMethods())

// listen
if (!module.parent) {
  app.listen(3000)
}

// auth.js
const { loginWithApiKey } = require('./stitch')

function auth () {
  return async function auth (ctx, next) {
    const apiKey = ctx.query.api_key

    try {
      await loginWithApiKey(apiKey)
    } catch (e) {
      ctx.throw(401, 'Not Authorized')
    }

    await next()
  }
}

module.exports = auth

// router.js
const router = require('koa-router')()
const { BSON } = require('mongodb-stitch-server-sdk')

const { db } = require('./stitch')

router.get('/', async (ctx) => {
  ctx.body = { message: 'Nothing to see, but you\'re good!' }
})

const COLLECTIONS_WHITELIST = [
  'activities',
  'expenses',
  'projects',
  'resources'
]

// List
router.get('/:collection', async (ctx) => {
  const collection = ctx.params.collection

  isValidCollection(ctx, collection)

  ctx.body = await db
    .collection(collection)
    .find()
    .toArray()
})

function isValidCollection (ctx, collection) {
  // check if the collection is allowed in the API
  if (!COLLECTIONS_WHITELIST.includes(collection)) {
    ctx.throw(404, `Unknown API entity ${collection}`)
  }
}

module.exports = router

I hope it helps