Skip to content

unrenamed/unkey-feathers

BranchesTags

Repository files navigation

Protect your Feathers API with Custom Key Auth Strategy

Overview

This guide demonstrates how to protect your Feathers app using a custom authentication strategy built around the Unkey for managing and validating API keys. By leveraging Unkey's API key validation system, we can ensure that requests to your Feathers backend are authenticated using time-sensitive, secure keys.

Tech Stack

  • Feathers JS: An open source framework for building APIs and real-time applications.
  • Unkey: A service to manage API keys with advanced features like time-bound access, rate limiting, and access control.

Features

  • Secure endpoints with both Local Auth and API Key-based strategies.
  • Integration with Unkey API to validate keys for time-sensitive access.

How it works

Within the custom API key auth strategy, we'll check if there is a specific header in the request containing a valid API key. If true, we'll successfully authorize the request.

Quickstart

Create your first root key

  1. Go to settings.root-keys and click on the "Create New Root Key" button.
  2. Enter a name for the key.
  3. Select the following workspace permissions: create_key, read_key, encrypt_key and decrypt_key.
  4. Click "Create".

Create your first API

  1. Go to apis and click on the "Create New API" button.
  2. Give it a name.
  3. Click "Create".

Set up the example

  1. Clone the repository

    git clone [email protected]:unrenamed/unkey-feathers
cd unkey-feathers

  2. Install your dependencies

    pnpm install

  3. Create a.env.local file and add the following:

    UNKEY_ROOT_KEY=your-root-key
UNKEY_API_ID=your-api-id

  4. Start your app

    pnpm compile # Compile TypeScript source
pnpm migrate # Run migrations to set up the database
pnpm start

    The server will start and listen on 3030 port.

Test the API routes

  1. Create some users before accesing GET endpoint

    curl -X POST http://localhost:3030/users \
-H "Content-Type: application/json" \
-d '{
    "email": "[email protected]",
    "password": "supersecret"
}'

  2. Validate if you can access /users and /users/:id endpoints

    curl -X GET http://localhost:3030/users
curl -X GET http://localhost:3030/users/1

    These two are protected. You should NOT be able to access them before authorization.

  3. Authorize using local strategy, i.e. email + password

    curl -X POST http://localhost:3030/authentication \
-H "Content-Type: application/json" \
-d '{
    "email": "[email protected]",
    "password": "supersecret",
    "strategy": "local"
}'

  4. Validate if you can access /users and /users/:id endpoints

    curl -X GET http://localhost:3030/users \
-H "Authorization: Bearer <your-bearer-token>"
    curl -X GET http://localhost:3030/users/:id \
-H "Authorization: Bearer <your-bearer-token>"

    The first one still not accessible, because it requires an API key for access.

  5. Create an API key to access routes protected with API key strategy

    curl -X POST http://localhost:3030/keys \
-H "Content-Type: application/json" \
-d '{}'

    You will get key and keyId in the response object.

  6. Now you can access /users route with x-api-key header and valid key

    curl -X GET http://localhost:3030/users \
-H 'Content-Type: application/json' \
-H 'x-api-key: <your-api-key>'

About

Unkey template showcasing how to protect your Feathers backend with Unkey API key auth strategy

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages