Creating and providing external API with Wappler

sylvainbaron · September 12, 2023, 1:29pm

Hi everybody,
I need to provide APIs to third part partner from my Wappler WebApp.
I looked after third part software (postmann, xano, swagger, insomnia…) But since Wappler already generate JSON APIs it looks easier to use Wappler.

I’ve read across the differents topics and using Wappler as core looks the easiest, quickest way to deliver
(for example this topic: https://community.wappler.io/t/creating-jsonp-api/12663/10)

I need to provide secured access - I don’t want my APIs to be public and I need to autorise endpoints regarding the partner and the common-customer. ie I need APIs keys / token for each APIs user.

How could I manage with it?
ie. what is the best way to set these access? (Permission? users in DB?) I’m a bit lost.
And how should I do precisely to restrict access to server connect and load or insert needed infos / APIs users?

For the moment I need to provide few endpoints to list / collections and 1 insert.
And I only work with 1 partner to connect our 2 apps. For a demo case.
(This will grew up quickly during the next weeks)

Thanks for your answer.
Sylvain

kfawcett · September 12, 2023, 2:41pm

I'm not sure the best way to generate API keys, but you can use regular credentials and add a Security Restrict option on the APIs to keep them from being available publicly. There's an option to define Permissions if you want to limit it to certain users.

Also, I'm guessing you're going to want to provide standard REST method options, so please vote for this feature request. Right now Wappler only supports GET and POST, so you've got to build workarounds to allow for deletes and updates, which isn't following REST standards.

kfawcett · September 12, 2023, 2:46pm

This might be an approach for building a mechanism for API keys.

kkoker · September 12, 2023, 5:22pm

You should not use the Security Restrict to secure your API. This will require the users to always login to your system before making any API calls. I suggest you create a special table to store users’ identity (ID) and their access tokens, which can be generated by the users using the system.

For each request, a unique access_token has to be provided which you can use check if it exists in the system and who such token belongs to. For a more secured access_token, you would have to use some cryptographic algorithms on the token provided by the user using from the server connect and compare with what you have in the system.

sylvainbaron · September 13, 2023, 5:54am

Thanks everybody for your smart answers!
I’ll gonna try both APIs made with wappler and DreamFactory (hosted on Digital Ocean) and see what happens.

TMR · September 13, 2023, 8:26am

If you don’t mind, please report back with your findings …

tbvgl · September 14, 2023, 2:37pm

I’d highly recommend JWTs for that. You can sign it and store something like the user_id and even permissions in there.

TMR · September 14, 2023, 4:20pm

As far as I can see JWTs require a login, if a login has to be used then why not just use the Wappler security provider? Am I missing something?

tbvgl · September 14, 2023, 6:12pm

You can use the JWT to authenticate the user and then log them in via security provider or just use the JWT itself and generate a cookie but that would require your own session system.

A JWT is just great for API token since you can sign it, store info and set an expiration date.

sylvainbaron · September 17, 2023, 9:37am

I will!

_Pratik · March 5, 2024, 5:17am

Dear @tbvgl,

Is there any refrence for this(JWT) ?

TMR · March 5, 2024, 7:22am

You can get more info here: https://jwt.io/

_Pratik · March 5, 2024, 7:23am

Thanks @TMR.