Doubt regarding building an api

I want to know how to make an API that returns an array of objects and each object contains a text and an image.
And I want to know whether I have to add all the text and images manually to the API?
And no one can add the data to the api except me.
Can anyone please tell me how to approach this?
I want to use nodejs, express, mongodb to build this api.

Hi @rishipurwar007. Have you taken the “APIs and microservices” certification yet? It will give you a good introduction to the challenge you are facing.


No, I didn’t take the APIs and microservices certification.
But I created a basic API where I can see data and post data.
Now, I want to know how to secure the API so that only I can post data but all users can only see the data.
Please suggest some resources related to this.

All you need is to protect the route so only you can add data to it. Then you can just add a static array of objects and users can call the API to get the array of text and images.

@IAmRC1 Thanks for your reply.
But I want to know how I protect that POST route?
I am not using authentication in my API.
Please give me some idea how I can protect that route?
Or suggest some resources related to this.

Sure, happy to help. You will have to use auth to protect the API. You need to use JWT for that, so only someone with a token can modify the data.

To generate a JWT token, I need to implement signup and signin routes.
I don’t get your point.
How should I generate the token for me only?
Please give me some more detail if you can.
Do you know any resources related to this?

…I want to know that I have to add all the text and images manually to the API?

They either need to be there or located somewhere else on the web. I also prefer to host my images somewhere (like an AWS bucket or whatever) and then just serve back the URL.

…And no one can add the data to the api except me.

Is that a question or a statement? If you’re the only one with access to the account then you’re the only one that can change it. If you want other people to access it, then you need to give them an account or create some kind of CRM or build it into the API.

Anyone please tell me How to approach this?

As pointed out, the FCC section on this will explain this.

I want to use nodejs, express, mongodb to build this api.

Yup, that’s what FCC teaches. It’s also what I used here for a simple server for my wife’s web site that just serves back data and URLs for images (stored on AWS). I didn’t bother with mongo, instead just storing the data in JSON files - it almost never changes and I didn’t need it to change dynamically so I saw no need for a DB - but the principle is the same.

Hello Kevin,
Thanks for your reply.
You cleared up most of the points but I have a few more doubts.
I already created an API using nodejs, express and mongodb; the only doubt I have is about “no one can add data to it”.

  1. Let’s say I host my API on Heroku and then someone opens Postman and adds data to it. Is this possible?
  2. How much does AWS cost for hosting images?
  1. Unless they have the password to your account, they can’t really add data unless you create endpoints to that API that allow them to do it. You could create a post endpoint that would allow them to add them, but without that, without some major hacking skills, I don’t see how they could.

  2. A few bucks here and there - I’ve never even really noticed - I think I’m still in their trial. You can also look up free image hosting or just keep them on your web host. There are different approaches. A lot of your decisions are going to come down to speed, size, traffic, and security.

I have an endpoint to post the data to the mongodb.
How should I secure that endpoint?

A very simple way to secure the API without adding auth or dealing with sessions is to create your own “secret”.

You can add it to your .env as something like API_TOKEN=super_secret_string

Just pass the secret manually using something like Postman when you’re adding images through your API and make sure your POST endpoint returns a 403 if the secret doesn’t match what’s in your .env. You can guard this with a simple if statement.

This will only work if you expect to create the data through an app like Postman or another client that can make HTTP requests to your API.

Otherwise you’re going to have to learn how to setup auth.


You could alternatively have a separate, private app for doing the POSTing or you could just prompt the user for a password/key that gets sent in with the POST. But your ideas are better, I think.


Hello there,
This is my post route.

router.post('/items', async (req, res) => {
    const {name, image} = req.body;

    if(!name || !image) {
        return res
            .status(422)
            .send({error: 'There is no name and image'});
    }

    try {
        const item = new Item({name, image});
        await item.save();
        res.send(item);
    } catch (error) {
        res.status(422).send({error: error.message});
    }
})

I understand what you have explained but I don’t understand how to send that API_TOKEN from Postman.
I have to send that token like this


If I send data like this, the token will get saved to the DB, which I don’t want.
Is there any other way to do this?
Code after adding the if statement:

router.post('/items', async (req, res) => {
    const {name, image, token} = req.body;

    // Reject the request unless the shared secret matches the one in .env
    if(token !== process.env.API_TOKEN) {
        return res
            .status(403)
            .send({error: 'You are not allowed to add data'});
    }

    if(!name || !image) {
        return res
            .status(422)
            .send({error: 'There is no name and image'});
    }

    try {
        // Only name and image are saved; the token never reaches the DB
        const item = new Item({name, image});
        await item.save();
        res.send(item);
    } catch (error) {
        res.status(422).send({error: error.message});
    }
})

Am I doing it right or not?

This is a little outside my expertise, but that looks like a solution. You’ve passed the key in the body. You could also handle it with something in your headers or authorization. But this will work. Now only POSTs that have that key will succeed. As long as your client facing app doesn’t have that key in it, and you’re the only one that has it, no one can post but you.


I don’t see how the key would be saved to the DB - it looks to me like you are explicitly telling it to save only the name and image.


You’re right.
I am just saving the image and text to the DB, not the key.


If I set my API key under Api key (see the above image), is it visible on the frontend?
I am doing like this now.

router.post('/items', async (req, res) => {
    const {name, image} = req.body;
    const {secret_key} = req.headers;

    // Authenticating the user
    if(secret_key !==  process.env.MY_SECRET_KEY) {
        return res
            .status(403)
            .send({error: 'You are not allowed to add data!😠'});
    }

    // Checking data values
    if(!name || !image) {
        return res
            .status(422)
            .send({error: 'There is no name and image'});
    }

    try {
        const item = new Item({name, image});
        await item.save();
        res.send(item);
    } catch (error) {
        res.status(422).send({error: error.message});
    }
})

Is the above code correct?
Thanks for your help

Yep that’s exactly right!

The token won’t get saved to the DB in this case unless you wrote code to do so.

For what you need this solution is fine.

Normally tokens are passed with an “Authorization” header with a value of Bearer yourtoken. This is what’s called a “Bearer token” which is just terminology from a specification called OAuth2.

You really don’t need to worry about being OAuth2 compliant in your situation so passing it in the body is totally fine.

Another common thing to do is pass tokens as a query parameter. Usually when the request is a GET. For example localhost:8080/items?access_token=yourtoken

Last thing. For testing, obviously the token doesn’t matter. But when you go live it should be a SHA256 hash or better.

Thanks for your help.
I am building an Android app in React Native which requires an API that contains images and text.
So, I already secured the POST route but I have a confusion: do I need to secure the GET route?
If yes, then how?
Because I didn’t understand this part:
Another common thing to do is pass tokens as a query parameter. Usually when the request is a GET. For example localhost:8080/items?access_token=yourtoken
This API is only used by my app.
And second thing: how do I upload an image from my laptop along with the data through Postman?

Oh I didn’t mean that you should secure your GET route. Was only including that as an example of what could be done.

As for how to upload the image it’s done by a special type of request. In Postman you can set the body to be a “form-data”. And then you’ll want to add an “image” field.

On the far left of the field you’ll see a drop down labeled “text”. You’ll want to change that to “file”.

In your backend you need to store that file somewhere on your server in a directory that’s not accessible to the public web. Usually your database just stores the path to where that file lives.