Securing REST APIs with JWT
In this section, you’ll secure the REST endpoints exposed in Chapter 4, Writing Business Logic for APIs. We’ll start from the Chapter 4 code and extend it so that the APIs are protected.
The REST APIs should be protected using the following techniques:
- No secured API should be accessible without a valid JWT.
- A JWT should be issued only at sign-in, at sign-up, or in exchange for a refresh token.
- A JWT and a refresh token should only be provided for a valid username/password combination or a valid user sign-up.
- The password should be stored only as a bcrypt hash (a slow, salted password-hashing function), never in plain text or in a reversible encoding.
- The JWT should be signed with a Rivest-Shamir-Adleman (RSA) key pair using a strong algorithm: the private key signs, the public key verifies, and the server fixes the accepted algorithm instead of trusting the one named in the token header.
RSA
RSA is an algorithm approved by the Federal Information Processing Standards (FIPS) publication FIPS 186 for digital signatures and by NIST Special Publication 800-56B (SP 800-56B) for key establishment.
- Claims in the payload should not store sensitive...
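The following class is an added example that puts the requirements above together in one sign-up/sign-in/refresh/verify flow; it is not the book’s own code. It assumes the nimbus-jose-jwt library for JWT handling and Spring Security’s BCryptPasswordEncoder for password hashing, uses a freshly generated RSA key pair and in-memory maps in place of a database, and the issuer name, user and password are constructed sample values.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not the book's code): JWT issuance and verification meeting the rules listed above. */
public class JwtAuthExample {
    private static final String ISSUER = "modern-api-example"; // assumed issuer name
    private static final long ACCESS_TTL_MILLIS = 15 * 60 * 1000L; // short-lived access token
    private static final long CLOCK_SKEW_MILLIS = 30 * 1000L;

    private final BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(12); // bcrypt cost 12
    private final RSAPrivateKey signingKey;
    private final RSAPublicKey verificationKey;
    // Constructed in-memory stores standing in for database tables.
    private final Map<String, String> passwordHashByUser = new ConcurrentHashMap<>();
    private final Map<String, String> userByRefreshTokenHash = new ConcurrentHashMap<>();

    public JwtAuthExample(KeyPair keyPair) {
        this.signingKey = (RSAPrivateKey) keyPair.getPrivate();
        this.verificationKey = (RSAPublicKey) keyPair.getPublic();
    }

    /** Sign-up: persist only the bcrypt hash, then issue tokens like a successful sign-in. */
    public String[] signUp(String username, String password) throws JOSEException {
        passwordHashByUser.put(username, passwordEncoder.encode(password));
        return new String[] { issueAccessToken(username), issueRefreshToken(username) };
    }

    /** Sign-in: tokens only for a matching username/password; same null for unknown user and wrong password. */
    public String[] signIn(String username, String password) throws JOSEException {
        String storedHash = passwordHashByUser.get(username);
        if (storedHash == null || !passwordEncoder.matches(password, storedHash)) {
            return null;
        }
        return new String[] { issueAccessToken(username), issueRefreshToken(username) };
    }

    /** Refresh: a valid refresh token yields a new JWT and is rotated, so each one is single-use. */
    public String[] refresh(String refreshToken) throws JOSEException {
        String username = userByRefreshTokenHash.remove(sha256(refreshToken));
        return username == null ? null : new String[] { issueAccessToken(username), issueRefreshToken(username) };
    }

    /** Bearer-token check: RS256 pinned, signature valid under our public key, not expired, issuer matches. */
    public String verifyAndGetSubject(String token) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
                return null; // never let the token header pick the algorithm (alg=none / HS256 confusion)
            }
            if (!jwt.verify(new RSASSAVerifier(verificationKey))) {
                return null;
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.getTime() + CLOCK_SKEW_MILLIS < System.currentTimeMillis()) {
                return null;
            }
            return ISSUER.equals(claims.getIssuer()) ? claims.getSubject() : null;
        } catch (ParseException | JOSEException e) {
            return null; // malformed token or verifier mismatch: treat as unauthenticated
        }
    }

    private String issueAccessToken(String username) throws JOSEException {
        long now = System.currentTimeMillis();
        // Only identity and authorization claims: the payload is readable by anyone holding the token.
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(username).issuer(ISSUER)
                .issueTime(new Date(now)).expirationTime(new Date(now + ACCESS_TTL_MILLIS))
                .claim("roles", List.of("USER")).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).build(), claims);
        jwt.sign(new RSASSASigner(signingKey)); // private key signs; verification needs only the public key
        return jwt.serialize();
    }

    private String issueRefreshToken(String username) {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        String refreshToken = Base64.getUrlEncoder().withoutPadding().encodeToString(random);
        userByRefreshTokenHash.put(sha256(refreshToken), username); // store a hash, never the token itself
        return refreshToken;
    }

    private static String sha256(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        JwtAuthExample auth = new JwtAuthExample(generator.generateKeyPair());
        auth.signUp("scott", "tiger-2024"); // constructed sample user
        System.out.println("wrong password rejected: " + (auth.signIn("scott", "wrong") == null));
        String[] tokens = auth.signIn("scott", "tiger-2024");
        System.out.println("subject from JWT: " + auth.verifyAndGetSubject(tokens[0]));
        System.out.println("tampered JWT rejected: " + (auth.verifyAndGetSubject(tokens[0] + "x") == null));
        System.out.println("refresh rotated: " + (auth.refresh(tokens[1]) != null && auth.refresh(tokens[1]) == null));
    }
}
```

Two choices are worth noting. The verifier pins RS256 before calling verify, so a token whose header claims a different algorithm is rejected even if the library would tolerate it; and the refresh token is an opaque random value stored only as a SHA-256 hash and replaced on every use, so a leaked database row or a replayed refresh token does not mint new JWTs.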