Hands-On Docker for Microservices with Python

Understanding the security layer

As the Thoughts Backend is going to be available externally, we need to implement a security layer. That means we need to identify the user producing the actions and verify their validity. For this service example, we will create a new thought from the logged-in user, and we will retrieve "my thoughts", that is, the thoughts created by the currently logged-in user.

Note that the fact that the user is logged in also validates that the user exists.

This security layer will come in the shape of a header. This header will contain information that is signed by the user backend, verifying its origin. It will take the form of a JSON Web Token (JWT), https://jwt.io/introduction/, which is a standard for this purpose.

The JWT itself is signed by the Users Backend (a standard JWT is signed, not encrypted, so its payload is readable by whoever holds the token), but the information it carries is mostly only relevant for checking which user is logged in.

A JWT is not the only possibility for the token. There are alternatives, such as storing the equivalent data in a session cookie or, in environments with stricter security needs, using similar modules such as PASETO (https://github.com/paragonie/paseto). Be sure that you review the security implications of your system, which are beyond the scope of this book.

This method should be handled by the Users Backend team and be packaged so that the other microservices can use it. For this chapter, we will include the code in this microservice, but we'll see later how to create it so that it belongs to the Users Backend.

If the requests don't have a valid header, the API will return a 401 Unauthorized status code.
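An added example, not the book's code, of how the Thoughts Backend could check such a header and decide when to answer 401. It assumes an HS256 token with a shared secret, the `Bearer` scheme and a payload with `username` and `exp` claims, none of which the chapter states here; the key type the Users Backend really uses is not given on this page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example only; the real Users Backend
# would hold its own signing key (assumption: HS256, not stated in the chapter).
SECRET = b"example-shared-secret"


def _b64url_decode(data: str) -> bytes:
    # JWT uses unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def create_token(username: str, ttl_seconds: int = 3600) -> str:
    """Issuer side (what the Users Backend would do): HS256-sign a small payload."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"username": username, "exp": int(time.time()) + ttl_seconds}
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def user_from_header(authorization: Optional[str]) -> Optional[str]:
    """Return the logged-in username, or None when the request must get a 401."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm we expect instead of trusting whatever the token says
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the signature, then check expiry
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("exp", 0) < time.time():
            return None
        return payload.get("username")
    except (ValueError, AttributeError, TypeError):
        return None
```

In a Flask view, a `None` result is where the handler would stop and return 401 Unauthorized.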

Note that not all API endpoints require authentication. In particular, search does not require the user to be logged in.

With an understanding of how the authentication system is going to work, we can start designing the API interface.