Securing REST APIs with JWT
In this section, you'll secure the REST endpoints exposed in Chapter 4, Writing Business Logic for APIs. Therefore, we'll use the code from Chapter 4, Writing Business Logic for APIs and enhance it to secure the APIs.
The REST APIs should be protected with the following features:
- No secure API should be accessed without JWT.
- A JWT can be generated using sign-in/sign-up or a refresh token.
- A JWT and a refresh token should only be provided for a valid user's username/password combination or a valid user sign-up.
- The password should be stored in encoded format using a
bcryptstrong hashing function. - The JWT should be signed with RSA (for Rivest, Shamir, Adleman) keys with a strong algorithm.
- Claims in the payload should not store sensitive or secured information. If they do, then these should be encrypted.
- You should be able to authorize API access for certain roles.
We need to include new APIs for the...
