Secure your middleware with JWT
Building secure and reliable apps
Although the Freshworks developer platform is packed with features that make middleware unnecessary, there are certain situations in which a middleware cannot be avoided. For example, you may be building an app that integrates with a product that only supports OAuth 1.0. In this scenario, a middleware is required to act as a mediator between our platform and the third party product, to enable authentication and to store the access tokens.
When using a middleware, due care must be taken to ensure that it is built to be secure and scalable. During app reviews, we come across many apps using unsecured middleware that accept requests without any form of authentication. The middleware is thereby exposed and vulnerable. It is possible for a malicious third party to interact with the middleware and flood it with requests (eg: Denial-of-Service). The app then becomes unreliable and this risks spoiling the user experience of the app. It is also possible for someone to impersonate an authentic user, compromising data privacy and security.
One of the easiest ways to secure your middleware is to use JWT. In this post, we will understand how JWT works and go over how to use it.
What is JWT?
JSON Web Token (JWT) is a JSON-based industry standard (RFC 7519) method for representing claims securely between two parties.
JWT is used as a means of authentication between systems. JWT is a text string that contains three parts — header, payload, and signature where the signature is a hash based on a secret.
header.payload.<HASH>(header.payload, secret)Tokens are typically short-lived for added security and must be refreshed on expiry.
Using JWT
There are two ways you can use JWT in an app:
- The app sends identifying credentials to the middleware and gets back a JWT with appropriate permissions. The app then uses the JWT in every request to the middleware that verifies the token and passes the request.
- The app and the middleware have a common secret for generating and verifying the JWT. The app generates a token and sends it in every request to the middleware. The middleware verifies the token and responds to the request.
The first approach gives the middleware complete control over what resources the token can access, while the second approach uses a single token for accessing all resources. For a middleware that doesn’t need to enforce specific permission levels over resources, the second approach is recommended since it is simpler to implement. We will cover the first approach in a later post. This post will explore the second approach in detail.
Note: We will use the NPM jsonwebtoken library to generate and verify tokens.
App — Generating the token
The following is a simple function that generates a JWT using a secret key. The token is then used in the authentication headers to make valid requests to the middleware.
In a Freshworks app, you would include the JWT generation in server.js and this serverless function could be called during any event (app setup, product, external) or from the front-end using Server Method Invocation. Ensure that the jsonwebtoken package is included in the dependencies section of the manifest.json file. It is recommended that the token is not generated in the front-end as that would expose the secret to end-users.
Middleware — Verifying the token
The following is a simple authentication function in nodeJS to verify JWT using the same secret key as the app.
If the JWT verification doesn’t pass, the middleware rejects the request. Therefore, the requests that hit the middleware are authenticated to avoid security breaches, even possibly a DDoS attack.
Check out our Sample JWT app that implements this technique.
At Freshworks, we invest a lot of time and energy to keep the developer platform and apps as secure as possible. When you use a middleware, we encourage you to ensure there is proper authentication to secure the middleware and the experience of the user is seamless and safe.
Please reach out to us at marketplace@freshworks.com if you have any questions or suggestions.
