Security is a big deal today. With new laws kicking in and cases of security breaches popping up, special care needs to be taken in order to secure our applications and platforms. But before we get into that we need to ask one fundamental question.
What do you mean by Security?
Security has the goal of protecting three main aspects of our system:
- Confidentiality: Making sure our resources are accessible only by authorized users.
- Integrity: Making sure our data doesn’t undergo any unauthorized changes.
- Availability: Making sure our authorized users are never denied access to resources.
Those are some fancy terms. Let’s try breaking it down bit.
In a social media app like Instagram, you don’t want random users reading your direct messages right? Neither do you want your posts displayed to everyone (unless your account is public). Things like direct messages and private posts are confidential information which can be viewed only by authorized users (your followers). That’s the principle of confidentiality right there.
Now imagine a situation where you upload a picture of you with your dog. Not fond of dogs? Let’s go with a cat. Now how would your pet feel when it opens up Instagram and sees a picture of you with someone else?
This can happen if some hater of cute animals modifies the image while it’s being delivered to your pet’s phone!
Maybe you don’t have a pet or your pet doesn’t have it’s own phone. Doesn’t matter. The bigger issue here is that the integrity of your photos just got compromised.
Now lets come to the final piece. You absolutely never want to be denied access to your bank account right? This means, your bank account must always be available for you to access.
This is a particularly tricky scenario.
While you must be able to access your account at the click of a button, it must be completely sealed off for anyone else. Easier said than done.
Where does Space Cloud fit?
Space Cloud is a webserver which provides realtime apis for your database and microservices. In an ideal scenario, all database access and microservice calls will happen via a Space Cloud cluster. This allows Space Cloud to slightly influence resource confidentiality.
Space Cloud provides resource confidentiality by means of fine tuned Authentication and Authorization.
Two words particularly stand out: Authentication and Authorization.
Lets dig into each one of them one by one.
Authentication is a process to verify whether a particular user is who he claims to be.
The most common form of authentication is using a username and password. Anybody who gets the password right can be identified by that username.
Another, more secure form is OAuth. Thats the Sign in with Google or Facebook you get to see in most of the apps out there.
We can go on and on about the various authentication techniques.
The output of authentication is usually a session, cookie or a token of some sort. This token is used in all subsequent requests and is a means to identify the user.
To make sure the integrity of the token is not compromised, Space Cloud uses JSON Web Tokens. JSON Web Tokens are digitally signed JSON objects transmitted along with each request.
Since JWT isn’t encrypted, it’s claims can be viewed by everyone. However, the token automatically gets invalidated if anyone tries to modify its content. Hence it can be used as a source of truth when it comes to identifying entities.
Since Space Cloud relies only on JWT, you can plug in any form of authentication as long as it creates a JSON Web Token.
So what after an user is authenticated? How do we know if a user is allowed to make a request?
This is where the authorization piece kicks in.
Authorization is the act of validating whether a user has the permissions to perform a particular operation.
We can use the tokens obtained earlier as a basis to validate a particular operation.
Pretty straight forward right?
How does it all work?
Space Cloud helps you decide which user is authorized to consume a particular resource by defining a set of security rules in YAML or JSON.
These rules are applied to a request as soon as it hits a Space Cloud instance. The request is executed only if the rules pass.
You authorize a query by:
- Matching the request payload with the claims of the token.
- Querying the database to validate certain conditions.
- Trigger functions in your microservices to implement custom authorization logic.
This mechanism helps us achieve something remarkable.
Space Cloud decouples your business logic from the security layer.
Read it again. Let it settle in.
No more do you need to be careful about security as long as all resources are being access via Space Cloud. The security rules completely takes care of that.
This in turn makes us think about security in a slightly different way.
Business logic can be now modelled as a Access Control problem.
Let’s take an example to see this in action.
Going back to Instagram. A user can view a profile only if its a public one or she is accepted as a follower. This is what we generally view as business logic.
Now to map it as an access control problem, we need to slightly rephrase the sentence.
The profile read operation is authorized if the profile is marked as public, or the caller userId is present in the followers list of the profile.
Let’s see how the security rule for something like this look like:
rule: or clauses: - rule: query db: mongo col: profiles find: userId: args.find.userId # Assuming profiles has field `userId` isPublic: true - rule: query db: mongo col: followers find: userId: args.find.userId followers: args.auth.id
Give it some time and the syntax will grow on you. The docs will help make your life a whole lot easier.
One thing to particularly note is that we have been talking about authentication of users.
What about authentication of my Services?
In distributed systems, we often have microservices which are constantly talking with each other. How do we secure that? We can’t expect each microservice to have a gmail account right?
In this case, a pre generated token is supplied to your services directly effectively skipping the need to authenticate.
The rest of the steps will remain pretty much the same.
So here we just saw how Space Cloud is bringing a shift in the way we secure our apps.
Disagree? That’s completely alright!
You can always write custom code to implement your authorization layer. As I mentioned earlier, Space Cloud lets you write custom code in the form of functions which can perform validation.
Do try Space Cloud out. I would love to know how you are using the security module.
If you like what we are doing, do star us on GitHub. We would love to get you onboard as well! You can start by posting about a bug or suggest improvements. Also, you can join our discord server to get in touch with us directly. Welcome to the new way of writing microservices!