In this part we will explore the Quotes API code and configuration.
The Quotes API is new, but it follows the same pattern as the Episodes API. The API resides in `ex-11/got-quote-api`.
Only significant changes will be mentioned.
Steps:
- App config (`./lib/app-config.js`)
- The App
  - A new controller for quotes, exposing `/api/quote`. It returns a random quote if the request is validated.
  - Exposes `/` and `/doc` (Swagger)
- `auth.js`
  - `authVerify` does the JWT token validation
  - Validates the `appid` of the calling API (new for Quotes)
  - Note the potential error: the `appid` claim vs. `EPISODES_API_URI` (the Client ID and the Application ID URI default to the same value, but they do not have to be)
- Examine the steps above and identify the changes to the config
- Investigate the code and follow the flow for the quotes route, validator, controller and authorization validation
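The `appid` pitfall noted above, as an added example (not the course's `auth.js`): the claim checks that run after the JWT signature has already been verified by the JWT library. The `appid` claim carries the caller's client ID, so the check must compare it with `EPISODES_API_CLIENT_ID`; comparing it with the Application ID URI rejects every caller. The config object and the decoded token payload are constructed for the example, and the assumptions are a v1 access token (`appid`, `tid`, `scp`) with this API's Application ID URI as audience.

```javascript
// Constructed config, mirroring the .env keys used in this exercise.
const config = {
  tenantId: '11111111-1111-1111-1111-111111111111',
  quotesApiUri: 'api://quotes-api',                            // our own Application ID URI (expected aud)
  episodesApiUri: 'api://episodes-api',                        // caller's Application ID URI
  episodesApiClientId: '22222222-2222-2222-2222-222222222222', // caller's client ID (expected appid)
};

// Validate the decoded payload of an already signature-verified token.
// Returns { ok: true } or { ok: false, reason }.
function validateClaims(payload, cfg, now = Math.floor(Date.now() / 1000)) {
  if (payload.exp !== undefined && payload.exp <= now) return { ok: false, reason: 'expired' };
  if (payload.tid !== cfg.tenantId) return { ok: false, reason: 'wrong tenant' };
  // The token must be issued for this API, not for some other API in the tenant.
  if (payload.aud !== cfg.quotesApiUri) return { ok: false, reason: 'wrong audience' };
  // The caller must have been granted the Quote.Read scope exposed by this API.
  const scopes = (payload.scp || '').split(' ');
  if (!scopes.includes('Quote.Read')) return { ok: false, reason: 'missing scope' };
  // appid is the calling app's client ID, so compare with the client ID.
  if (payload.appid !== cfg.episodesApiClientId) return { ok: false, reason: 'unknown caller' };
  return { ok: true };
}

// The mistake the notes warn about: comparing appid with the Application ID URI.
// Unless the two happen to be identical, every caller is rejected.
function validateCallerWithUriBug(payload, cfg) {
  if (payload.appid !== cfg.episodesApiUri) return { ok: false, reason: 'unknown caller' };
  return { ok: true };
}

// Constructed payload as the Episodes API would present it to the Quotes API.
const samplePayload = {
  tid: config.tenantId,
  aud: config.quotesApiUri,
  scp: 'Quote.Read',
  appid: config.episodesApiClientId,
  exp: 4102444800, // constructed far-future expiry
};

console.log(validateClaims(samplePayload, config));          // { ok: true }
console.log(validateCallerWithUriBug(samplePayload, config)); // { ok: false, reason: 'unknown caller' }
```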
We need to create a new Microsoft Entra ID App Registration for the Quotes API.
Using the procedure from exercise 10, create a new app registration. The important values are:
- Name: (initial)-appsec-course-quotes-api
- Expose an API and add the scope: Quote.Read
- Give the Episodes API permission to use the Quote.Read scope
- Do the steps above and create the new app registration.
- Create a new .env file for the Quotes API and open it in your editor:
  `code $HOME/envs/appsec-course-api-quotes-eq.env`
- Add the following config and update the values:
  ```
  export NODE_ENV=development
  export TENANT_ID=""
  export PORT=3200
  export QUOTES_API_URI=""
  export EPISODES_API_URI=""
  export EPISODES_API_CLIENT_ID=""
  ```
- Do the steps above and create the new .env file.
Steps:
(Assuming you are in a terminal window at `./ex-11/got-quote-api`)
- cd into `./ex-11/got-quote-api`:
  `cd ./ex-11/got-quote-api`
- Install dependencies and execute tests
- Source the configuration file:
  `source $HOME/envs/appsec-course-api-quotes-eq.env`
- Run the application:
  `npm start`
- Verify that the Quotes API is running in your browser
- Do the steps above and verify that the API is running