I have an architectural question.
Let's say I have a route '/tickets'. I can easily authenticate users that are accessing this route using passport. I can further protect this route via acl.
Now let's say my internal app or a process wants to access this same route. I'm thinking I might only have one option. I have to create a separate user/password with the right role and have my internal app or process make an HTTP call to this route using these separate credentials.
So, is this the right way to access internal APIs?
Any other suggestions that might be useful?
There are lots of different options for routes that are only accessible internally:
For additional security, you can also combine various options which is sometimes useful for preventing internal attacks on your own infrastructure either from a mal-employee or from some other piece of compromised infrastructure on your own private network.
For example, you could combine options 1, 2 and 5. You'd create a separate server port that was not accessible from the public internet and you'd authenticate every request to it with internal-only credentials and you'd only allow access to it from specific internal IP addresses. I'm not saying you have to combine all those, but I'm giving you the idea that these are not all mutually exclusive. My favorite would be to combine 1 and 2.
FYI, if you want to have private access to the same functionality such as /tickets, but with different access, you can use the 2nd server that is only accessible internally (as described in option 1 above) and just have a /tickets route on it that has different access control. The two separate servers can share all the same /tickets implementation (just put the implementation in a function that the two can share) except they would have different route definitions on the two servers that define the authentication required. You could even have the private server set a flag on the request object that indicates to the rest of your code which entry point the route was called from (public or private) so it could branch based on that information.