Custom authentication strategy
This guide demonstrates how to protect your Feathers app using a custom authentication strategy built around the Unkey for managing and validating API keys. By leveraging Unkey's API key validation system, we can ensure that requests to your Feathers backend are authenticated using time-sensitive, secure keys.
Within the custom API key auth strategy, we'll check if there is a specific header in the request containing a valid API key. If true, we'll successfully authorize the request.
create_key
, read_key
, encrypt_key
and decrypt_key
.Clone the repository
1git clone git@github.com:unrenamed/unkey-feathers2cd unkey-feathers
Install your dependencies
1pnpm install
Create a.env.local
file and add the following:
1UNKEY_ROOT_KEY=your-root-key2UNKEY_API_ID=your-api-id
Start your app
1pnpm compile # Compile TypeScript source2pnpm migrate # Run migrations to set up the database3pnpm start
The server will start and listen on 3030
port.
Create some users before accesing GET
endpoint
1curl -X POST http://localhost:3030/users \2-H "Content-Type: application/json" \3-d '{4 "email": "alice@unkey.com",5 "password": "supersecret"6}'
Validate if you can access /users
and /users/:id
endpoints
1curl -X GET http://localhost:3030/users2curl -X GET http://localhost:3030/users/1
These two are protected. You should NOT be able to access them before authorization.
Authorize using local
strategy, i.e. email + password
1curl -X POST http://localhost:3030/authentication \2-H "Content-Type: application/json" \3-d '{4 "email": "alice@unkey.com",5 "password": "supersecret",6 "strategy": "local"7}'
Validate if you can access /users
and /users/:id
endpoints
1curl -X GET http://localhost:3030/users \2-H "Authorization: Bearer <your-bearer-token>"
1curl -X GET http://localhost:3030/users/:id \2-H "Authorization: Bearer <your-bearer-token>"
The first one still not accessible, because it requires an API key for access.
Create an API key to access routes protected with API key strategy
1curl -X POST http://localhost:3030/keys \2-H "Content-Type: application/json" \3-d '{}'
You will get key
and keyId
in the response object.
Now you can access /users
route with x-api-key
header and valid key
1curl -X GET http://localhost:3030/users \2-H 'Content-Type: application/json' \3-H 'x-api-key: <your-api-key>'