node.js - 节点JS | Heroku | MongoDB地图集| 如何确保只有我的应用可以访问我的后端？(Node JS | Heroku | MongoDB Atlas | How do I make sure only my app can access my backend?)

Question

I've built my backend using MongoDB Atlas, Express, and Node JS and deployed it to Heroku.

(我已经使用MongoDB Atlas，Express和Node JS构建了后端，并将其部署到Heroku。)

Using Postman, the app is operating properly so far (users are getting added and I'm receiving the json web token correctly).

(到目前为止，使用Postman，该应用程序运行正常（正在添加用户，并且我正确接收了json网络令牌）。)

But I'm thinking that this might not be correct because it seems like anyone with access to my Heroku URL and routes can easily create a new user, receive the json web token, and basically operate their entire app using my backend.

(但是我认为这可能是不正确的，因为似乎任何有权访问我的Heroku URL和路由的人都可以轻松创建新用户，接收json网络令牌并基本上使用我的后端来操作他们的整个应用程序。)

My questions are:

(我的问题是：)

1. Am I missing something huge about how I've built my backend?

   (我是否在构建后端方面遗漏了很多东西？)

2. How do I go about securing my backend so that only my apps can access the backend?

   (我该如何保护后端，以便只有我的应用程序才能访问后端？)

  ask by mpc75 translate from so

Answer 1

You can use Passportjs to protect your routes, passport will be your middleman between person accessing the back-end and your actual back-end.

(您可以使用Passportjs保护您的路线，护照是访问后端人员和实际后端之间的中间人。)

You can give access to the routes if a valid JWT is passed ( JWT strategy ) otherwise it will throw 401 (Unauthorized).

(如果传递了有效的JWT（ JWT策略 ），则可以授予对路由的访问权限，否则它将抛出401（未经授权）。)

There are 400+ strategies available, I will recommend JWT one because you are already generating JWT.

(有400多种策略可用，我将推荐一种JWT，因为您已经在生成JWT。)

Protecting backed is integral part because most of scripts can disable security on front-end leaving apps vulnerable to attacks.

(保护受支持是不可或缺的一部分，因为大多数脚本可能会禁用前端的安全性，从而使应用程序容易受到攻击。)