Securely integrate Node.js with 3rd-party API

Jenna Vuong

Published Oct 20, 2016

There comes a point as developers we may look back at past projects and feel a stinge of embarrassment from the code we've written. It's a learning process and an iterative one. Each project I finish teaches me new things, and leads me to build better future projects. One thing I noticed that I did wrong in some of my earliest work was not storing environment variables properly in my local environment. Let me expand on this a bit more.

Let's say for example you need to build a client to integrate with a 3rd party API such as Twitter.

To do this, you would need to first go to Twitter Apps to create a new app.

Click 'Create New App':

Once created, click on 'Manage Keys and Access Tokens'.

We will try to integrate to Twitter using user-based authentication, so let's briefly go over what the required keys and tokens mean:

Consumer Key (API Key) - It is ok for this to be public.
Consumer Secret (API Secret) - This must be kept private.
Access Token - This access token is used to make API requests on your own account's behalf. The reason you have a separate access token from the API key is because you might want to access the Twitter API from a number of different places e.g., from another app, your website, etc. You'll want a different access token for each of these setups.
Access Token Secret - This must be kept private.

Notice both 'Consumer Secret' and 'Access Token Secret' must be kept private. These keys should never be human-readable in your application. Anyone who has access to these keys will have access to everything.

The mistake we made was making these keys available and human-readable in a public repository, sometimes in a constants variable or simply in a separate file. This is a violation of the twelve-factor app, a methodology for building web apps.

API access keys are part of an app's config and is everything that is likely to vary between different deploys (staging, production, developer environments, etc). The twelve-factor methodology requires strict separation of config from code. If you get a chance, the twelve-factor app discusses all the best practices for properly scaling a web app and is well worth the read.

So what should you do, you ask?

First, create and store all your access keys in a separate .env file, in your root directory:

Then add .env to your .gitignore file:

This is so your keys won't be checked in and will be kept private in your local environment.

Next, download the 'dotenv' npm package:

npm install dotenv --save

Require and configure 'dotenv' in your server.js:

import DotEnv from 'dotenv'

DotEnv.config()

That's it. process.env now has the keys and values you defined in your .envfile. You may now use those private keys for network requests without sacrificing your private credentials. Keep in mind you'll also have to configure and store the same keys in each environment you deploy to.

client.get(api_twitter_url, params, function(error, tweets, resp) {
    if (error) { console.log('error: ', error) }
    if (!error) {
        res.send(tweets);
    }
});

Securely integrate Node.js with 3rd-party API

Jenna Vuong

More articles by Jenna Vuong

Others also viewed

How to integrate the Mpesa STK push API in Nodejs. Lipa na Mpesa STK push Nodejs (Mpesa Express)

Research on the Effectiveness of DevRel.

All you need to know about NodeJS

React Native 0.83, Prebuilt Artefacts, and a React 19 Security Hole Big Enough to Drive an App Clip Through

How to Create a Twitter Bot with Node.js

Laravel Events and Listeners

Apple’s Swift Will Dominate Cloud Services in 5 Years

Laravel Is Eating the Backend World — And We’re All In

Upload file to Google Drive in Nodejs

Socket IO with NodeJS — with a complete example

Explore content categories