Simple NestJS RESTful API CRUD fullstack application using Pokemon Gen 1 dataset and utilizing Kong API Gateway and Keycloak with OpenID Connect/OAuth 2.0 demonstrating:
- Application, MongoDB containerization in Docker and database seeding.
- Volume mapping and persisting database data in db container.
- Environment variable configuration and validation.
- URI versioning, Swagger configuration and documentation.
- REST API calls invoking CRUD operations.
- Validating API request BODY and PARAMS based on DTO's using pipes.
- Annotating schemas, dto's and controllers.
- Creation and usage of Data Transfer Objects and Mongoose Schemas.
- Mitigating common attack vectors by setting HTTP response headers using Helmet.
- Rate limiting to prevent-brute force attacks, by limiting application to 10 requests within 60 second time period as an example.
- Implementation and usage of open source API gateway proxying traffic to services within Docker network. Kong API Gateway
- Secure the client (Swagger UI), preventing unauthenticated requests to backend API's using Kong, Keycloak and OpenID Connect (OIDC).
NOTE: This personal project was rushed as a learning/upskilling exercise and is not production quality.
- Authorization/Role-based access control to determine what users can do.
- Microservices Architecture
- Docker
- Node v18+ (if running pokemon service locally)
Use docker compose to setup the docker environment for the application and other services. The docker compose file contains all the configurations and commands required to build the application, database and seed the dataset into the db.
# Builds, (re)creates, starts, and attaches to containers for a service in detached mode. Ommit -d if you don't want to run in detached mode.
$ docker compose up -dIf you want to run the application locally in development/watch mode, follow these steps:
# If the containers are already running use this command to stop and remove containers, networks.
$ docker compose down
# Start the mongo database container, it is a prerequisites as the application connects to the database on start up.
$ docker compose up mongo mongo-seed -d
# Start application
# development
$ npm run start
or
# watch mode
$ npm run start:dev
or
# production mode
$ npm run start:prodAfter the docker environment has successfully spun up, configure Keycloak to setup a client.
Configure a client with the appropriate details:
- Access keycloak administration console via
http://localhost:9080/adminand login using usernameadminand passwordadmin. - Create a new realm, by default you are logged into the
masterrealm. From the side menu clickmasterin the dropdown menu and clickCreate Realm. Name itpokemon(lowercase) and setEnabletoOnand clickCreate. - After creating the new realm, Keycloak should switch you into that realm, if not navigate to it from the dropdown menu.
- From the side menu click
Clients-->Create client. Usepokemon-serviceas theClient ID,Pokemon Serviceas theNameand clickNext. - For the Capability config make sure
Client authenticationis OFF so the OIDC client is set to public access type. For theAuthentication Flowwe will enableAuthorization Code FlowandResource Owner Password Credentials Grantto generate tokens for this client. Once done clickNext. - Under
Login settingsuse the configuration below and clickSave.
- Root URL:
http://localhost:8000 - Home URL:
http://localhost:8000/swagger - Valid redirect URIs:
* - Web origins:
*
- After clicking
SaveKeycloak navigates you to theClient detailspage forpokemon-service. - Create a new User inside of the
pokemonrealm. Click onUsersin the side menu and clickAdd user. - Use this configuration (ignore the other fields) and click
Create:
- Username: pokemonuser
- Email verified: Yes
- Keycloak will navigate you to the
User detailspage forpokemonuserafter clickingCreate. Now click onCredentialsandSet password. - Use the password
pokemonuserand set Temporary toOff, clickSaveandSave passwordto confirm.
After these steps are completed proceed to Kong.
Due to using the free version of Kong, we are unable to use their supported OpenID Connect plugin. As an alternative we are using an open source OpenID Connect plugin, which unfortunately is no longer maintained but still usable using a forked project and image.
NOTE: If you choose to use confidential access type instead of public access type for Client Authentication use the Client Secret from Credentials in pokemon-service Client Details for client_secret in config/kong/kong.yaml.
- In the
kong.yamlfile inside of./config/kong, replace<CHANGE_ME>with the IP Address assigned to your network interface.
plugins:
- name: oidc
config:
client_id: 'pokemon-service'
client_secret: '<update if using client authentication confidential access type for OIDC>'
realm: pokemon
introspection_endpoint: 'http://<CHANGE_ME>/realms/pokemon/protocol/openid-connect/token/introspect'
discovery: 'http://<CHANGE_ME>/realms/pokemon/.well-known/openid-configuration'
- Restart the kong api gateway using
docker compose up -d kong-api-gateway. - Proceed to Usage,
After completing the configurations in Keycloak and Kong from the steps above, you can access the exposed Swagger UI from the pokemon-service sitting behind the Kong API Gateway after successful authentication.
Access the Swagger UI via http://localhost:8000/api.