Local REST API

Stable version 1.0.2 (Compatible with OutSystems 11)
Uploaded on 24 Nov (17 hours ago)
Details
REST API optimised for use on localhost for high performance. Similar to a Service Action, supporting Tenant and User, but allows dynamic URLs to suit optional plugins.

This is intended to allow easier management of plugins within an application, where Service Actions are not possible, because the module may not be present or needs to be switched to another module. It simplifies the process of creating a REST API using a single action in the OnRequest and OnBeforeRequest events that does all of the following:

  1. Allows the module in the API request to be changed dynamically, so http://localhost/MyAPI/rest/Local/Method can be switched to http://localhost/MyOtherAPI/rest/Local/Method
  2. It defaults to overriding the hostname to be http://localhost so the request never leaves the machine, for better performance. This is also validated in the exposed API to reject external requests. If localhost is not allowed (for example, in some cloud environments), you can set the Hostname site property and this will validate that the request is from https://<Hostname>
  3. The TenantId is passed via the API to allow use in multi-tenant scenarios.
  4. The UserId is passed via the API token and can optionally be used to Login. Often this is not required as the UserId is only needed for logging and this reduces the overhead of creating a session.
  5. The Token is secured using a key in the secret site property InternalKey. This makes it hard to break as the key is never exposed. In the case of localhost, it never even leaves the machine. If the Hostname is configured, then because https is enforced, it will be secured during network transit. This is only intended for scenarios where the machine(s) can access the site property. If you are connecting to another server, it is better to use OAuth 2 to allow proper key management.

Security notes:

  1. The module uses GeneratePassword with 16 alphanumeric characters for the InternalKey, making it infeasible to guess, even if the attacker is on the local machine. External attacks are difficult as they would require spoofing of localhost.
  2. You could insert a Sleep action (e.g. 5 seconds) to deter brute force attacks if the key validation fails, but this is probably not necessary.
  3. For an Internet-hosted system using deployment zones, you could limit the deployment of modules using LocaRest so they are not accessible externally, or further protect them with a firewall appliance.
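
A sketch of the receiving-side checks described in the feature list and security notes above, as an added example rather than the component's own logic. The token layout (user id plus an HMAC-SHA256 over tenant and user id, keyed with the InternalKey), checking the origin against the request URL, and all function names are assumptions; the page does not say how the token is built.

```python
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

ALPHANUMERIC = string.ascii_letters + string.digits

def generate_internal_key(length=16):
    """Stand-in for the InternalKey: 16 random alphanumeric characters."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))

def make_token(internal_key, tenant_id, user_id):
    """Assumed token format: '<user_id>.<hex HMAC-SHA256 over tenant and user>'."""
    msg = f"{tenant_id}:{user_id}".encode()
    mac = hmac.new(internal_key.encode(), msg, hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def origin_allowed(request_url, hostname=""):
    """No Hostname set: only http://localhost. Hostname set: only https://<Hostname>."""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if hostname:
        return parts.scheme == "https" and host == hostname.lower()
    return parts.scheme == "http" and host == "localhost"

def validate_request(request_url, tenant_id, token, internal_key, hostname=""):
    """Return the user id carried by a valid token, or None to reject the call."""
    if not origin_allowed(request_url, hostname):
        return None
    user_part = token.partition(".")[0]
    if not (user_part.isascii() and user_part.isdigit()):
        return None
    expected = make_token(internal_key, tenant_id, int(user_part))
    # Constant-time comparison so response timing does not leak the MAC.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return int(user_part)

if __name__ == "__main__":
    # Constructed sample values: tenant 3, user 42, URL taken from the list above.
    key = generate_internal_key()
    tok = make_token(key, tenant_id=3, user_id=42)
    print(validate_request("http://localhost/MyOtherAPI/rest/Local/Method", 3, tok, key))
    print(validate_request("https://localhost/MyOtherAPI/rest/Local/Method", 3, tok, key))
```

Because the tenant id is part of the signed message, a token issued for one tenant is rejected when replayed against another, and the user id can be read for logging without creating a session.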

Icon: icons8.com

Release notes (1.0.2)

Updated key generation.
