
I have created a Node.js API application using: https://github.com/spoonx/wetland

To secure that API I thought I would assign an API key to every user, but a question stuck in my mind: a malicious user might sometimes get the API key of another user and then use the API as them.

So my question is: how can I secure my API against this kind of attack?

1 Answer


There are multiple ways that you can lock down your API if it is required; bear in mind that the more security you add, the more difficult it generally becomes for the end user to use your API.

IP address locking
You can assign an IP address to each one of your users and store it in the database. In your authentication middleware, once the user has successfully authenticated with their API key, you check their requesting IP using request.connection.remoteAddress. If the IPs match you allow the connection, otherwise you deny it.

JSON Web Tokens
The second thing you can use is JWTs, which are stateless objects that you can use to authenticate your users. It is a more secure way of implementing your API. You can read about it here.

Use HTTPS
Using HTTPS will make sure that no one is able to sniff (MiTM) the API keys and any other information sent with the request. Using HTTPS adds an extra layer of security on top of your app, which makes it harder for a malicious actor to gain access to your API keys.

Bear in mind that all these solutions add more security for your tokens/API keys, but if one of your users goes and exposes their API key, then you will either need to revoke that API key and generate a new one, or delete that one completely.
So I would recommend storing the API keys alongside the users in the database so that you can easily revoke or regenerate API keys for specific users. You should also be keeping logs of your API requests so that you can detect abnormal traffic, or traffic originating from an unknown source, if IP address locking is not implemented.


1 Comment

JSON Web Tokens aren't really a more secure way than API keys; the benefit of them is that they are stateless, you don't need to store anything server side. I'd even say that JSON Web Tokens are less secure, because you can't revoke them.
