Building a complex app for Contentful using the App Framework doesn’t have to be complicated. Request Verification provides powerful functionality out of the box to further ensure the integrity of your data and app communications.
When you develop an app for Contentful using the App Framework, you are creating a single page application that runs inside an iframe in the Contentful web app. Apps are highly useful for extending the default Contentful experience and implementing your own business solutions. While many apps can be as simple as a button, some apps do more advanced things like modify user input or make network calls to backends which implement custom business logic.
Frontend apps that make network calls sometimes need a way to authenticate themselves with a backend. Authentication can be necessary for securing communication; however, it is hard to implement from scratch. To solve this problem, we’ve created an easy way for developers like you to make secure communication between your frontend and backend possible when working with apps. We call this “Request Verification.”
When a request is verified, the original message’s integrity is secured using a secret you provide. You may have heard of this practice before as “signing a request.” Signed requests are a security mechanism used throughout many software applications. When a request is signed, any backend that knows the signing secret can use it to verify that an incoming request came from your app while being displayed in the Contentful web app. This also means that your backend can reject any request made to it that isn’t verified, or whose signature is invalid.
Request verification has many immediate use cases. For example, backends can allow users to access private information in a secure fashion, restrict who is able to perform certain actions and ensure that only apps you’ve allowed are communicating with your backend.
Looking at an Example
In the code, we see that as we formulate our network request, we can use the SDK method called `signRequest` to create an object which contains all our data and will include additional headers which contain the signature and other useful security data. It is then up to you to ensure your backend properly reads the incoming request and either allows or denies it based on the authenticity of the signature. Let’s take a look at the following example:
Here we are using the popular Node.js framework Express to run a server and listen for data on an endpoint. When we receive an event, we use the node-apps-toolkit function `verifyRequest` to verify the incoming message. Keep in mind that you can accomplish request verification using any backend language that can receive HTTP requests. We have further technical documentation on how a backend app can verify that a request is authentic in any programming language.
Since request verification is usually used in more advanced cases, I am always open to answering questions or hearing about your specific situation. If you want to chat about what you're working on, feel free to ping me on our community Slack where I work with fellow developers as we take steps to make our App Framework more durable for everyone.