Friday, May 4, 2018

Security Mechanisms in the API

Hello Everyone,

In this post I will talk about the security mechanisms followed during the API production.

Advanced Encryption Standard (AES) is used in this API to protect the customers' sensitive data. Here, I have used AES to encrypt the user login details so that no third-party intruder can access that information. For that purpose, I have created a separate helper file for encrypting data.

    import java.nio.charset.StandardCharsets;
    import java.security.Key;
    import java.util.Base64;
    import javax.crypto.Cipher;

    // ALG and generateKey() belong to AESEncryption.java and are not shown in the post.
    // Note: a bare "AES" transformation defaults to ECB mode, which is deterministic and unauthenticated.
    public static String encrypt(String data) throws Exception {
        Key key = generateKey();
        Cipher cipher = Cipher.getInstance(ALG);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encryptValue = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));
        // java.util.Base64 replaces the non-public sun.misc.BASE64Encoder
        return Base64.getEncoder().encodeToString(encryptValue);
    }

As this is an online system, it needs a proper mechanism to protect the customers' credit card details, as that information is the most important of all. For that purpose, I have reused the same AESEncryption.java class, which provides both encryption and decryption, applying service reusability.

    public static String decrypt(String data) throws Exception {
        Key key = generateKey();
        Cipher cipher = Cipher.getInstance(ALG);
        cipher.init(Cipher.DECRYPT_MODE, key);
        // java.util.Base64 replaces the non-public sun.misc.BASE64Decoder
        byte[] decodedValue = Base64.getDecoder().decode(data);
        byte[] value = cipher.doFinal(decodedValue);
        return new String(value, StandardCharsets.UTF_8);
    }

Finally, the encrypted credit card details are validated against the decrypted credit card details to ensure that no intruder has changed the information, providing secure transactions.

String cardNumber = aesEncryption.encrypt(creditCardNumber);
String cvc = aesEncryption.encrypt(String.valueOf(cvcNumber));
String name = aesEncryption.encrypt(holderName);
// Decrypt the ciphertexts just produced and compare them with the original values
List<String> getcreditCardDetails = bankService.decryptData(cardNumber, cvc, name);
// String contents must be compared with equals(); == only tests object identity
if (getcreditCardDetails.get(0).equals(creditCardNumber)
        && getcreditCardDetails.get(1).equals(String.valueOf(cvcNumber))
        && getcreditCardDetails.get(2).equals(holderName)) {
    return true;
}
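The helper above leaves the cipher mode to the JDK default: Cipher.getInstance("AES") resolves to AES/ECB/PKCS5Padding, which encrypts equal inputs to equal outputs and does nothing to detect a modified ciphertext, so the round-trip comparison is the only integrity check. The following is an added example, not the blog's AESEncryption.java, showing the same encrypt/decrypt/validate flow with AES-GCM, where the cipher itself rejects tampered data. The class name AesGcmHelper, the in-memory key from KeyGenerator and the sample card values are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper (not the blog's AESEncryption.java): AES-256-GCM with a fresh random IV per message.
public final class AesGcmHelper {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM IV length
    private static final int TAG_BITS = 128;  // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public AesGcmHelper(SecretKey key) {
        this.key = key;
    }

    // In production the key comes from a keystore or KMS; generating one here keeps the example self-contained.
    public static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: base64( IV || ciphertext || tag ). The IV need not be secret, only unique per key.
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // doFinal throws AEADBadTagException if the IV, ciphertext or tag were modified,
    // so integrity is verified by the cipher before any plaintext is returned.
    public String decrypt(String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Round-trip check like the blog's card-detail validation, using a constant-time comparison.
    public boolean roundTripMatches(String original) throws Exception {
        String recovered = decrypt(encrypt(original));
        return MessageDigest.isEqual(recovered.getBytes(StandardCharsets.UTF_8),
                                     original.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        AesGcmHelper helper = new AesGcmHelper(newKey());
        // Constructed sample values for the demo; not real card data.
        String[] fields = { "4111111111111111", "123", "JANE DOE" };
        for (String f : fields) {
            System.out.println(f + " round-trips: " + helper.roundTripMatches(f));
        }

        // Modify one byte of a stored ciphertext: decryption is rejected instead of returning altered data.
        byte[] blob = Base64.getDecoder().decode(helper.encrypt(fields[0]));
        blob[blob.length - 1] ^= 0x01;   // flip a bit in the authentication tag
        try {
            helper.decrypt(Base64.getEncoder().encodeToString(blob));
            System.out.println("tampered ciphertext accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```

Because the IV is random, encrypting the same card number twice yields different ciphertexts, so an attacker who sees the stored values cannot tell which customers share a card; the blog's ECB-style helper does not have that property. The bankService.decryptData() comparison from the post still works on top of this helper, but with GCM a changed ciphertext never reaches the comparison at all.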

At the frontend, both the username and password are validated using the authguard.service.ts class.

canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): boolean {
    // Client-side check only: the route is allowed when a 'currentUser' entry exists in localStorage.
    // The API must still verify the user's credentials or token on every request it serves.
    if (localStorage.getItem('currentUser')) {
        return true;
    }
    // not logged in so redirect to login page with the return url
    this.router.navigate(['/login'], { queryParams: { returnUrl: state.url } });
    return false;
}

logout() {
    // Removing the entry makes canActivate() redirect to /login on the next guarded navigation
    localStorage.removeItem('currentUser');
}

Here the Angular-defined canActivate interface is used as a route guard, deciding whether a path or route may be activated based on the validity of the user.

Let's meet again with the drug management coding part. Happy coding :)




©Copyright Viraj Wickramasinghe.