If you’re involved in creating software APIs, you’ll doubtless find yourself spending a lot of time thinking about security. It seems like every few days another large company is reporting a DoS or DDoS attack against their internet-facing programs; lots more attacks are likely suffered without fanfare. The fact is these attacks can be very hard to protect against, especially DDoS, where simply blocking an IP range isn’t practical. Often, the survival of your service simply comes down to being able to handle more traffic than the attackers can send. These days, there are a number of companies offering high-quality protection for the largest or most mission-critical programs. But beyond that layer of protection, your API must be able to scale to rejecting large rates of invalid authentication requests, whilst still allowing your customers a way through.
This is especially problematic for interpreted languages such as PHP, Ruby, and Python. What such languages give in flexibility and ease of coding, they lose in pure speed, sometimes by an order or two of magnitude. So, if your customers access your service over a JSON REST API written in PHP, say, that round-trip to parse an authentication request, check the database, and block access can easily consume so many resources that your customers suffer slower response times—or even an outage. Of all the API stack, the security components are the most important, and if you lose that battle, you might well lose the war, too.
But there’s another consideration of critical importance, too: the API must be able to validate authentication requests correctly—and not mistakenly grant a hacker access. Writing such code can be repetitive and error-prone, which is why many third-party libraries exist to extract such functionality. That way, you can build your API on code designed specifically for this purpose and used elsewhere, vastly reducing the lines of code necessary. However, in this choice, you are very restricted: if your API is written in PHP, you’ll usually only have PHP libraries available to you, and this frequently must also be compatible with the other libraries your API uses, accounting also for dependencies installed on the server or in the container. Dependency hell can be just around the corner.
Tigrosa helps with these issues by offloading such processes to a dedicated program, which sits directly in front of your API and acts as an authentication proxy. Instead of needing to be compatible with the language and libraries used in your own software, it is compiled into a small binary with minimal dependencies. When an API request comes in from a customer, it validates a session token using HTTP headers, looks up the user, maps the organisations they are able to access, authorises their level of access, and passes the original request with additional headers upstream to your API. Then, your API uses this to process the request, handling it without having to consider such things as users or tokens. Tigrosa is able to handle many-to-many organisations and users, traditional password logins, and extra-secure passwordless logins via RSA key-pairs.
Where Tigrosa really comes into its own, though, is when your API is under attack. Not only are Tigrosa’s database queries individually optimised (updated for PostgreSQL 13), but a memory cache (updated for Redis 6) means most requests are handled without having to touch the database at all. This cache is LRU, allowing you to scale to more users and faster responses simply by giving it more memory. Tigrosa is written in Haskell, a statically typed and purely functional language, which gives a high degree of assurance as to the correctness of the code. Further to this, its automated test suite verifies various scenarios automatically. This makes it possible to concentrate on your API’s core functionality, without having to design, optimise, and test large sections of authentication and authorisation code.
Tigrosa 2.0 has been rebuilt from scratch, simplifying the installation procedure and standardising the interface. It provides a small, well-tested core, to which additional features can be added over time. I originally created Tigrosa to offload authentication from the Isoxya web crawler, and this new major version has been built to power Isoxya 2.0 (in development). For the first time, I’m also publishing Tigrosa’s API documentation publicly. Tigrosa is available commercially in a Pro Edition with on-premises licences; contact me if you’d like to discuss using it to protect your own API.