I've recently built a REST consuming web-app with a user account system. While I'm choosing not to store sensitive data such as passwords (using Google/Facebook), I'd prefer to prevent just anybody from accessing the REST endpoints. What are some good ways of doing this? The app is using the MEAN stack.

Also, security is REALLY not my forte, and this side-project isn't monumental or anything, so I'm willing to sacrifice some security for brevity and ease-of-use.
Usually you put a filter mechanism in place so some endpoints are restricted. This checks for a valid token sent by the client (by sending it back to Facebook). If you find this procedure slow you can also use good old sessions (although some people consider this stateful and thus not appropriate (I am not in this camp)).
If your API is meant for other developers to build upon, you use public keys and registration, just like how you registered to use Google/Facebook login.

You should also sanity-check your GET/POST requests, to make sure they contain ONLY what is allowed.

There are many other things you can do, but I can't think of them right now.
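One way to implement the token filter and the request allow-list described in the answer on the Node/Express side of a MEAN app, as an added example that is not the answer author's code: the injected `verifyToken` callback, the `KNOWN_TOKENS` table, and the `fakeRes`/`invoke` helpers are assumptions made so the example runs offline; in a real deployment `verifyToken` would call the login provider's token-verification endpoint.

```javascript
// Express-style middleware factory: lets a request through only when it carries a
// bearer token that verifyToken() accepts. verifyToken(token) is injected; in a real
// MEAN app it would call the login provider's token-verification endpoint and
// resolve to the provider's user id, or null for an invalid or expired token.
function requireAuth(verifyToken) {
  return async function (req, res, next) {
    const match = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
    if (!match) return res.status(401).json({ error: 'missing bearer token' });
    const userId = await verifyToken(match[1]);
    if (!userId) return res.status(401).json({ error: 'invalid token' });
    req.userId = userId; // handlers trust this, never a client-supplied user id
    next();
  };
}

// Allow-list the request body: any key outside allowedFields is rejected rather
// than silently dropped, so unexpected fields can never reach the database layer.
function allowOnly(allowedFields) {
  return function (req, res, next) {
    const extra = Object.keys(req.body || {}).filter((k) => !allowedFields.includes(k));
    if (extra.length) return res.status(400).json({ error: 'unexpected fields', fields: extra });
    next();
  };
}

// Constructed token table standing in for the provider's verification endpoint (assumption).
const KNOWN_TOKENS = new Map([['tok-alice', 'alice']]);
const lookupToken = async (token) => KNOWN_TOKENS.get(token) || null;

// Minimal response stub so the middleware can be exercised without starting a server.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs one middleware against a request and reports whether it called next().
async function invoke(middleware, req) {
  const res = fakeRes();
  let passed = false;
  await middleware(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body, userId: req.userId };
}

// Demo: an unauthenticated call is refused, a known token is let through.
invoke(requireAuth(lookupToken), { headers: {} }).then((r) => console.log(r.status, r.passed));
invoke(requireAuth(lookupToken), { headers: { authorization: 'Bearer tok-alice' } })
  .then((r) => console.log(r.status, r.passed, r.userId));
```

In a real app you would mount these with `app.use('/api', requireAuth(verifier))` and `router.post('/posts', allowOnly(['title', 'body']), handler)`, keeping the token check ahead of every restricted route.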