I am building a website. This site's front-end page needs to get/post data via
AJAX from/to the server, and the server provides the same APIs to other apps (private apps, not public, under the same 1st-class domain).
POST /api/users is used to create a new user. The site will provide a register page, which will use this API to register a user (via
AJAX). I want the other apps to also be able to use this API to register users.
In general, I use a hashed string to authenticate requests from other apps. But I don't think that I can do the same thing for the front page.
I don't want to use two different APIs for front page and other apps separately. So how can I do this?
I am using Node.js and Express.
I recommend using a combination of APIs. Logging in a user or creating a user should return a session token. Then, every subsequent request should include that token. The other APIs on your server should not allow requests without a user session token. So, when a request comes in to e.g. /app/data, the server looks up the session token (usually sent in a header) to verify the user exists and is logged in.
This typically works in a mobile-app-with-website scenario because users will have to register via the website. Therefore, the registration API is restricted to the website by way of disallowing CORS for the registration API, but allowing CORS for all other APIs in your server. As long as they look up the session token to verify it is valid, then I don't think there are too many security risks there.
A more advanced and secure approach would be to secure the API with OAuth 2. Since you own the server, it would be quite easy to register users via an OAuth 2 handshake from both website and mobile app.