# 20231030 Rocket Reverse Proxy for Commercetools API
Date: 2023-10-30
## Status
Accepted
## Context
Rocket provides a reverse proxy for communication between the frontend and the Commercetools API. This is necessary to avoid exposing auth credentials in the frontend, since the Commercetools SDK is not intended to be used in the frontend. Any request that is routed through the proxy can be inspected and modified before it is forwarded to Commercetools. This provides flexibility, but it also means that every call costs one additional request hop.
## Decision
We decided to run all requests through the proxy so that the auth credentials, access tokens and refresh tokens are stored only in a secure HttpOnly cookie. In addition, the AuthMiddleware of the SDK now runs on the proxy. We made this decision because we put security above performance. As long as Commercetools does not provide a secure SDK for use in the frontend, we do not see any other option that provides sufficient security.
## Consequences
The access token and the refresh token are no longer exposed in the frontend. The number of requests is almost doubled.