DEV Community

How To Write Your First HTTP Request to NASA

👩‍💻Tracy A King on August 03, 2019

I’m excited to introduce you to HTTP requests and provide you with tools and resources to get up and running. Learning how to work with APIs is a ...
Erebos Manannán • Edited

This really highlights why you really should avoid giving frontend programs access to your API keys and other such tokens and always route requests via your backend.

You give access to your API keys and other secrets to the frontend and literally anyone can see them.

You should
1) Better block out your API key from your screenshots
2) Remove it from your example code
3) Get NASA to invalidate that one and issue you a new one

Edit: I guess the example code uses some demo key, that's probably fine. The screenshot is still easily readable.

👩‍💻Tracy A King

The credentials have been invalidated as an extra precaution but thank you!

Amazing Dev
  • This is not an issue if API tokens are restricted by domain.
  • There is nothing wrong with accessing the API from the frontend on its own. In some cases, it's even better (e.g. when you don't want to put too much load on the backend, or you don't need to log metadata about these requests).
  • However it is true that more information is exposed, thus some thought should be put into how this can be abused, and how to prevent that.
Erebos Manannán

When you say "the API" you probably very specifically mean this API specifically; there are a lot of other APIs that would require you to actually keep your credentials secret, when they e.g. result in billing events. This is why it's a good practice to avoid doing things like this on the frontend.

If your requests are causing too much load on your backend, just think what you're doing to other people's backends. Logging etc. is of course configurable, by you.

👩‍💻Tracy A King

Yes!!

Andrew Brown 🇨🇦

This is really cool. Just having interesting data to work with for BigData or ML purposes is fun, and since I like Star Trek it plays in that theme very well.

Alejandra Quetzalli 🐾

OMG HOW COOL IS THIS?!?!

Jon Randy 🎖️

Might want to blur those credentials a bit more

👩‍💻Tracy A King

The credentials have been invalidated as an extra precaution but thank you!

Emma Bostian ✨

I freaking love NASA! Great job!

👩‍💻Tracy A King

Thank you!!

Rey Navarro

This is so cool! Thanks for sharing 🙌🏽🙌🏽

Edison Augusthy

Let me hack NASA now

Lawrence

Unless this is specifically for node, using JS to interact with an API using a private API key exposes it to anyone viewing the page. The proper way would be to use server-side processing.
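
The server-side approach suggested in the comments above, as an added example that is not part of the original article or thread: a small Node.js proxy that keeps the key in the server's environment and forwards only allowlisted query parameters. The upstream URL, the `/apod` route, the environment variable names and the parameter allowlist are assumptions.

```javascript
// Added example: server-side proxy so the browser never holds the API key.
// Assumed (not from the thread): upstream URL, /apod route, env var names, allowlist.
const UPSTREAM = "https://api.nasa.gov/planetary/apod";
const ALLOWED_PARAMS = new Set(["date", "start_date", "end_date", "count", "thumbs"]);

// Build the upstream URL from the client's query string. Only allowlisted parameters
// are forwarded (first value wins), so a client-supplied api_key is dropped.
function buildUpstreamUrl(clientQuery, apiKey) {
  if (!apiKey) throw new Error("server API key is not configured");
  const out = new URL(UPSTREAM);
  for (const [name, value] of new URLSearchParams(clientQuery)) {
    if (ALLOWED_PARAMS.has(name) && !out.searchParams.has(name)) out.searchParams.set(name, value);
  }
  out.searchParams.set("api_key", apiKey); // the server's own key is attached last
  return out;
}

// Same URL with the key masked, safe to write to logs.
function redactForLog(url) {
  const copy = new URL(url);
  copy.searchParams.set("api_key", "REDACTED");
  return copy.toString();
}

// Request handler: the browser calls /apod?date=... on our origin and receives the
// upstream JSON; the key stays in this process. fetchImpl can be swapped for a stub.
async function handle(req, res, apiKey, fetchImpl = fetch) {
  const incoming = new URL(req.url, "http://localhost");
  if (req.method !== "GET" || incoming.pathname !== "/apod") return res.writeHead(404).end();
  try {
    const target = buildUpstreamUrl(incoming.search, apiKey);
    console.log("proxying", redactForLog(target));
    const upstream = await fetchImpl(target);
    res.writeHead(upstream.status, { "Content-Type": "application/json" });
    res.end(await upstream.text());
  } catch {
    if (!res.headersSent) res.writeHead(502); // upstream failure: no details to the client
    res.end();
  }
}

// Starts only when both variables are set, e.g. NASA_API_KEY=... PROXY_PORT=3000 node proxy.js
if (process.env.NASA_API_KEY && process.env.PROXY_PORT) {
  import("node:http").then(({ createServer }) =>
    createServer((req, res) => handle(req, res, process.env.NASA_API_KEY))
      .listen(Number(process.env.PROXY_PORT), "127.0.0.1"));
}
```

The frontend then requests `/apod?date=...` from its own origin, so the key never appears in page source, network traces of the browser, or screenshots of client code.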

DemonWolfFang

Hi, this may sound very dumb. I'm using the NASA API for a bot on Discord, how would I go about using this? I'm having a lot of trouble with it.

👩‍💻Tracy A King

Oh no! Sorry I am just seeing this 🤦 This isn't dumb at all. What are you trying to do specifically? I haven't worked on bots before but I'm happy to help if there's something I can answer for you!

Erebos Manannán

You really should pixelize those credentials a bit better.

👩‍💻Tracy A King

The credentials have been invalidated as an extra precaution but thank you!

Erebos Manannán

... also your API key is still in the example code.