Architecture

The API Gateway will consist of a Kong Ingress Controller in the Kubernetes Cluster. Kong is extensible via plugins and will let us robustly configure the gateway.

Every service will have it ingress that will filter the requests by path. The paths will be:

  • /borrow >> borrower service

  • /auth >> identity service

  • /oracle >> price oracle service

  • /contract >> sc-monitor (view only functions from contract)

Each ingress will have the plugins configured as follow:

Drawing

Authentication (JWT)

The verify-jwt Kong plugin will check for JWT token validity in the Authorization Header. The JWT token has in its sub field the user id, the exp as the expiry date, and iss as the issuer. If the token is invalid, a 401 response will be returned. The gateway will send through this header to let the downstream services decode the token and get the user id. Downstream services will be responsible for getting the user ID and only letting the user perform actions in his data.

Rate Limiting

The rate-limit Kong plugin will be responsible of rate limiting the requests and safeguarding the backend. The request count will be stored locally to reduce latency (redis db can be implemented later on). The limits will be:

  • Authenticated:

    • 10 per second

    • 1000 per minute

    • 2000 per hour

  • Public:

    • 5 per second

    • 60 per minute

    • 200 per hour

CORS (Cross-Origin Resource Sharing)

The CORS Kong plugin will set up the CORS headers appropriately to improve security in the browser. It will be set up globally across the cluster.

PreviousAPI GatewayNextURLs

Last updated