Application Programming Interfaces (APIs) have become the most common way how services „talk“ to each other, e.g. in a typical frontend-backend design. The plumber package offers capabilities to implement an API in R, making it possible to use R for software development use cases that often require security best practices. In my talk, I will show how we can use plumber filters to secure plumber APIs. I then present the sealr package (github.com/jandix/sealr) which provides standardized strategies for authentication and authorization, namely JSON Web Tokens (JWT) (implemented), OAuth2 and general API tokens (under development at time of submission). sealr is inspired by the manifold passport.js package for Node.js. The main functionality of sealr is verifying tokens sent to plumber – how those tokens are issued by plumber is not covered (yet) as it is highly application-specific. However, we provide implementation examples for each method.
As authentication middleware specifically developed for the plumber framework, sealr differs from packages such as sodium, openssl, jose and bcrypt that implement specific encryption and/or hashing algorithms. secret, digest and keyring are used for securely storing (R) objects.
With sealr, we aim to make authentication and authorization as easy as possible to implement for R users so that plumber APIs can be used in security-sensitive environments.