ADR-0029 Proxy Calls to Mallzee API

Publication Date: 2021-11-24
Last Update: 2021-11-24
Status: Accepted
References: ADR-0011 Mallzee Api

Context

The Mallzee API requires an API key for authentication. This will be a long-lived key that we store in the Google Secret Manager.

In both the VR Designer System and the Dress Me Up System, the Mallzee API is called by a Cloud Function triggered on updates to the Data Store, but in the Magic Mirror System it is called directly by the mobile app.

While the Cloud Functions have access to the API key in the Secret Manager, the mobile app does not have access to an API key (we do not want to expose the shared API key to the end-user application).

Decision

We will implement a Cloud Function to proxy calls from the mobile app to the Mallzee API.

The mobile app will use the user’s Firebase ID token to authenticate to the Cloud Function, and the Cloud Function will use the shared API key from the Google Secret Manager to call the Mallzee API.
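
A sketch of the proxy's request handling, added here as an illustration and not taken from the project's code. The header name, endpoint path and secret value are assumptions (the ADR does not specify them), and the token verifier, secret lookup and upstream call are injected so the block runs offline with constructed fakes.

```python
from typing import Callable, Dict, Mapping, Tuple

# Assumptions (not in the ADR): header name, endpoint path, secret value.
API_KEY_HEADER = "X-Api-Key"          # hypothetical Mallzee auth header
ALLOWED_PATHS = {"/v1/products"}      # placeholder endpoint allowlist

Response = Tuple[int, Dict]

def make_proxy(verify_id_token: Callable[[str], Mapping],
               get_api_key: Callable[[], str],
               call_upstream: Callable[[str, Mapping, Mapping], Response]):
    """Build the proxy handler from injected dependencies.

    In a deployment these would wrap firebase_admin.auth.verify_id_token,
    a Secret Manager access_secret_version call, and an HTTPS client.
    """
    def handle(headers: Mapping[str, str], path: str, query: Mapping) -> Response:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, {"error": "missing bearer token"}
        try:
            verify_id_token(token)  # raises on a token the verifier rejects
        except Exception:
            return 401, {"error": "invalid token"}
        if path not in ALLOWED_PATHS:
            return 404, {"error": "unknown endpoint"}
        # Build upstream headers from scratch: nothing from the client is
        # forwarded, and the shared key is only ever sent upstream.
        status, body = call_upstream(path, query, {API_KEY_HEADER: get_api_key()})
        if status >= 500:
            return 502, {"error": "upstream failure"}
        return status, body
    return handle

# Constructed fakes so the example runs offline.
def fake_verify(token: str) -> Mapping:
    if token != "valid-token":
        raise ValueError("bad token")
    return {"uid": "user-123"}

def fake_upstream(path, query, headers) -> Response:
    ok = headers.get(API_KEY_HEADER) == "constructed-secret"
    return (200, {"items": [], "query": dict(query)}) if ok else (403, {})

proxy = make_proxy(fake_verify, lambda: "constructed-secret", fake_upstream)
```

The allowlist keeps the function from becoming a general-purpose relay for any Mallzee endpoint the shared key can reach.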

Consequences

We need to implement one more Cloud Function.

We need to update the architecture diagrams to show the use of the Secret Manager in use cases 1 and 2, and to add this new Cloud Function in use case 3.