What’s the best way to authenticate REST requests to a Cowboy server existing on the public internet? (Meaning: NOT shielded within a private VPC/API Gateway; requests are made directly to its host/public IP address.)
I’m afraid it strongly depends on the details of what you’re trying to do. Basic auth, API key, OAuth, JWT are all possible choices, and more! Since Cowboy is a general-purpose HTTP server, any of these is doable, with differing degrees of difficulty. It depends on what you’re trying to protect and from whom.
Let’s say I wanted to enable basic auth keys and/or JWT tokens, is there a requirement to maintain some form of backend that handles token refreshes/revocations/verifications? Or does Cowboy do this out of the box?
As far as I know there’s nothing out of the box in Cowboy.
Basic auth is pretty easy. Here’s a good example I found.
A JWT can be validated with JOSE. It’s more involved but very reliable once you get it set up, and it has some added security benefits such as an expiration. Generating the JWT is a client-side thing, so it depends on what language your client lives in. If it’s Erlang then you can also use JOSE.
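An added example, not code from this thread or from the Cowboy or JOSE projects: a Cowboy 2.x handler that accepts either Basic credentials or an HS256-signed Bearer JWT verified with erlang-jose. The application name `my_app`, its env keys `basic_user`, `basic_pass` and `jwt_secret`, the `sub` claim and the choice of HS256 are assumptions made for illustration.

```erlang
-module(auth_handler).
-behaviour(cowboy_handler).
-export([init/2]).

%% Assumed (hypothetical) config: application my_app with env keys
%% basic_user, basic_pass and jwt_secret, all binaries. Serve over TLS only.
init(Req0, State) ->
    Req = case authenticate(Req0) of
        {ok, Who} -> cowboy_req:reply(200, #{}, [<<"hello ">>, Who], Req0);
        error     -> cowboy_req:reply(401,
                       #{<<"www-authenticate">> => <<"Basic realm=\"api\"">>}, Req0)
    end,
    {ok, Req, State}.

authenticate(Req) ->
    try cowboy_req:parse_header(<<"authorization">>, Req) of
        {basic, User, Pass} -> check_basic(User, Pass);
        {bearer, Token}     -> check_jwt(Token);
        _                   -> error          % header missing or other scheme
    catch _:_ -> error                        % malformed header
    end.

check_basic(User, Pass) ->
    {ok, U} = application:get_env(my_app, basic_user),
    {ok, P} = application:get_env(my_app, basic_pass),
    %% 'and' evaluates both sides, so timing does not reveal which field failed.
    case const_eq(User, U) and const_eq(Pass, P) of
        true  -> {ok, User};
        false -> error
    end.

%% Constant-time compare; hashing first gives equal-length inputs (needs OTP 25+).
const_eq(A, B) ->
    crypto:hash_equals(crypto:hash(sha256, A), crypto:hash(sha256, B)).

check_jwt(Token) ->
    {ok, Secret} = application:get_env(my_app, jwt_secret),
    JWK = jose_jwk:from_oct(Secret),
    %% verify_strict pins the accepted algorithm, so "none" or an
    %% attacker-chosen alg in the token header is rejected.
    try jose_jwt:verify_strict(JWK, [<<"HS256">>], Token) of
        {true, {jose_jwt, #{<<"exp">> := Exp, <<"sub">> := Sub}}, _JWS}
          when is_number(Exp), is_binary(Sub) ->
            %% A valid signature does not imply an unexpired token: check exp here.
            case Exp > erlang:system_time(second) of
                true -> {ok, Sub}; false -> error end;
        _ -> error                            % bad signature or missing claims
    catch _:_ -> error                        % not a parseable JWT
    end.
```

Nothing here covers revocation: a token stays valid until its `exp`, so short lifetimes or a server-side deny list are still the application's job.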