A simple NodeJS proxy for my personal website built to keep third-party API secrets both secret and safe.
This is still very much a work-in-progress.
It currently proxies calls to the Instagram and LastFM APIs, with plans to support other services in the future.
Why didn't you just use THING-THAT-SOLVES-THIS-PROBLEM to do this?
Because I didn't want to. This is primarily a learning experience for myself.
NodeJS (Version 22.15.0)
The following environment variables will need to be assigned the appropriate values:
ALLOWED_DOMAINS
INSTAGRAM_ACCESS_TOKEN
INSTAGRAM_FIELDS
INSTAGRAM_USER_ID
LASTFM_API_KEY
LASTFM_FORMAT
LASTFM_METHOD
LASTFM_USER
NODE_ENV
For local development, these can be set up in a module located at
./modules/envVars.mjs. This file should contain the appropriate allowed
domains, IDs, tokens, and other params necessary to communicate with the
supported third-party APIs. NODE_ENV is only required on a production server,
where its value must be set to production.
const ENV_VARS = Object.freeze({
  allowedDomains: 'http://LOCAL-ACCESS-DOMAIN:OPTIONAL-PORT',
  instagram: {
    accessToken: 'YOUR-ACCESS-TOKEN',
    fields: 'id,caption,media_type,media_url,thumbnail_url,timestamp',
    userId: 'YOUR-USER-ID'
  },
  lastfm: {
    apiKey: 'YOUR-API-KEY',
    format: 'json',
    method: 'user.getrecenttracks',
    user: 'YOUR-USER-NAME'
  }
});
export default ENV_VARS;

Launch the index script using node.
$ npm run start
The server will be running at http://127.0.0.1:3001 with the Instagram API
accessible from http://127.0.0.1:3001/instagram and the LastFM API accessible
from http://127.0.0.1:3001/lastfm. The IP address and port can be configured
differently by changing the values in ./modules/config.mjs.
Access to the API is restricted both by CORS and referer validation.
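
One way such a check can be written, as an added example that is not this project's code: it assumes ALLOWED_DOMAINS holds a comma-separated list of origins and compares parsed origins exactly rather than matching substrings. All function names are hypothetical.

```javascript
// Added example, not this project's code. Assumes ALLOWED_DOMAINS is a
// comma-separated list of origins; all function names are hypothetical.

// Reduce a URL string to its http(s) origin, or null if it is not one.
function toOrigin(value) {
  try {
    const url = new URL(value);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
    return url.origin; // scheme://host[:port], default ports dropped
  } catch {
    return null; // unparseable, e.g. the literal Origin value "null"
  }
}

function parseAllowedOrigins(raw) {
  const parts = (raw || '').split(',').map((s) => toOrigin(s.trim()));
  return new Set(parts.filter(Boolean));
}

// headers: Node-style object with lower-cased names (req.headers).
// Every Origin/Referer header that is present must parse to an allowed
// origin, and at least one of them must be present.
function checkRequest(headers, allowedOrigins) {
  const presented = [headers.origin, headers.referer].filter((v) => v !== undefined);
  const origins = presented.map(toOrigin);
  const allowed = presented.length > 0 &&
    origins.every((o) => o !== null && allowedOrigins.has(o));
  if (!allowed) return { allowed: false, headers: {} };
  // Echo the single matched origin, never "*", and mark the response as
  // varying by Origin so caches do not reuse it across callers.
  return {
    allowed: true,
    headers: { 'Access-Control-Allow-Origin': origins[0], Vary: 'Origin' },
  };
}

// Constructed sample input.
const allowedOrigins = parseAllowedOrigins('https://example.com, http://localhost:8080');
const samples = [
  { origin: 'https://example.com', referer: 'https://example.com/music' },
  { referer: 'https://example.com.other.test/' },           // look-alike host
  { referer: 'https://other.test/?r=https://example.com' }, // allowed origin only in query
  {},                                                       // no headers at all
];
for (const h of samples) console.log(JSON.stringify(h), checkRequest(h, allowedOrigins).allowed);
```

Origin and Referer are set by the client, so a check like this limits which web pages can call the proxy from a browser; it does not authenticate non-browser clients.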