I have a node.js app which does authentication/authorization. I have an Azure Function which accepts an auth token, validates it and executes the business logic behind it (exposed through CORS). I have a static website with an Angular app which redirects to node.js for auth, gets the token and calls the Azure Function directly with it. For all subsequent requests from Angular, we use the same token.

My fear: if any network sniffing tool gets hold of the token, there could be a possible attack on our business, as the respective tool will have everything it needs to execute the Azure Function(s) on the user's behalf. I tested this using cURL and was able to execute the Azure Function directly (with the token captured from dev tools).
Question:

1. Are there any flaws in the above architecture?
2. If so, what's the best approach?
3. If not, is my fear valid?
4. Is it a good idea to expose Azure Functions directly to the public (even though they accept only authorized requests)?

Thanks

Answer:

> Are there any flaws in the above architecture?

Of course there are.

> If so, what's the best approach?

There are plenty.

> If not, is my fear valid?

Somewhat, but if you haven't screwed up the auth part you should be fine ;)

> Is it a good idea to expose Azure Functions directly to the public (even though they accept only authorized requests)?

Sure it is. Simply do the auth before you execute any business logic. You have your auth done (hopefully right); you most probably pass the token (I assume something like a Bearer JWT token) in the header of HTTPS requests, so it is encrypted together with the payload (this alone makes it quite hard to sniff out). I assume as well that you hold it in some place with restricted access, like a secure cookie or alike.

One thing to consider, which you have not mentioned, is token invalidation (for instance when the user logs out) and reasonable expiry times (of course those depend on your use cases). Maybe add a drop-all-sessions button. There are plenty of strategies which harden your APIs but never really get you all the way there.

As a side note: from experience, if AAD B2C is an option I would go for it for managing end users. It integrates quite well with Azure Functions, gives you OAuth flows, can integrate with 3rd parties, plus a fair bit of libraries to integrate it with your stack (historically the quality of those varied); you can force MFA and it gives you the MS quality potato stamp. IIRC the major downside is that EasyAuth doesn't work in your local dev env, so you have to mock it up somehow.