I have been grappling with controlling access to my HTTP triggered Azure Function endpoints which are hosted on a consumption plan hence my desire to ensure that access is limited to relevant users.
So, my first batch of API's were developed and I added an API Management Service to the array of services and locked down my Azure Functions by setting them to access level Function which is great. I then added a JWT policy to my API Management Gateway and this works great as my users each have their own individual token allocated by another application, so this is perfect as I know only authorised people are actually getting at my API's and costing me money!!
However the next phase is to move all of our Service Fabric API's to Azure Functions in an attempt to minimise hosting costs as we are in a position where we deploy applications and people may not actually use the API's at all hence a consumption based Azure Function approach should reduce our hosting costs massively.
However, today I was looking at how I restrict access to my new API's that are consumed by an SPA Angular app, and whilst the majority of these API's can only be access once the user is logged in I need to expose at least 3 API's specifically Login, Password Reset Request and Password Reset to the outside world as by their very definition the user has not yet authenticated!!
I could add a function key or have a master JWT token that does not expire but this would need to be stored in the JS application which is not particularly secure.
So my question is what is to stop a malicious attacker simply spamming my public API's night and day with the end result incurring additional hosting charges?
Am I missing something here or is this just how it is?