Note: Plenty of battle hardened users here, who may have crucial advise, but here is mine.
I want community inputs on if we can use Node red for these purposes?
I could achieve basic CRUD operations but then any other complex things can be done?
Sky is the limit, as long as you address any hurdles/shortcomings, I can't see why not.
Under normal circumstance, this should not be a problem, but keep in mind JavaScript is single threaded,
If Yes, What are the best practices involved or should be considered?
I wouldn't put Node RED at the front, I would use something like NGINX, this gives you access to throttling, MUCH MUCH better security, and more to help protect Node RED
I couldn't create a custom middleware to authenticate.
Still worried about the security measures associated with it.
Unless you are a security expert - try to use something that is tried and tested, NGINX is used a lot for both the SSL layer and Authentication.
You can use it for anything that you like that is legal and your organisation/customers permit you to.
I personally think that Node-RED certainly has a place for API management. Though noting that it will never be the most efficient method due to the overheads of running a mostly single-threaded high-level scripting language with a bunch of additional visual processing overheads.
But don't get me wrong, Node-REDs performance is pretty good - plenty good enough for many things. But it carries a fair bit of baggage if you were needing to minimise resource usage for whatever reason such as:
Cloud computing costs
Environmental, "green" concerns
Limited compute hardware
Very large scale
Too much depends on your requirements to give much detail but I'd at least say, keep your flows as simple as feasible. Keep them neat and commented so that others can understand them. Decouple where you can - don't create tightly coupled flows.
But there are lots of standard things around security, failure modes, scalability, etc which would apply no matter what tool you were using.
Yes.
I would recommend not using Node-RED for authentication. Even though you can do it, trying to squeeze authentication and authorisation into your API processing tool does not necessarily meet reasonable separation of concerns.
Better, in my opinion, to use a separate proxy with a proper and scalable IDAM architecture.
Good! Too many people do not. Use a battle-hardened set of security and IDAM tools to give defence in depth.