So i am making a social media like site where i use react for frontend and expressjs for backend...
I was using public api till now but now i need private api to control some login info. So, i cannot understand how to do it. Because the link where it will request can be viewed by doing Ctrl+Shift+I and can be used by anyone
I still have methods to do but just wondering, if any way to know where does the request comming from
Let assume that the api site is api.some.site and the main site is some.site, so the request should only come from some.site else send 404 response and i need to do it with expressjs...
I don't know how to do it but I wanted to give you some information to think about. If you want people to be able to log in, on your site. That api end point has to be unprotected, because a logged out person does not have any credentials yet. When logged in the user would be able to access protected end points right? End points like password change of viewing specific pages. So all the data an user should or should not have access to should be handled by the server. You website is only a mechanism to make your data look pretty and easy to handle. So in a way you shouldn't care about people using your open end points from another location because their open anyways.
Authentication should never be handled client side. It should always be handled by a server.
This is my opinion, hope it helps. Sorry if it's not what you are looking for
Related
So I'm currently building a really small app to prove a concept using Node, passport, and angular.
I'm having trouble trying to get the users information from the server to my front end because of the way that twitter authentication works. And I thought I'd reach out to see if any of you can help me understand.
Basically my problem is that I call my backend localhost:8000/auth/twitter and that redirects to the twitter auth page, and then calls a callback which is in my backend. At that point I have user data, and all is good. However I can't just send that to my frond end as I have to do a redirect.
If I redirect to my front end: localhost:4200/ I no longer have the session data that is included on the request from the backend. So I can't redirect to the front end.
I can redirect to a page in the backend, and I have all the data available to be, but that doesn't really help me as I need to send it down to my angular app.
What would be a good way of doing this?
Is it possible?
How can I make sure that the user that is using my site is authenticated when calling backend routes to do things?
Any help would be greatly appreciated.
If you'd like to see my code, I can show it but I'm not sure if it would help, as I'm just trying to understand a concept.
I am trying to understand on a high level how a system like coderpad works. Everytime I use Coderpad to practice interviews with friends, it creates a session with a temporary link that both users can access to start the coding interview.
When a someone goes to the homepage they would be served the standard html page/client for the homepage. When they create an interview session they are served the html page/client for the coding pad, and there must also be a way to users to connect to the same session and for each session to be an isolated instance? Im guessing that when each user use the link, the server process their request and based on the link, it actually set up a stream connection between the users so that they can collaborate on a shared document, share video/voice.
my questions are:
- how exactly is the temporary link created, and how can it be created so fast?
- is my understanding of how it works correct?
- Giving topics to look into that could point me in the right direction would really help
I got curious about this too, after an interview on CoderPad.io. I suspect the temporary links are just for the server to identify the session - not actual pages on the server. Probably using WebSocket to communicate between the server and clients, broadcasting back to all users whenever code is changed (or other events.)
The coding pad page is the same static HTML. The contents and users are modified on the back-end, and only the results are shown - like in a chatroom.
Hope this helps.
I'm making a REST backend for private use of our frontend, they will both be in the same server.
The problem is that I'm worried about security issues, I don't want a attacker to use the API directly, either by JS or by using other REST client.
Lets take this service as an example
http://myserver:8080/something/webresources/film
That's a service that allows to GET, PUT, POST, DELETE I want that only the frontend be able to use it, otherwise since anyone can see client-code it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH so they would have to register and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user only could get/update/delete their own movies, but I would have to do that for every REST service(I have over 100 by now), plus I might need to actually get others movies
This is my first public project, I am really lost.
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Your only option to call the REST API from server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)
I have an action that retrieves some data from the DB and then I wanted to check that the data it have received is correct before it continues on with authentication. I am using invite codes to allow people to log into a public site that is for private corporate use only. I am able to get the data just fine, but the aftermodel is firing before the request is completed. I am making a call to an azure mobile service and the call is still in pending (according to chrome) when the aftermodel is firing off. Seems like it hasn't received the data at that point.
What is the best method to get this verification working properly? Once it verifies it would then allow them to log in with an external provider.
Please, look at this discussion: Ember authentication best practices?
If you don't need an Auth engine, then you could implement "verifying data" in beforeModel hook. Why beforeModel? Because if data is not correct, then app should redirect user to another page, and beforeModel is made for this logic: http://emberjs.com/guides/routing/preventing-and-retrying-transitions/#toc_aborting-transitions-within-code-model-code-code-beforemodel-code-code-aftermodel-code
I am developing a website in node.js and I am using Parse.com to handle the user registration and the Facebook users.
To handle the Facebook login with Parse, I have to use the line of code:
Parse.initialize(APP_ID, KEY);
which can be accessed by anybody by just looking at the source code of the website.
So my question is: if somebody has access to this information, can he access the data that I stored in Parse? he would just have to create some simple query, no?
I already initialize on the server side so is there a way to tell the template(jade in my case) that Parse has been initialized by passing some kind of parameters?
Thanks
If you set up ACLs and class permissions correctly in your app, then there should be no concern with handing out your JavaScript key. See this page for more information: https://www.parse.com/questions/javascript-sdk-security