How to import nano/couchdb to nestjs project? - couchdb

I have trouble importing and using the Nano library for CouchDB in nestjs, or I am doing it wrong.
The URL needs authentication credentials.
I need to know a safe way and a practical way to start with CouchDB in a nestjs app (maybe some npm package that will do the heavy work). Also, in ASP.Net Core, for example, there is a connection string property in appsettings.json. Can something like that be done with nestjs and CouchDB (a URL with credentials and everything required to connect to CouchDB), something like a configuration file for the database connection?
Isn't there a module to import, or is it not necessary?
Maybe I can't see the forest for the trees.

Related

What is the best way to store database connection string in an electron app?

I am developing an electron app that connects to a remote couchdb database using a connection string which contains the db's username and password, something like https://admin:admin#IP:PORT
But I do not wish to reveal the database credentials in the electron app due to security reasons, is there any way I can:
a) Either store the aforementioned db url in a secured way inside the electron app?
b) or, create an nginx proxy at my server's end that will help connect my electron app using a proxy url without revealing the db username/password?
I also have some secret third party service keys (bugsnag key etc etc) in my electron app that I need to store securely, please suggest a way to do so.
PS: I am using electron-builder to package my app.
Thanks in advance
There is an npm module for storing security information in an Electron app.
Please have a look at the keytar module developed by Atom.
But anyhow, after packing the app using electron-builder, this encrypted data will be stored inside your Electron app's resources or somewhere else, such as in the asar package, Application Data, or elsewhere (I'm not sure where it is, since I've not attempted to find this data location). Even though the data is encrypted, anyone can access this.
You should use the right method to encrypt it, then.

Can Wolkenkit be used as just a server or with graphQL?

I really like the Wolkenkit server but when I looked at the client library it seemed a bit too opinionated and I might be using graphQL -- which I think will work well to wrangle all the read models. In that case, can I just use the server with http? What would be involved with that?
Basically, you can access wolkenkit using HTTP or web sockets directly, without the need to use the JavaScript client SDK. All the client SDK does is wrap the HTTP and web socket calls, respectively, in a convenience API.
The server is built upon tailwind, which is a base module for applications built with CQRS in mind. The best place to start is to have a look at the HTTP server API of tailwind, which is used by wolkenkit. There, one could also add a GraphQL endpoint.
Please note that I am one of the developers of wolkenkit, so please take my answer with a grain of salt.

Database Connection security in nodejs

When I'm connecting to a database in node, I have to add the db name, username, password etc. If I'm right, every user can access the js file when they know the address. So... how does it work? Is it safe?
Node.js server side source files should never be accessible to end-users.
In frameworks like Express the convention is that requests for static assets are handled by the static middleware, which serves files only from a specific folder in your solution. Explicit requests for other source files that exist in your code base are thus ignored (404 is passed down the pipeline).
Consult https://expressjs.com/en/starter/static-files.html for more details.
Although there are other possible options to further limit the visibility of sensitive data, note that anyone with admin rights who gets access to your server would of course be able to retrieve the data (and this is perfectly acceptable).
I am assuming from the question that the DB and Node are on the same server. I am also assuming you have created either a JSON or env file or a function which picks up your DB parameters.
The one server = everything (code+DB) is not the best setup in the world. However, if you are limited to it, then it depends on the DB you are using. Mongo Community Edition will allow you to set up limited security protocols, such as creating users within the DB itself. This contains a {username password rights} combination which grants scaled rights based upon the type of user you set up. This is not foolproof, but it is some protection even if someone gets hold of your DB parameters. If you are using a more extended version of MongoDB then this question would be superfluous. As to other DBs, you need to consult the documentation.
However, all that being said, you should really have the DB set up behind a public server and only allow SSH into it, with an open port to receive information from your program, as the one server = everything format is not safe in the long run, though it is fine for development.
If you are using MongoDB, you may want to take a look at Mongoose coupled with Mongoose Encryption. I personally do not use them but it may solve your problem in the short run.
If your DB is MySQL etc. then I suggest you look at the documentation.

How to read principals and encrypted keys from Kerboros keytab file on Node JS?

I need to intercept a specific request coming to my Node Server and introduce Kerberos Authentication right there.
Suppose a request comes for /names/; I need to Kerberos-authenticate it first, and only if it is authenticated successfully will I proceed to fulfill the request.
I have one .keytab file which, to my knowledge, has the principals and encrypted keys which I need for authentication.
QUESTION: How can I read the .keytab encrypted file on Node JS?
I have looked into Node packages like node-krb5 and node-passport but couldn't find a way to read my keytab files
Please assist if you have done something similar.
Thanks.
You should look at the node passport-negotiate module which implements server side kerberos ticket authentication checking. There's a sample "login" app in the module which demonstrates how to use the module, and if you look at the strategy.js you should see how to use the underlying kerberos support, should you want to bypass passport and do authentication directly.
The actual server-side kerberos functionality is part of npm kerberos module.
I looked at the source for node-krb5 and that's fairly useless. All it does is more or less what kinit does.
My guess is that you would need a node implementation of SPNEGO, which is a web authentication protocol that uses Kerberos. None of the things in your list do that, and it's not a trivial thing to write.
I'd suggest you look into putting a server that does support SPNEGO in front of your node application.

Profile pictures in web app - best practice of implementing

I want to implement profile pictures (avatars) as simply and safely as possible; I'm using express+passport+mongoose+socket.io, all the latest versions.
As I have no experience with such functionality, and after a few hours of intense googling, I still have no solid idea where to start and how to make it cosy and simple, yet safe.
The question is about how one implements users' avatars in a web app, via file uploads or via something like Gravatar. I really need advice on where to start.
express + passport + mongoose seems to be a good option.
First you need to persist the data somewhere; that's where MongoDB is useful. With the Mongoose ODM you can create your models to easily perform CRUD (Create, Read, Update, Delete) operations.
Then you need a server that communicates with the client and the database. Express is a Node.js framework that makes it really easy to set up your sessions, routes, etc.
Users have to authenticate before an avatar is sent, so Passport is a library that helps, and it can easily be set up with Express.
Socket.io is a node module that creates a persistent connection with the client so they can communicate in "real-time". I don't think it will help much in your project unless you're planning for the avatar image to change in real time when updated.
I suggest you start by setting up Express and the authentication with Passport.
