I have deployed an Angular 8 application and a Nest JS application using Heroku. Both deployments use https.
There is no authentication in the Angular application, so I don't need an authenticated user/password to call the API. I just want to make sure that the only calls that the API accepts are those from the Angular app (and rejects direct calls from people using some sort of REST client)
How can I ensure that only my Angular application can call my Nest JS API?
Related
I have a backend application(let's call it App A) with a grahql endpoint. It's a NodeJs with Nest framework.
The queries on the frontend are generated with codegen (https://the-guild.dev/graphql/codegen). Both frontend and backend are hosted together.
The calls from the generated queries are working perfectly, and they have a proper header for authentication.
Now, I changed my generated queries to send the calls to another backend app(App B), which should check for some user rights, and if the rights are correct should call next my backend app(App A), where the graphql endpoint is.
My problem is that this calls don't have any authentication headers anymore( the calls that reach App B form frontend), not sure how to generate them from my frontend.
I am developing an App which consists of a NextJS frontend and a Rails API backend.
There is this /api route from NextJS where I can put "server side code".
Should I use this feature by sending my frontend requests first to that /api endpoint and then to the Rails API endpoint or is "ok" to directly send the requests to the Rails API endpoint?
For me that looks a bit like a "jump around the corner".
Are there true benefits using the NextJS frontend -> NextJS API -> Rails API approach?
No
From next js docs:
Use Cases
For new projects, you can build your entire API with API Routes. If
you have an existing API, you do not need to forward calls to the API
through an API Route.
Some other use cases for API
Routes are:
Masking the URL of an external service (e.g. /api/secret instead of https://company.com/secret-url)
Using Environment Variables on the server to securely access external services.
https://nextjs.org/docs/api-routes/introduction#use-cases
https://nextjs.org/docs/api-routes/introduction#use-cases
I have an admin site that has a react frontend, using redux actions, with a node.js app as the server which uses firebase-admin to do the work.
I want to use firestore's onsnapshot listener. but im not sure how this works within the HTTP protocol?
I can't use the firebase-admin from my frontend app, and i cant create realtime DB functionality from the backend within HTTP protocol.
The goal: to set snapshot listeners on my collections from rreact frontend without having to go through multiple authentication processes, considering ive got a separate auth system for admins with my express api.
Is there a solution for this?
EDIT:
my client app is currently initialized with firebase web app config data, but because im authenticating admins with my own express server, the firebase web SDK hasnt authenticated with firebase, so i dont have permission for the data i need. im not sure if i need a service account, or a web app config with extra setup or what
My recommendation is to integrate the Firebase JS SDK into your client app using signInWithCustomToken().
It's not too complicated to do. Though I suppose that depends a lot on how your current auth setup works.
The general idea is this:
Send auth request to your auth service.
Process the request like normal.
Evaluate if the user should have access to Firebase.
If they should, use firebase-admin to create a custom token and send it back to the user.
Use the token on the client to authenticate with Firebase.auth
You should make sure to have Firestore rules to allow admin users to access the data you need.
As an alternative that doesn't use the Firebase client SDK, you could have a long-running node process that opens an onSnapshot. Your react app could receive data from it using either Server-Sent Events or through a WebSocket
I am new to GraphQL and seeking your help. Right now, We have React application which will talk to REST API which is developed in .NET Core. Now, we are going to introduce GraphQL between Client and REST API server.
I could not consume .NET REST API in GraphQL (resolver) using either fetch API or AXIOS because of Windows authentication. .NET Core is protected by Windows authentication with help of NTLM. What needs to be done to make API from GraphQL.
Do we need to captured Windows authenticated user information in GraphQL and pass to .Net Core API.
Have you tried httpntlm module?
https://www.npmjs.com/package/httpntlm
I am using Angular4 app for UI and I have a separate Node+Express app which handles rest api calls.
Angular app runs on a different port. and express app runs on a different port.
I try to use express-session framework on the server(express)app.
I use Microsoft ADAL services to authenticate the user. After successful authentication my approach was to make a rest api call from angular app to express server app by passing userEmail and set userEmail variable to req.session.userEmail. I expect the session to be available when a different route is being called to check if the session is available, but the session variable is always showing up as undefined.
What is the best solution here? My goal is to have a session management and prevent responding to unauthorized requests on the server side rest api calls.