I'm trying to do this.
I need to push data from NodeJS (backend) to Angular (frontend) without any explicit request from Angular to NodeJS.
I was thinking of making an API request to Angular from NodeJS and Angular would listen to the API request via a Service and fetch data accordingly.
I'm not sure whether this is the right approach or is it possible in the first place, could someone guide me in the right direction?
Edit:
I'm trying to implement this for multiple Social Media Integrations in a One Page MEAN App. On button clicks, users get redirected to respective Social media authentication pages, after successful authorization, I'm able to fetch the accessTokens in the backend. I'm confused about how to send the data to frontend without passing the accessTokens in URL parameters.
Is there any other approach to implement it in a MEAN app?
I think you can use socket module for pushing data from Nodejs to angular.
The socket module provides emit and on methods with the help of this you can broadcast data or send in the request also generate your own event please check this for more information
you should use tokens as like JWT (passport JWT strategy) and pass it to the client and store it in a cookie / local storage. you can use these tokens to protect api's and/or socket.io connects. after that you do whatever communication you want. the client needs to open the connection to the server (via pull or websockets) or you need to use some form of push service. The reason is, that for many clients they are behind address translation and cannot be reached directly.
Related
I’m using Node and Express for the backend of a mobile app (Flutter).
I’d like all authentication REST facing the client to be auth0’s, since they can handle attacks and security in general much better than me.
Sign Up -
Client sends a request to a signup endpoint on auth0’s server, with custom fields in addition to the existing ones.
On authentication success, auth0 sends an s2s to a signup endpoint on my server with the signup data, as well as a JWT token containing the auth data.
Auth0 incorporates the data responded from the signup endpoint on my server into the response to the client.
Sign In - Same as Sign Up basically, except there’s no need to accept custom fields from the client.
If such a flow is possible, can you please refer me to the relevant docs or otherwise help me understand how? Example implementations in node/express would be much appreciated as well.
As christian mentioned in the comments, you can use a post reg web hook. In addition, because hooks do not support social connections, you can use a rule to send a request to your server to create the user in your db. You can add a flag to the user's metadata to determine whether or not this rule runs.
https://auth0.com/docs/hooks/concepts/post-user-registration-extensibility-point
Here is another strategy: https://community.auth0.com/t/distinguish-between-first-login-and-silent-auth/32986
Let me know if this makes sense.
I have a React front-end that calls REST APIs. The front-end and back-end are hosted on different servers. It's a simple application so I don't want to implement User accounts/API keys. How do I secure the backend so that it could be only used by my React front-end.
you cannot, the only way that I see could come close is by generating a token that's embedded in one of your static React files and validate that token upon request (for every instance downloaded by a user), but it would be impossible to prevent an attacker from fetching that file/token and call the backend APIs with it. The only way to protect a backend is via user login/2-legged OAuth.
I'm working on an application using sails. web and mobile.
I want to use CSRF protection that sails provides when the app is visiting on the web. And if a request is send by the mobile app. send with the payload a jwt.
On the sails' documentation I found a property csrf.routesDisabled that disabled the CSRF for some routes. But that is not what I want. I'm trying to find a way to for example, check if the parameter jwt is send in the post request. And if the parameter was send then check and validate it. else, check for _csrf value of the form. Is this possible?
or the csrf protecction works before any information is send to the server?
my better choose is use jwt in the web app too?
any other good idea for solving this problem is welcome
thanks
Sounds like you've built the web app with SailsJS and you're trying to reuse the controller actions as REST endpoints for external applications.
Really what you should do, is decouple the data access from the front-end. Have an isolated REST API - using token authentication - which is used by both a web front-end (and any other applications).
For example, I'm currently working with a SailsJS REST API, used by an EmberJS front-end and an iOS app. Both front ends login using user credentials, in order to receive an authentication token. This token is then used for any future requests. A policy locks down all but the login authentication endpoint, to validate the token
I can't seem to find anyone with the same issue - although I might have googled using the wrong questions.
I'm building a react app with server-side rendering. There is also another server which handles the entire API.
Here's the scenario I need to get working:
Initial website request initiated from user.
UI server loads the user from another API server
UI server then pre-renders all react components including the fetched user and sends it to the user
React component in browser needs to be able to fetch updated user information (from the api server, not the UI server)
So the problem is that I need to share the same session ID between the browser and the UI server.
I imagine it would work like this.
UI server requests user from API server.
UI server remembers session id from initial call and sets the cookie
Browser uses the set cookie for all future api requests and page refreshes
Is this achievable?
I would recommend you to use JSON Web Tokens instead of cookies. You can share the token in all of your services. It is the best way to authenticate user to use different apis at the same time.
Here is detailed tutorial for Node/Express
I have created a simple REST api for my application using node/ express. I am using AngularJS on the front end to serve pages to the user.
I would like to add functionality such that the API can only be accessed via my front-end and anyone should not be able to do a GET/POST request to my site and get the data?
What strategies can I use to achieve this?
HTTP request can be formatted and sent to sever by many other means beside a browser (curl for example), so any server always detecting correct source of a request is not guaranteed.
The basic method to protect an endpoint would be to use some kind of authentication. The requesting client must present something uniquely identifying it. API should provide clients a token after it proves itself authentic (via login etc), and all subsequent requests would be checked for this token.