Does NestJS come with security practices already? - node.js

Does NestJS handle some security practices out of the box? If not, what recommendations can you share to secure a NestJS application besides helmet? I see in the NestJS middleware docs an example using the helmet dependency.
When using TypeORM, is SQL injection covered?

Nest doesn't bring anything other than an actual HTTP provider used underneath (express/fastify). In order to stay flexible, we decided not to force anyone to use particular tools. Instead, you can choose whatever you want.
In terms of TypeORM, as far as I know, the SQL injection is prevented.

NestJS follows mostly the same security rules as the Node.js server and Express.
NestJS has a dedicated security section in its documentation that addresses these topics:
Authentication
Authorization
Encryption and Hashing
Helmet
CORS
CSRF Protection
Rate limiting
When it comes to protecting against SQL Injection, I think sanitizing input and using parameterized statements are the most important.
Overall, however, it is most important that programmers do not cause security holes through code and architecture, but follow good security practices, and that as administrators they expose to production hardened services running with the least privileges. It is important to educate ourselves in this area all the time.
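As an added illustration of the parameterized-statements point above (example code, not from the answer, NestJS or TypeORM): the driver receives a fixed SQL text plus a separate values array, so user input can never change the statement's structure. The `:name` placeholder rewriting models how TypeORM passes named parameters to the pg driver as `$1`, `$2`, ...; the table, column and sample input are constructed.

```javascript
// Vulnerable form: the value is spliced into the SQL string, so it becomes part
// of the query's structure. Any quote in the input rewrites the statement,
// which is the mechanism SQL injection relies on.
function findUserUnsafe(username) {
  return { text: "SELECT * FROM users WHERE name = '" + username + "'", values: [] };
}

// Safe form: the SQL text is a constant and the value is a bound parameter,
// mirroring createQueryBuilder().where('u.name = :name', { name: username }).
function findUserSafe(username) {
  return toDriverQuery('SELECT * FROM users WHERE name = :name', { name: username });
}

// Rewrites ":name" placeholders into positional "$n" markers plus an ordered
// values array (the shape the pg driver expects). Text inside single-quoted
// literals is left untouched because it is data, not a parameter. (Assumption:
// no "::type" casts in the input SQL; they would need extra handling.)
function toDriverQuery(sql, params) {
  const values = [];
  const text = sql.replace(/'(?:[^']|'')*'|:([A-Za-z_]\w*)/g, (match, name) => {
    if (name === undefined) return match;      // quoted literal, keep verbatim
    if (!(name in params)) throw new Error(`missing parameter :${name}`);
    values.push(params[name]);                 // a repeated name gets a new $n each time
    return `$${values.length}`;
  });
  return { text, values };
}

// Counting quotes is a quick way to see whether the input altered the statement.
function quoteCount(sqlText) {
  return (sqlText.match(/'/g) || []).length;
}

// Constructed input: a legitimate name containing a quote.
const input = "O'Brien";
console.log(findUserUnsafe(input)); // unbalanced quotes: the input changed the SQL itself
console.log(findUserSafe(input));   // SQL text unchanged; the value travels in values[]
```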

Related

Greenfields project using Sails.js and NodeBB - Is Passport suitable for providing single-sign on?

I'm an experienced Ruby (Sinatra, Event Machine, Warden, etc) developer and have decided to teach myself Node.js
I've written enough Node now to feel very comfortable with it, and now I'm feeling a bit more ambitious. I would like to wire a simple Sails.js app and a forum built with NodeBB together such that my users can sign into one and be automatically signed in to the other.
I'd like those users to have role-based authentication for access to various parts of the Sails app and also of the forum, so they'd need to share a common RBAC model.
Is Passport suitable for this? And if so, do you have any links to examples?
To persist sessions across requests, Passport relies on Connect, which in turn relies on encrypted cookies containing a connect session id. To use the same sessions across multiple applications, you will need to synchronize your Express / Connect cookie parser and synchronize or share your sessions and user models. You would need to use an external session store (like Redis or Mongo) and probably separate your user database from the individual application databases. Additionally, you would need to copy and paste the cookie parser secret into each application.
It's not really the best approach, though. The maker of Passport also published an open-source OAuth2 Server, which you can use (in combination with Passport's OAuth 2 authentication support) to provide authentication for all the applications you want to tie together. This is a much more robust and scalable solution to your problem, as you won't have to worry about synchronizing secrets and sharing databases. Additionally, it would allow you to write any kind of application you want (not necessarily in node) and still implement shared single sign on.
(If that still sounds like more effort than it's worth, you can always just use an external identity provider. Google-account based OpenID requires no setup, integrates seamlessly with Passport, and lets Google do all the work.)

Send requests directly to couchDB from NodeJS/Angular application?

I'm currently building a new web-application with user registration, profiles, image upload and so on. I was using the MEAN stack (MongoDB, ExpressJS, Angular, NodeJS) for previous projects and now want to try out couchDB.
couchDB delivers a REST-API for free. I could shift all the logic to the client and make sure that the input is valid via couchDB's validation functions. Therefore I could make the requests from the client directly to the database and I would not have to code annoying things like CRUD operations in my expressJS controllers. Authentication, validation and simple CRUD operations - it's all there and for free.
Is there a reason not to do so? I would then pass the request to my server and then pass it on to the couchDB from there, which pretty much eradicates all the nice benefits over mongoDB.
greetings,
Michel
I think your proposal is at least theoretically true and you might want to go ahead and do it, perhaps forwarding requests from the browser to couchdb with a reverse proxy like nginx or node-http-proxy. I believe there are products on the market espousing this "no application server" architecture such as parse.com, which provides some social proof that this idea is at least interesting and worth exploring.
However I think you will at some point discover there is such a thing as an application server and people use them and write code for them in nearly every application for good reason. Debugging problems with your couchdb data validation code is probably going to be cumbersome at best. Compare that to the amazing features you have debugging node.js code with node-inspector and the chrome developer tools debugger.
couchdb is also probably not going to provide realistically granular enough authorization capabilities. This means eventually your application will be exposed to malicious users just doing a PUT with the right document id and gaining access to data they are unauthorized to see or change.
Very few applications are simple enough that UI + DB can handle all of the data transitions and operations that are needed. You could in theory code some of this logic in the browser, but having the Internet between your compound query logic and your database is going to add so much latency to your app to make some features impossible, especially if you have to do a query, get some results, then do a secondary query based on each of those results. That is sometimes feasible between a server-side application and its couchdb, but doing that across the Internet will suffer from the latency.
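To make the authorization point above concrete, here is an added example (not from the answer or from CouchDB's documentation): a `validate_doc_update` function that ties each document to an owner, with a small local harness that calls it with the same four arguments CouchDB passes. It blocks the "PUT with the right document id" case for writes; note that validation functions never run on reads, which CouchDB controls only per database through the security object, so per-document read authorization is exactly what needs an application server. User names, document ids and roles are constructed.

```javascript
// validate_doc_update as CouchDB calls it: (newDoc, oldDoc, userCtx, secObj).
// CouchDB's convention is to throw {forbidden: msg} or {unauthorized: msg}.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf('_admin') !== -1) return;    // server admins bypass ownership
  if (!userCtx.name) throw { unauthorized: 'login required' };

  if (newDoc._deleted) {                                  // deletions only by the owner
    if (!oldDoc || oldDoc.owner !== userCtx.name) throw { forbidden: 'not the owner' };
    return;
  }
  // A user may only write documents marked as their own...
  if (newDoc.owner !== userCtx.name) throw { forbidden: 'owner must be the current user' };
  // ...and may not overwrite a document someone else already owns, even when
  // they know its _id and submit a new revision claiming it as theirs.
  if (oldDoc && oldDoc.owner !== userCtx.name) throw { forbidden: 'cannot overwrite another user\'s document' };
}

// Local harness standing in for CouchDB's PUT handling; maps the thrown
// objects to the outcome CouchDB would return (403 forbidden / 401 unauthorized).
function attemptPut(newDoc, oldDoc, userCtx) {
  const secObj = { admins: { names: [], roles: [] }, members: { names: [], roles: [] } };
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj);
    return 'ok';
  } catch (e) {
    if (e && e.forbidden) return 'forbidden';
    if (e && e.unauthorized) return 'unauthorized';
    return 'error';
  }
}

// Constructed scenario: alice's profile exists; bob tries to overwrite it by id.
const existing = { _id: 'profile:alice', owner: 'alice', bio: 'hi' };
const alice = { db: 'app', name: 'alice', roles: [] };
const bob = { db: 'app', name: 'bob', roles: [] };
console.log(attemptPut({ _id: 'profile:alice', owner: 'alice', bio: 'new' }, existing, alice)); // ok
console.log(attemptPut({ _id: 'profile:alice', owner: 'bob', bio: 'x' }, existing, bob));      // forbidden
```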

Is Passport for NodeJS relevant when there are no immediate plans to integrate external API's?

Is there any point using Passport for Node when there are no plans to integrate external API's like Facebook and Twitter?
I'm looking at arguments for implementing any of the so-called 'strategies' for a generic authentication system in my own application. Or is the only point of Passport to utilise specific authentication strategies from other API's?
Is there even a strategy that acts as a placeholder for future API integration if one was later required?
Is there even a strategy that acts as a placeholder for future API integration if one was later required?
Yes, there is passport-local.
Is there any point using Passport for Node when there are no plans to integrate external API's?
IMHO if you don't need it, leave it out. YAGNI. Fewer dependencies is a good thing. When you need it, it is simple enough to add. I also think social login is/was largely a fad that was pseudo-required at one point but these days many people are over it.

How must a Node JS server be configured to function as an endpoint for a Breeze JS application

At this point, I'm convinced that declarative bindings backed by a robust data query service is the secret sauce for writing scalable rich client applications for the web.
Obviously there are many options for declarative data binding (Knockout JS and Rivets for Backbone to name just a few). However, when it comes to querying the server, caching data and tracking changes on the client, the only modular solution that looks half way mature seems to be Breeze JS. And yet, while it claims not to dictate server technology, all documentation examples show Breeze running with .NET.
What requirements, API-related or otherwise, must a server fulfill in order to serve as an endpoint for a Breeze application? Is implementing the OData protocol enough? Are there any examples out there to light the way? Or other libraries solving this problem that I've missed?
You can use Node.js as an OData server with JayData:
http://jaydata.org/blog/install-your-own-odata-server-with-nodejs-and-mongodb
It's free and open source.
Yes, OData is sufficient. However, we are still working on OData save support (querying is fine, of course).
Sorry for the delay in getting out non-.NET samples. We are definitely committed to an open, pluggable back-end and will be releasing more samples in the next few weeks.
Also, please vote for these features (or submit your own) on our UserVoice feedback page. This helps us prioritize what to work on next. Thanks!

Security and Policy Injection Application Block

I have a mixed UI (Win App, WPF App, and soon an ASP.NET MVC App) setup, so far I'm using Client Application Services for security. I know how to programmatically get a user authenticated and doing so is working beautifully. However...
I want to implement some cross cutting that basically checks to see if the user is authenticated all the time. Since everything will be accessing web services I want to enable this as a standard execution for pretty much everything the UI does. So far I'm thinking the PIAB - Policy Injection Application Block - will serve that function. What I'm wondering is two things:
1. Will the PIAB cover that needed functionality? Verifying authentication at every practical step if used against the UI?
...and...
2. Are there alternatives out there besides the PIAB? I'm curious to do a comparison of aspect oriented policy injection frameworks.
I'm not really familiar with Client Application Services but from my experience, most AOP frameworks wrap interfaces in order to implement the cross-cutting functionality. If CAS uses interfaces, you could probably just wrap them with whatever functionality you require.
Alternative AOP frameworks:
Spring.NET
Castle Dynamic Proxy
Spring.NET and Dynamic Proxy seem to work in much the same way and have much the same performance in my Hello World type tests (about half-way between direct calls and invoking through reflection). PIAB is significantly slower than both these frameworks and I found it a bit more verbose. It does have the ability to be configurable via XML and I'm not sure if that's a good thing or not. Not sure if the other frameworks provide that. It does of course have the MS stamp of approval though :P.
