Node.JS white listing mobile apps? - node.js

I'm building a node.js application which serves publicly accessible https APIs.
Having said that, I want to build a middleware which should tell me the device type (android/ios/windows/web -> already done).
And if it's a mobile app accessing the APIs, I need to know the app bundle ID as well, e.g. com.awesome-app.app -> how to do this?
My goal here is to whitelist certain web apps and some mobile apps only.
So, is there any way I can find out a mobile app's bundle ID, like the way we can find out a website's origin in request headers?
Please let me know if there are other ways available to accomplish this instead of a middleware?
Thanks in advance!

Using middleware is a good option. I don't think there are any other ways to restrict or allow users. Using middleware is the only and best way so far.

If you are just asking about your Node.js app, then middleware seems to be the solution.
But you can use other services such as Apigee to filter requests.
If you don't have any authentication middleware, any app can fake the request to your app so any solution won't be good enough.
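
An added example, not part of the original posts: an Express-compatible middleware that allowlists web callers by `Origin` and accepts a declared bundle ID only when the request also carries a valid HMAC made with a per-app secret. The header names (`x-app-id`, `x-app-timestamp`, `x-app-signature`), the allowlisted origin and the secret are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed allowlists: origins for web apps, per-app secrets for mobile apps.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const APP_KEYS = new Map([["com.awesome-app.app", "constructed-demo-secret"]]);
const MAX_SKEW_MS = 5 * 60 * 1000;

// HMAC over the request parts the caller must not be able to change or replay later.
function sign(secret, method, path, timestamp) {
  return crypto.createHmac("sha256", secret)
    .update(`${method}\n${path}\n${timestamp}`).digest("hex");
}

// Returns the verified caller identity, or null if the request must be rejected.
function identifyCaller(req, now = Date.now()) {
  const h = req.headers;
  // Browsers set Origin themselves, but a non-browser client can send any value,
  // so this branch only constrains pages running inside a real browser.
  if (h.origin) return ALLOWED_ORIGINS.has(h.origin) ? { web: h.origin } : null;

  // A bare x-app-id is just a claim; it counts only with a fresh, valid signature.
  const secret = APP_KEYS.get(h["x-app-id"]);
  const ts = Number(h["x-app-timestamp"]);
  if (!secret || !Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return null;

  const expected = Buffer.from(sign(secret, req.method, req.url, ts), "hex");
  const given = Buffer.from(String(h["x-app-signature"] || ""), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return { app: h["x-app-id"] };
}

// Express-compatible middleware: (req, res, next).
function allowlist(req, res, next) {
  const caller = identifyCaller(req);
  if (!caller) { res.statusCode = 403; return res.end("forbidden"); }
  req.caller = caller;
  next();
}
```

A secret shipped inside an app binary can be extracted, so this identifies whoever holds the key rather than the binary itself; per-user authentication is still needed for anything sensitive.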

Related

Is frontend better or backend for integration with smart contract (erc721)?

I have developed my Ethereum smart contract and I want to integrate it with my web application. But I don't know whether integration with ReactJS or integration with Node.js is the better option. Please give suggestions. Also, I don't know how to do the integration with the backend through the web3 library, so please guide me on that.
When you are creating a web3 app, most of the time you are not going to need a backend for that (although you need a server to host your website).
Working with and managing smart contracts is very easy at the front end and there is no need for a backend, but if you're working on a large-scale project, you are definitely going to need a backend for handling complex logic.
Next.js is the best option for both of those, containing Node and React; there is also no need to manually configure a web server.
Better is next.js. I explained it here: https://ethereum.stackexchange.com/questions/129547/next-js-versus-react-which-to-use-when-for-your-dapp/130040#130040
Not every browser has the MetaMask extension. By using next.js, when our
code is taken and rendered on the server, on the next server we can
reach out to the Ethereum network and do some initial calls like data
fetching, or a list of items in your smart contract. We execute all of
those requests on the server. That means when next.js produces HTML
documents to send down to the user's browser, it does not matter whether
or not users are using MetaMask. It does not matter whether or not
they have access to an Ethereum network. Because we already take care
of the data fetching for them. So all the users out there who are not
using MetaMask are going to see some information on the screen.
You've mentioned that you don't want to switch technologies, and while I agree with NextJS being a good platform to develop dApps on, I suggest you just use your current NodeJS server for anything that isn't web3 related and you use the web3js library from the frontend (your React) which would be very similar to a NextJS app anyway.
This way you don't have to switch technologies.

Do I need Express to create web services using Nextjs?

I am trying to create a general web service using Nextjs.
In my research, I often see cases where Express is used as the backend for Nextjs.
However, Nextjs has an api function.
In what cases do we need to use Express for the backend?
Well, you don't really need Express as the backend server. You should be able to use any framework from any programming language. I guess the reason that you often see it used is because it is the best documented.
Regarding api routes, you will always have to use some kind of backend server as it does not work with next export (aka creating a static folder containing html, css and JavaScript).

Running server and react app from one place

I'm trying to set up a server and react app to both serve from one place, and host from one domain. This gives me the advantage of one repo and being able to use server side cookies instead of auth tokens.
See also this link: https://dev.to/nburgess/creating-a-react-app-with-react-router-and-an-express-backend-33l3
I also prefer to use typescript.
I really think this would be a good approach, but it is hard to find resources. All courses, free or paid, are working with separate React / Angular frontends, which then need to fetch data from a backend on a separate domain.
Does anyone know a good resource on how to combine a React frontend and an Express backend and host them from one place? Or are there good reasons not to do that, which I just don't see at the moment?

Getting Users API access in nodejs AppEngine environment with Identity Aware Proxy

I have a nodejs app deployed on AppEngine with IAP enabled, so right now access to its endpoints is protected against users outside of the project's IAM and I get the "x-goog-authenticated-user-id", "x-goog-authenticated-user-email" and another jwt assertion x-goog signed header, just like it should be (as detailed here https://cloud.google.com/iap/docs/identity-howto).
In certain AppEngine environments (so far Python, Java, Go) it seems you are able to use some already provided libraries to get more information about the user with Users API, however the nodejs page is disabled (here https://cloud.google.com/appengine/docs/standard/python/users/), there seems to be no indication of what should be done there. Any ideas?
If there is no straightforward way around it, would I be able to have an App Engine environment that also exposes, for example, the Python libraries for the Users API so that I can wrap around them and use them in my nodejs app?
The Users API isn't supported for Node.js. Instead, you can get the identity from the x-goog-iap-jwt-assertion header.
We don't currently have a code sample for Node.js, though this looks like one reasonable approach. (Disclaimer: I'm not a Node user, and don't know enough about Node JWT libraries to endorse any of them in particular.)
Update for the current state:
There is currently an Identity-Aware Proxy Documentation for Node JS.
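
An added example, not part of the original answers or of Google's samples: verifying the `x-goog-iap-jwt-assertion` header with Node's built-in `crypto` before trusting the identity in it. The ES256 algorithm, the `https://cloud.google.com/iap` issuer and the public-key URL follow Google's IAP documentation; `makeDemoToken`, `iapAuth` and the idea of passing a locally generated key are assumptions so the code runs offline.

```javascript
const crypto = require("crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const parsePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Verify an ES256 JWT as IAP issues it. `keys` is a Map of kid -> PEM public key
// (in production, fetched from https://www.gstatic.com/iap/verify/public_key).
// Returns the claims on success and throws on any failure.
function verifyIapJwt(token, keys, expectedAudience, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = parsePart(h);
  // Pin the algorithm; never let the token pick it (e.g. "none" or HS256).
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  const pem = keys.get(header.kid);
  if (!pem) throw new Error("unknown kid");
  // JWS ES256 signatures are raw r||s, so verify as ieee-p1363, not DER.
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
    { key: pem, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = parsePart(p);
  if (claims.iss !== "https://cloud.google.com/iap") throw new Error("bad iss");
  if (claims.aud !== expectedAudience) throw new Error("bad aud");
  if (!(claims.exp > nowSec)) throw new Error("expired");
  return claims;
}

// Constructed stand-in for IAP so the example runs offline: signs claims with a local key.
function makeDemoToken(privateKey, kid, claims) {
  const h = b64url(JSON.stringify({ alg: "ES256", typ: "JWT", kid }));
  const p = b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${h}.${p}`),
    { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${h}.${p}.${b64url(sig)}`;
}

// Express-style middleware (hypothetical wiring): sets req.user from the verified claims.
const iapAuth = (keys, audience) => (req, res, next) => {
  try {
    const c = verifyIapJwt(req.headers["x-goog-iap-jwt-assertion"], keys, audience);
    req.user = { id: c.sub, email: c.email };
    next();
  } catch (err) {
    res.statusCode = 401;
    res.end("unauthorized");
  }
};
```

For App Engine the expected audience has the form `/projects/PROJECT_NUMBER/apps/PROJECT_ID`; checking it is what stops a token issued for another IAP-protected app from being accepted here.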

Can't understand Ember + Node auth

I've been using Ember, Node and Express for the past 2 months.
I've developed a small app, and now it's time to add user auth to it, but I can't figure out how to do this.
There are a few questions I have:
1. In SPA apps, where there's only index.html, I include all the .js Ember files. So, could the user see all the app logic without auth? How can I add the libs only when the user has been authenticated?
2. What's the right way to do auth in Ember? I haven't seen a solution in the official documentation.
3. How does the frontend communicate with the backend, what's the logic here? Is it in every route?
Also I'm looking for an example or tutorial.
Thank you!
I believe these videos target exactly your question
http://www.embercasts.com/episodes/client-side-authentication-part-1
http://www.embercasts.com/episodes/client-side-authentication-part-2
Just to mention a great resource for Ember tutorials: http://emberwatch.com/ - it contains screencasts, books, talks, articles - all you need to get started.
There is nothing bad about "seeing logic", you are protecting data, not code. Still, if you really want to protect your code, you can create a separate login page and require authentication for every other resource (app html, styles, scripts, etc.). But protecting EVERY resource of your app means that you can't delegate handling static files to nginx or cdn or whatnot. So, think carefully.
There are two approaches: embedded authentication and a separate login page. For the first one you can use https://github.com/Vestorly/torii or https://github.com/simplabs/ember-simple-auth. If you decide to go with the second, you can just use the authentication provided by your backend (passport.js, etc.) and redirect to the login page on failures.
Nothing special, you just write your model methods and handle possible authorisation errors. You might also want to have a user object around to use in your template and route logic.
