I currently have a node js server deployed to heroku. I want to restrict non-authorized domains from interacting with the API's. I know I can do this on the server side by either requiring authentication or by requiring specific request host. But is there a way to configure that on heroku? To only allow a specific server owned by me to call the node serer.
Heroku most likey adds an x-forwarded-for header to requests it is sending to your application. You'll want to get the first address in that list:
const ip = (req.headers['x-forwarded-for'] || '').split(',')[0];
Where req is a request object. This glitch demonstrates it in action.
Using this address, you can respond to traffic depending on its IP from your node server.
Related
How i red here, if i need to send cookie from nodejs to react application both app should be on the same port. Doing this on the server: res.cookie('token', token, { httpOnly: true }); i can send the cookies on front-end if i have the same ports, but here appear the issue if the both apps are on the same port, because if i access on front end for example http://localhost:4001/login and my server also is on http://localhost:4001, i can get the 404 error, because in this way i access the server route http://localhost:4001/login not front-end. Question: So How to solve this issue when the routes mess with each other and to be able to send the cookies?
One of the solutions is to use domains instead of ports.
For this purpose you can launch an edge web server locally (for instance Nginx or Apache) with port forwarding and set mapping from your domain to your localhost.
Also, you can use one of the plenty of services that can expose your local web servers to the Internet. Probably it could be the easiest one for you. Here is the sequence of actions then you can apply to resolve the issue:
Step 1
Run frontend and backend apps on two different ports, let's say 4001 for the backend app and 4002 for the frontend app. As a result of the step, you have to be sure that both apps are up and running and accessible via ports.
Step 2
Sign up and install https://ngrok.com/ or any other service which can expose your local app to the internet with a domain.
If you will choose ngrok, my suggestion is to write a configuration file and place it in the default location. (default location of config-file depends on your OS - here is the link to the documentation: https://ngrok.com/docs#config-default-location)
Here is the example of a config file:
authtoken: // place your ngrok access token here
region: eu
tunnels:
frontend_app:
proto: http
addr: 4002
backend_app:
proto: http
addr: 4001
Don't forget to place your authtoken, to get one you have to signup.
For more information about setup ngrok, please check the official documentation: https://ngrok.com/docs#getting-started-expose
https://ngrok.com/docs#tunnel-definitions
As a result after you launch ngrok you have to get the next output in the console:
Forwarding http://569de0ddbe4c.ngrok.io -> localhost:4002
Forwarding https://93b5cdf7c53f.ngrok.io -> localhost:4001
And be able to access your local apps via generated external addresses.
Step3
The last two things you have to do are:
Replace your API endpoint with an external URL (https://93b5cdf7c53f.ngrok.io in my example) in your frontend app.
Tweak res.cookie call in the backend app to make possible access cookies from both domains: res.cookie('token', token, { httpOnly: true , domain: 'ngrok.io' })
That's it. Now your apps are accessible from the Internet by different third-level domains with shared cookie between them.
I have 2 servers which I run as front-end and back-end server. I use rest api for calls and nginx as reverse proxy in both servers.
I want to restrict public access of back-end server (direct access), and allow access only to front-end server for api calls. Both servers have unique domain. By default if someone tries to get the url of backend server and opens, It should show some error 400 message.
I tried nginx deny and allow but not working.
What may be the best way to do this ?
By using Node and Express, can I allow only HTTP REST calling from a specific mobile app?
For security reason, I want to achieve these:
1. Allow only specific IP range. Since both of the app is hosted using Azure website.
2. Allow only connection from specific mobile app.
Use CORS or JSONP
In CORS
For example, to allow http://mozilla.com to access the resource, you can specify:
Access-Control-Allow-Origin: http://mozilla.com
You can check HTTP Headers to get the client ips, see here
Check the ip with your IP list and only return if it is success.
I have two apps, one front end and one a REST API back-end. How do I get the IP address of the user accessing the back-end when the front-end client makes a request to the back-end?
I have tried this.request.ip, but it shows the IP of my front-end site, not my actual IP address.
That would be in the HTTP incoming request object. I don't know what property in the object from the top of my head, but you'll find it in your route if you simply log the request: console.log(this.request). You can bypass Koa and get the raw Node request object with this.req instead - but I'm sure the client IP is available in the Koa request as well.
I want to build a node js internet gateway/captive portal. So I can have a user 'authorize' his mac address or ip address if the mac address is not possible like used for wifi hotspots
So what I have in mind is node can have a dhcp server and it gives its ip address as the gateway. So if the user loads a page on the web browser it gives them an authentication screen and they can then log in and the gateway can then route its packets correctly.
How can I do the authorization step with node.js so if they're not logged in it presents a log in page & if they are to route the packets correctly?
You need couple of pieces to put this together.
#1: http proxy - If you can run a DHCP server and assign IP addresses, then you can run and http-proxy to capture all internet traffic.
#2: You'll then need to add authentication logic to this proxy which can check for a cookie, magic packet, token or something that verifies access and lets them through or redirects to login page.
node-http-proxy is a very popular and flexible node http proxy server that you can easily add your own logic to.
node-http-auth-proxy is another such project with an example of how to handle authentication built in.
Having a proxy also allows you to whitelist/blacklist sites/IPs, something you may wanna do based on your target audience.