I am trying to understand the following security aspect:
If I understand it right, in PHP the URL is routing directly to specific files on the server. e.g. https://mypage.com/secretFunctions.php will route to secretFunctions.php. If I protect this route trough basic authentication, the authentication will happen before the file is processed and served to the client. In result, only the authenticated user will ever get to see the rendered content.
In case of a client-side node.js app, the whole App.js code is sent to the client and processed there. The URL is always pointing at the same file. The routes defined in that file determine which code snippet will be executed and rendered. Even if I protect any specific route by any kind of authentication, the user will get the whole code anyway.
Is there a way to prevent this? To prevent clients receiving the private code of private routes, as long as they are not authenticated?
In node.js the whole App.js code is sent to the client and processed there.
No, that is not how it works at all. When you run node.js and code on your server that code doesn't go to the client - ever. It just runs on the server. The client has no access to it. If you run your node.js app with the command line node app.js, then the node executable engine is run and it executes app.js on the server.
In a node.js server, you would not typically define private routes and expect to use them only from your server implementation with no client access. While, it can be done (using some form of authorization token that only the server knows), you typically wouldn't use a private route at all on your public server. Instead, rather than requesting a private route on your own self, you would just put the relevant code in a function and call that function directly. Then, it's entirely private to the server implementation.
Then, app.js would start an http server process and define routes that it wants that server to handler. When a client comes along and requests a route from the server, then the app.js code (or other modules that it loads) will parse the requested route, map it to a defined handler for that route and execute just the node.js code that is supposed to process that route. When it's done processing that route, it will send a response. Depending upon what type of request it is, that response might be a web page that the browser will parse and display or it might be a piece of JSON that is the result of the request or it could be any number of other data types.
The only code that is sent to the client is Javascript code that is embedded in a web page and specifically meant to run inside the browser. That would not be node.js code and is not your server code. That would be browser Javascript just like one would use with any back-end framework (node.js is no different than any other framework in that regard).
Is there a way to prevent this? To prevent clients receiving the private code of private routes, as long as they are not authenticated?
This part of the question is mostly just misguided as it seems to be based on a misunderstanding of how a node.js back-end app server works. You prevent code going to the client that shouldn't by not sending it to the client in the first place. The client can't see anything from your server that you don't specifically have a route to handle and send a response. By default a node.js web server sends NOTHING to the client. No pages are sent by default. So, the only thing that is ever sent to a client is a response that you write code specifically to send. Note, this is different than other back-ends (like Apache) that may be configured to automatically send lots of things that are requested.
If I understand it right, in PHP the URL is routing directly to specific files on the server. e.g. https://mypage.com/secretFunctions.php will route to secretFunctions.php.
That is PHP. That is not how node.js web servers work. For the route https://mypage.com/secretFunctions.php to respond at all to the client, you have to define a route in your server code that was specifically coded to respond to the request /secretFunctions.php and then you'd define what code should run on the server when that request is received. No code is sent to the client unless you specifically write code in this route handler to send code to the client that you want to run in the browser.
Let me show you a very simple node.js app that responds to three routes (and only three routes). Let say this is app.js:
const app = require('express')();
app.get('/', function(req, res) {
res.send("Hello");
});
app.get('/name', function(req, res) {
res.send("My name is Bob");
});
app.get('/city', function(req, res) {
res.send("I am in San Francisco");
});
// start the server
app.listen(80);
You start this server with node app.js. When it runs app.js, it initializes an instance of the express framework, registers three route handlers and then starts the web server.
Now, you have a running web server. Suppose you have a web browser running on the same server and you type this into the URL bar: http://localhost. That will trigger the '/' route handler and will display "Hello" in the browser.
Then, you type http://localhost/name into the browser. That will display "My name is Bob" in the browser.
If you type any other route besides these three that are defined here, nothing will be sent to the browser. It doesn't matter if there's a contacts.html file sitting in the same directory. If there isn't a specific coded route to handle a request, nothing is sent. So, no private code is every sent by default.
Now, there are ways to instruct your server to automatically send some static files, but that takes a special kind of route that is told exactly what route prefixes to look for and what directory on your server to look for files that might match URLs that are requested. This can be done for static files that you specific locate in a directory by themselves (like .css files, for example) that you intend to send to the client when requested. And, you have to use the right code to make that happen. By default that never happens.
Related
i am using node js with template enjine ejs, i cant figure why my server is running every request from the browser two times, vecause when i do the same request from postman its only loaded one time, if i see network i get this
ass u can see the page home is loaded two times, so the req is make 2 times, where the server process times the same request and every thing , but why
after if i look at the request headers made by the browser i see something strange, that the header change its content, in my first(normal)request i get this:
but in the second request(the one that should'nt be made:
you can see that the accept parameter is different it looks like if he is requesting for an image in the static files , but i dont know what can be, first i thought was theb server was requesting the favicon.ico file, but its not because i already added a handler for that,
here i gonna let the whole project github code if someone need it and can help:
main files are appjs and server js, and req are handled by the routers folder and routers handle to their controller, is an MVC architecture
https://github.com/jazdevv/social-media-tw
In ExpressJS, the main app.js file as far as I am aware is loaded first and imports all code it needs such as require('myclass.js') lines, including routes etc.
My question is, does every time a user request a page from Express (home page, login page etc), does Express then run all the code in app.js AGAIN? Requiring all files etc. Seems like a huge amount of overhead?
I've never found a clear answer to this question.
Thanks
My question is, does every time a user request a page from Express (home page, login page etc), does Express then run all the code in app.js AGAIN? Requiring all files etc. Seems like a huge amount of overhead?
No. The top level code in app.js is run once at server startup time. That code loads module dependencies, creates the Express app object and then registers route handlers on it and then starts the http server.
A route handler that matches an incoming http request will be called each time that matching incoming request arrives, but only that request handler and any appropriate middleware will be called. The Express app and all the route handlers are initialized only once.
Your code in node.js differs from some other environments in that your code and all its routes are initialized once at server startup time and that server object then stays running, ready to field every incoming request and divert it to the appropriate request handlers. Likewise any module state you set in node.js is available to all future requests too.
So, when a user hits the /login URL, only the express request handler for that page (and any configured middleware) is run. Other routes are just sitting there waiting for an incoming request that matches their route configuration.
I am calling a meteor method, which generates a file using fs. I wait for a callback giving me the path where the file exists, and then I request the file with a server route. The code is very similar to this SO answer. I have also tried using createReadStream (as demonstrated here) instead of passing the file directly to response.write.
This all works well on the client's first click of my export/download button. However, if for some reason they want to click the button more than once, the file will get generated but the file will not get served by Iron Router. There are no errors on the client or server. If the user refreshes the client, then the feature will work again (once).
Why do I need to refresh the browser in order to request the same server route a second time? Am I doing something wrong?
Example Application
Does the URL change when they click the first download? If so, and the second route is the same, you will not get redirected as you are already there. If this is the case, can you use the router hooks to send the user back to the route they came from?
Ok, I am new to web dev and here's a stupid question. I have been through a few tutorials for node, express and backbone individually, but I can't seem to wrap my head around how they are integrated. Particularly, consider this use case:
Person X opens the browser, types in a URL and hits enter->Express responds to the request and sends some data back to the browser.
My question is, where does backbone come into the picture here ? I know it's a mvc framework to organize your JS code. But, I can't find a place in this use-case where the server/browser interacts with backbone. Only thing I can think of is that the backbone saving the route and serving the page the next time. But what about the first time ? It would be best if someone could explain to me how the request gets routed from client browser to express/backbone to browser again.
Also, am I correct in assuming response.send() or response.json() will send the result to backbone when model.fetch() is called ? I mean, is there no additional code required ? Being new to web dev, I'm quite not used to the idea of the framework 'taking care' of everything once you send the response back.
EDIT : Here's what I have understood so far. Feel free to correct me if I am wrong. When I access websites like gmail, the server first sends a big html file including backbone.js code in it. The backbone.js code listens for events like clicking on links in the html file and handles them if the links are defined in it routes(routes are always relative to current route, accessing a completely different route sends request to the server). So, if I click compose, my url remains the same because backbone handles the request. However, if I click Maps/News services in the bar above, the server handles the request.
There is no special integration between backbone and node.js.
If you use the standard backbone sync method then all you need to do is:
Use the static middleware in express to serve up your static html/js/... files.
Define RESTfule routes in express that conform to what backbone is expecting.
Backbone does indeed make an http call when you do model.fetch. You could look in Chome network tab to see where it's sending the request to and then implement that route in express.
While trying to serve a page from node.js app I hit with this question. how multiple files are serving from a server with a simple request from user?
For eg:
A user enters www.google.co.in in address bar
browser make a request to that url and it should end there with a response. But whats happening is, few more requests are sending from that page to server like a chain.
What I am thinking now is, how my web browser(chrome) is sending those extra requests... Or who is prompting chrome to do it? and ofcourse, how can I do the same for my node.js app.
Once chrome gets the html back from the website, it will try to get all resources (images, javascript files, stylesheets) mentioned on the page, as well as favicon.ico That's what I think you are seeing
You can have as many requests as you want, from the client side (browser), using ajax. Here's a basic example using jQuery.get, an abstraction of an ajax call:
$.get(
"http://site.com",
function(data) { alert(data); }
);