I have a React front-end that calls REST APIs. The front-end and back-end are hosted on different servers. It's a simple application so I don't want to implement User accounts/API keys. How do I secure the backend so that it could be only used by my React front-end.
you cannot, the only way that I see could come close is by generating a token that's embedded in one of your static React files and validate that token upon request (for every instance downloaded by a user), but it would be impossible to prevent an attacker from fetching that file/token and call the backend APIs with it. The only way to protect a backend is via user login/2-legged OAuth.
Related
I've built my backend using MongoDB Atlas, Express, and Node JS and deployed it to Heroku. Using Postman, the app is operating properly so far (users are getting added and I'm receiving the json web token correctly).
But I'm thinking that this might not be correct because it seems like anyone with access to my Heroku URL and routes can easily create a new user, receive the json web token, and basically operate their entire app using my backend.
My questions are:
Am I missing something huge about how I've built my backend?
How do I go about securing my backend so that only my apps can access the backend?
You can use Passportjs to protect your routes, passport will be your middleman between person accessing the back-end and your actual back-end.
You can give access to the routes if a valid JWT is passed (JWT strategy) otherwise it will throw 401 (Unauthorized).
There are 400+ strategies available, I will recommend JWT one because you are already generating JWT.
Protecting backed is integral part because most of scripts can disable security on front-end leaving apps vulnerable to attacks.
I'm trying to do this.
I need to push data from NodeJS (backend) to Angular (frontend) without any explicit request from Angular to NodeJS.
I was thinking of making an API request to Angular from NodeJS and Angular would listen to the API request via a Service and fetch data accordingly.
I'm not sure whether this is the right approach or is it possible in the first place, could someone guide me in the right direction?
Edit:
I'm trying to implement this for multiple Social Media Integrations in a One Page MEAN App. On button clicks, users get redirected to respective Social media authentication pages, after successful authorization, I'm able to fetch the accessTokens in the backend. I'm confused about how to send the data to frontend without passing the accessTokens in URL parameters.
Is there any other approach to implement it in a MEAN app?
I think you can use socket module for pushing data from Nodejs to angular.
The socket module provides emit and on methods with the help of this you can broadcast data or send in the request also generate your own event please check this for more information
you should use tokens as like JWT (passport JWT strategy) and pass it to the client and store it in a cookie / local storage. you can use these tokens to protect api's and/or socket.io connects. after that you do whatever communication you want. the client needs to open the connection to the server (via pull or websockets) or you need to use some form of push service. The reason is, that for many clients they are behind address translation and cannot be reached directly.
I'm working on an application using sails. web and mobile.
I want to use CSRF protection that sails provides when the app is visiting on the web. And if a request is send by the mobile app. send with the payload a jwt.
On the sails' documentation I found a property csrf.routesDisabled that disabled the CSRF for some routes. But that is not what I want. I'm trying to find a way to for example, check if the parameter jwt is send in the post request. And if the parameter was send then check and validate it. else, check for _csrf value of the form. Is this possible?
or the csrf protecction works before any information is send to the server?
my better choose is use jwt in the web app too?
any other good idea for solving this problem is welcome
thanks
Sounds like you've built the web app with SailsJS and you're trying to reuse the controller actions as REST endpoints for external applications.
Really what you should do, is decouple the data access from the front-end. Have an isolated REST API - using token authentication - which is used by both a web front-end (and any other applications).
For example, I'm currently working with a SailsJS REST API, used by an EmberJS front-end and an iOS app. Both front ends login using user credentials, in order to receive an authentication token. This token is then used for any future requests. A policy locks down all but the login authentication endpoint, to validate the token
How do you authentication multiple websites through a single NodeJS API using passport's google authentication strategy?
The API is hosted separately to the webpages. From playing with the guides on the passport website and tutorials I can find, they all rely on the Node application doing the page rendering (i.e. using Jade etc) and not passing a token back to a separate web application
What is the best approach for creating a single API that can authenticate against Google and return a token to the client without having the API and the website(s) hosted on the same box and all served by NodeJS?
I can get the strategy to work when accessing the API endpoints directly, but I cannot figure out how an application would interact with those, and get a token back when they are on different domains.
I have created a simple REST api for my application using node/ express. I am using AngularJS on the front end to serve pages to the user.
I would like to add functionality such that the API can only be accessed via my front-end and anyone should not be able to do a GET/POST request to my site and get the data?
What strategies can I use to achieve this?
HTTP request can be formatted and sent to sever by many other means beside a browser (curl for example), so any server always detecting correct source of a request is not guaranteed.
The basic method to protect an endpoint would be to use some kind of authentication. The requesting client must present something uniquely identifying it. API should provide clients a token after it proves itself authentic (via login etc), and all subsequent requests would be checked for this token.