my scenario is that I have an esp8266 which is sending some sensor data to a node server. Basically I just have a post request API which is configured on the server.
The ESP 8266 connects to wifi and starts sending data to the server, my question is:
Should each of my ESP 8266 be configured as users on the server and login for posting their data?
Is there another way I should be doing this like using a token based authentication which will allow the device to post their data while at the same time keeping my API secure? If so what should be my approach?
Thanks in advance
Related
I'm new to whole authentication/authorization part in web development. Specifically JWT. So I came across a medium post explaining the fundamentals of JWT. There was a diagram which showed how the web server and authentication server had no direct communication, AFTER a JWT token had been issued by the authentication server.
So, my 3 questions are:
What's the difference between the authentication server and the web server?
Is the authentication server, the database server?
And, since you are going to take user data(e.g password/username) from the
client(browser/user), to which server do you write the code to? authentication or web?
Because NodeJS/Express allows you to write the app server code right?
1 - An auth server is usually part of a microservice architecture, if you do not have to scale you can have a simple authentification middleware in your web server.
2 - The auth server is a server usually part of a microservice architecture which role is to authentificate requests and act as a gateway to the rest of the microservices.
3 - Depends if you want to scale or not. If you want to separate auth and the rest of the apis, there are multiple ways to scale.
Hope it helps =)
What's the difference between the authentication server and the web server?
These are two separate servers. Two different programs, potentially running on two (or more) different machines. With different purposes and responsibilities.
Is the authentication server, the database server?
No. For all you know the auth server may not use db at all. For example it can store all the data directly in files, or even in memory. Although, in practice there will be some db behind it. Auth server is just a server with a special purpose: user authentication (as the name suggests).
And, since you are going to take user data(e.g password/username) from the client(browser/user), to which server do you write the code to? authentication or web? Because NodeJS/Express allows you to write the app server code right?
Write code? Both? Depends on whether you implement the auth server by yourself or not. I'm not sure I get that question.
The point is that user credentials should be send to the auth server and the auth server is responsible for validation, secure storage and token issuing. So that other servers (in particular the one you call "web") don't have to worry about it.
I want to send a link to the email address for account verification and to reset the password. Later I had a frontend+backend structure, I want to know how can I do this in REST api way. If I host 2 frontend app in https://example1.com and https://example2.com how can I write a flexible backend in nodejs
Part 1: Sending Emails
To send emails, you need to have an SMTP server. For SMTP server, you can either configure one by your own or subscribe for email services like sendgrid.
Sendgrid provides APIs, which allows you to send transactional or promotional emails.
Part 2: Middleware
You may have to rent a linux server, install Node JS on it and use Express JS for developing and deploying the backend with REST API support. Your frontend apps https://example1.com and https://example2.com can be hosted using Apache and they can communicate to the middleware which is developed using Express JS.
Part 2: Database Connectivity from Middleware
You can install MariaDB in server and connect your node js program to MariaDB using the node module mysql.
This is just a high level advice. You will have to spend some time yourself to get everything configured and wired, or take the help of experienced engineers.
Where is it best to query database results in the MEAN stack? I've read examples from both Angular and Node/Mongoose but which is best/correct? Should you only send what is needed from the server? Or should you send as much as possible for convenience client end?
Your Backend(Node) and Frontend(Angular 2) will communicate via rest api and your database and its business logic will reside on server side. You will use mongoose here.
You will write endpoints(http web services), each endpoint will serve a specific purpose like /login will authenticate user and /user would return authenticated user details.
Your frontend would consume these web services and render the result in your ui.
You should send only what is necessary from the server at a time.No extra data should be sent.
I am developing a backend for a mobile application using Node.js to handle HTTPS requests. I have set up an SSL to connect from the client to the server and was wondering if this was secure enough.
I don't have experience with intercepting endpoints from the mobile devices, but I have seen that it is possible for people to monitor internet traffic out of their cellphones and pick up endpoints to server requests. I have seen hacks on tinder where people can see response JSON and even automate swipes by sending http requests to tinder's endpoints.
My real concern is that people will be able to update/read/modify data on my backend. I can implement OAuth2 into my schema as well but I still see cases in which people could abuse the system.
My main question is whether or not using HTTPS is secure enough to protect my data, or if a session authentication system is needed like OAuth2.
Thanks.
HTTPS, providing it is properly configured, will ensure the message was not read or changed en route and that the client can know the server it is talking to is not a fake.
It will secure the transport. It will not secure the application.
For example supposing you have an app that allows you to send a message saying https://www.example.com/transfermoney?from=Kyle&to=BazzaDP&amount=9999.99 and the server does just that based on those parameters. Then I could send that message myself - I've no need to intercept any app messages.
Normally the server needs authentication as well as HTTPS to, for example, verify only Kyle user can send above message and not anyone else. HTTPS normally only gives server authentication not client authentication (unless using two way certificate HTTPS).
So the question is, even if an attacker cannot read or alter any messages between app and server can they still cause harm? That is the measure of whether it is secure enough.
A SSL connection is only secure with the content you are sending.
SSL encrypts and ensures the authenticity of the whole connection, including the requested method and URL
So i would say just using the SSL encryption is save to transfer data between - i might consider OAuth2 for password etc.
But i would recommend to use GET for retrieval data and post for authorized data
You're building an armored tunnel between two open fields.
Assuming that you use current SSL protocols and settings, and valid certificates from trusted issuers, you can pretty much assume the network is OK.
However it's still entirely possible to compromise any or all of your transaction from the client. Security really depends on the device and how well it's configured and patched.
I'm planning on making an android application that sends user data to a web server and stores it temporarily in a database. Now I've never worked with databases or web servers before, but after reading a bunch of tutorials and a few days of hacking away I managed to get a node.js server with mongodb up and running on the openshift platform.
Right now anyone can interact with the database just by sending a GET request or even just pulling up the url in a browser. Is there a way to prevent that by happening or would I have to maybe encrypt the data myself before storing it?
You describe a typical web application using REST APIs. To secure it, do two things:
Deploy your REST APIs (or the entire site) using HTTPS instead of HTTP. This provides end to end encryption so your sensitive data cannot be viewed while in transit
Add an authentication and authorization mechanism, so that only authenticated endpoints can access your REST APIs.