My ArangoDB server contains a database (mydb) with a collection (thiscol) and in the collection sits a bit of data. I can login with a user Thijs and look around using the web interface.
I cannot have user Thijs use the REST API, I have tried setting the password, granting access, restarting and making a new user.
The REST interface always returns 401 Unauthorized. I have obviously quadrupple checked the password.
If I use the user root it all works fine.
And I rather not start with Foxx services at this point because it seems to be an enormous amount of work to implement a REST service that allready exists but is not 'available'.
So is the REST API only implemented for a single hard-coded username or am I missing something here..
REST call example: http://localhost:8529/_api/collection
per request
failing GET
Ah, you need to specify the database to use in the URL, without specifying a database it will default to _system. Try localhost:8529/_db/vbo/_api/collection see this documentation page for more info.
Glad to help get it resolved.
Related
I followed this tutorial :
http://blog.cendekiapp.com/2015/04/02/add-authentication-in-sailsjs-api/
and when I want to run the app, it works fine when I run :
sails lift
But, if I try and hit endpoints via a rest client... it will return me data, without any kind of login being necessary...
I notice the comments, and people are having the same issue - my code is IDENTICAL to the one in the example, and is even built on top of the tutorial from part one (before the auth tutorial)
if I hit http://localhost:1337/user - it will return me all users, I am sure it needs to be checking for a token, which I would get via checking if I have one to submit, or go get one from the login controller, but I am not sure what I need to do. Anyone have any ideas? Or know straight up what is missing?
I am totally new to Action HeroJS and I was wondering how can I restricted users to access my action herojs rest API, url from the browser?
I have even put the route as POST, but it is still accessible by get method?
Just like in java when we specify a rest api as post, it will not be accessible by get or browser url?
How can I accomplish this?
Edit:
Contacted the Action Hero, on github, they were pretty helpful, the solution was:
in web.js, put simpleRouting : false, and it should resolve the Issue.
Before you could access a post routed action, from the URL but after doing this you cannot!!
accessing a POST using get will return you a 404.
Thanks #Evan
Regardless of your language/framework, all routes are able to be hit by anyone, unless you block them at load-balancer or similar level.
Rather than thinking about the problem as "how to block" access, you should be thinking about the problem like "how can I ensure that this user is authenticated to use this route". Using things like cookies or tokens is the way to go.
You can use actionhero's middleware to apply access rules to specific actions, and return errors to the use if they aren't allowed.
Here's an example project that does these types of things:
Actions for dealing with the session: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/actions/session.js
Middleware which uses that session data for access: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/initializers/session.js
and finally another action (route/url) which requires the logged-in-session middleware: https://github.com/evantahler/actionhero-angular-bootstrap-cors-csrf/blob/master/actions/showDocumentation.js
I'm making a REST backend for private use of our frontend, they will both be in the same server.
The problem is that I'm worried about security issues, I don't want a attacker to use the API directly, either by JS or by using other REST client.
Lets take this service as an example
http://myserver:8080/something/webresources/film
That's a service that allows to GET, PUT, POST, DELETE I want that only the frontend be able to use it, otherwise since anyone can see client-code it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH so they would have to register and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user only could get/update/delete their own movies, but I would have to do that for every REST service(I have over 100 by now), plus I might need to actually get others movies
This is my first public project, I am really lost.
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Your only option to call the REST API from server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)
I am developing a website in node.js and I am using Parse.com to handle the user registration and the Facebook users.
To handle the Facebook login with Parse, I have to use the line of code:
Parse.initialize(APP_ID, KEY);
which can be accessed by anybody by just looking at the source code of the website.
So my question is: if somebody has access to this information, can he access the data that I stored in Parse? he would just have to create some simple query, no?
I already initialize on the server side so is there a way to tell the template(jade in my case) that Parse has been initialized by passing some kind of parameters?
Thanks
If you set up ACLs and class permissions correctly in your app, then there should be no concern with handing out your JavaScript key. See this page for more information: https://www.parse.com/questions/javascript-sdk-security
I am writing service using NodeJS + Restify. I have split each actual service into separate file (what, I assume, everyone is doing). They all are going to be using mysql database so I thought I could open a single connection to database which could be used by each service rather than opening connections every time a request is done.
The problem is that I don't seem to find a way to pass user data. By user data I mean any custom data that would be accessible by every service callbacked by the server.
I primarily use NodeJS + Express, but having looked through some of the documentation of Restify, I believe you could use the authorization parser (under Bundled Plugins on their site: click here to go there)
I think that would be the most basic way to pass user data.
I haven't tested it but, I believe you'd just add this to use it:
server.use(restify.authorizationParser());
You could then access the user data with:
//This is based on the structure of req.authorization in the documentation.
req.authorization.basic.user
I believe you could set new user data (when the user logs in or something) like:
req.authorization.id = 'id'