I have a HTML5 static site and use Parse as the back end through REST API.
So my application id and REST API key are completely open to the public.
My classes have ACL so it should be relatively OK. But I also upload files to https://api.parse.com/1/files/ using JavaScript through REST-API .
How can I allow that only logged in users can upload files? Unlike normal classes on which I can set class wide ACL, anyone can upload files to my parsing application.
First off I would ask why you are using the REST API instead of the native JavaScript API... the JavaScript API uses the REST API under the covers, it just adds a nicer layer of interaction to work with.
Anyway, that aside you can't stop people from uploading files unfortunately. You can stop them from assigning those files to records via ACLs though, and you can do a cleanup on files that are not linked to objects.
Related
I'm currently accessing a 3rd party restAPI using ServiceStacks IRestGateway with my own backing class. It's basically the same as the ServiceStack.Stripe gateway.
My issue is that I'm not sure how to handle File uploads. I know using one of the service clients you can easily do file uploads. Is there a way to re-use this existing implementation without switching to a service client?
The IRestGateway does not include any APIs for HTTP File Uploads. If you need to a send a file with those restricted APIs you'd need a DTO to include a byte[] property to capture the File contents as well as basic metadata like the file name, file/content type, etc.
An alternative to uploading files with ServiceStack's C#/.NET Service Clients is to use the HTTP Util extension methods which provides simple APIs to upload files via FileInfo for Stream.
To render on threejs, we need some images(jpg/png) and , jsons(uv data). All these files are stored in respective folders and the files visible for clients to look at.
I use django/python to start a local server, python code is compiled to .pyc & js code is obfuscated. But the folder structure is accessible for Casual Users. In threejs, we use tex_loader and json_loader functions to which the file paths are given as inputs. Was looking at ways of securing the behind the scenes work.
Happened to read about custom binary formats, but that felt like a lot of work.
or giving access to files only for certain process starting through django/web browser?
Are there any available easy to deploy solutions to protect our IP ?
An option would be to only serve the files to authenticated users. This could be achieved by having an endpoint on your backend like:
api/assets/data.json
and the controller in the backend would receive the file name(data.json), the code could check if the user requesting the endpoint is authenticated and if so read the file from the file system(my-private-folder/assets/data.json) and return it as file with correct mime-type to the browser.
I want to host a dynamic website using AWS serverless. I plan to use Lambda, API Gateway, DynamoDB and S3. My frontend pages will reside in S3. The blocker is that there would be some dynamic items such as Usernames and other metadata which will be user-specific. I know so far that the best we can do is pull the html page from S3. How do I then go ahead and include these variables in those pages?
I would be writing lambda in NodeJS.
Your HTML (static page) should have all the input fields (in your case user name and meta data). You can use any clide side javascript library to take values from those input fields. Even you can use classic JavaScript (like document.getElementById ) to take values from input fields but that will be the pretty old way of doing even if it works.Once you take the needed values then you can compose Json out of that to call lambda function via API gateway. Though S3 supports only static web site hosting you can write JavaScript code inside your HTML, which will not consider as dynamic (like C#, Java etc. ).
Big story short you can acheive anything through JavaScript in the static page you hosted in S3 and compose proper Json in the way your Api gateway / Lambda expecting.
What you mentioned as blocker for dynamic items such as usernames and other metadata. You can use AngularJS or other Framework to handle dynamic variable in application.
You can also use AWS Cognito for authentication.
For a serverless website like you describe you need to make the distinction between the static, and the dynamic content.
The static content, like HTML pages, Javascript files, CSS can be hosted in an S3 bucket.
For dynamic items you can use Javascript or any JS framework, and use it to interact with a couple of lambda's that return dynamic data.
These lambdas can be attached to an API gateway.
If you want to store- and retrieve data to a database you can use DynamoDB, or an RDS instance, that way you don't need to manage any servers
If it is just about authentication you can use AWS Cognito.
AWS S3 is fine for the front with angular for exemple.
For api I use nodejs in docker container in Aws ECS.
I developed a small node.js app in which I can configure conditions for a custom javascript file, which can be embedded in a webpage, and which modifies the DOM of that page in the browser on load. The configuration values are stored in MongoDB. (For sake of argument: add class "A" to DOM element with ID "B" )
I have difficulties to figure out the best way to serve requests / the JavaScript file.
Option 1 and my current implementation is:
I save a configuration in the node app and a distinct JavaScript
file is created for that configuration.
The page references that file which is hosted and served by the server.
Option 2 and where I think I want and should go is:
I saves a configuration (mongodb) NO JavaScript file is created Pages
a generic JavaScript link (for instance: api.service.com/javascript.js)
Node.js / Express app processes the request, and
returns a custom JavaScript (file?) with the correct values as saved in mongodb for that configuration
Now, while I believe this is the right way to go about it, I am unsure HOW to go about it. Any ideas and advise are very welcome!
Ps: For instance I wonder how best to authenticate or identify the origin, user and requested configuration. Shall I do this like: api.service.com/javascript.js&id="userID" - is that good practice?
Why not serve up a generic Javascript file which can take a customized json object (directly from mongodb) and apply the necessary actions? You can include the json data on the page if you really need to have everything embedded, but breaking up configuration and code is the most maintainable approach.
Is it possible to use google apps script in my HTML? I want to be able to write to a spreadsheet from a form in purely Javascript from an external framework such as Node.js.
https://developers.google.com/apps-script/
Google Apps Script's syntax is Javascript, however it is a unique server-side framework that does not behave as a library to applications outside of the Apps Script servers. (No, you won't be able to use Google Apps Script in your node.js app.)
However, that doesn't mean that your node.js app (or any other app on the web) can't interact with your spreadsheet. For instance, your app could authenticate as you using the OAuth API, then access the spreadsheet through the Google Drive API. For an example of this, see Accessing Google Spreadsheets from Node.js
Alternatively, you could roll your own spreadsheet API in Google Apps Script, to support read / write of your sheet via HTTP requests from your node.js app. There are plenty of examples of that, for example Insert new rows into Google Spreadsheet via cURL/PHP - HOW?.
Sure you can. You can use HtmlService to create your web form, then send the submission data to your Spreadsheet with server functions.
Nowadays you could use the Google Apps Script API to call your Google Apps Script code from other platforms like Node.js, actually the official docs include a quickstart for Node.js.
You can you use HtmlService, but maybe can be helpfull to read the Google Hosted Libraries https://developers.google.com/speed/libraries/
To use a Javascrtip library inside GAS, I recommend JQuery.
But Maybe, you can use Node.js inside your external website and make a AJAX Request (get or post) to a GAS and return from GAS this:
ContentService.createTextOutput(e.parameter.callback + "("+Utilities.jsonStringify(JSONDATA)+")").setMimeType(ContentService.MimeType.JSON);
After that, process it inside your AJAX request...
Mogsad is right that you might be better of with Google Drive API to interact with your Spreadsheet!
...But depending on your exact need you might have some possible interaction between external service and google apps scrip using Content service Google Dev link.
Content Service can send back several information upon GET request (ATOM, CSV, ICAL, JAVASCRIPT, JSON, RSS, TEXT, VCARD, XML). By playing around with url parameters you can get information out and in a spreadsheet, send an email, trigger some action etc!.
But that is far from a real external library and direct interaction with server side functions!