node.js - how do i avoid server.js file being downloaded - node.js

I am working on MVC4 application. This is how my directory structure looks like:
App_Data
App_Start
Content
Controllers
Images
Models
node_modules
Scripts
Views
server.js //This is where my server script resides
Node.exe
This is how it all fits together:
Server.js is running on a server. User goes to a index.cshtml page and a connection to the server is created. If there are multiple users on the same page, they all can share data/thoughts etc. using "kind of" chat. each user's action is relayed to other connected users.
What i am wondering is how do i avoid someone directly pointing to my server.js file from the browser and view the content of it.

You appear to be running two separate web servers.
The first serves your MVC4 ASP files while the second serves your node.js application.
Placing the node.js files under the webroot of your ASP application makes them visible to browsers that visit your ASP application.
node.js is a web server in it's own right and does not require any other web server to operate.
I would move your node.js application outside of your ASP webroot. This will make its files inaccessible to browsers.

Related

Are the security implications of installing NodeJS in the public HTML folder?

I'm running NodeJS for my server-side javascripting, but serving my pages with Apache.
My pages currently reference Socket.IO locally, in that they load the node_modules/socket.io-client/dist/socket.io.js from the /var/www/html
The NodeJS index.js file also resides in /var/www/html which has become a problem for me.
Can I move my NodeJS index.js file to var/www so it is no longer publicly accessible, without needing to move node_modules from var/www/html which Socket.IO is relying on to be publicly accessible?
When using Node.js to serve the Webpage:
Your servers root directory is typically not publicly visible. Requests to your server get handled by the routes you set up in the index.js file. By default, no files are accessible. However, if you need a public folder (e.g. for the favicon file or an index.html file), I would recommend creating a subfolder in your root directory and use for example express to make it available.
When not using Node.js to serve the Webpage:
If you need Node.js for client-side logic, you should just use normal javascript (for example this in the case of WebSockets). Node.js is a serverside application where you run javascript on the server. So on the client-side, there is no need for Node.js. If you need certain npm packages, SubStack on GitHub has a module called node-browserify. It will compress and bundle your modules and deliver it as a single js file, but you use it just like Node.js.
If you need Node.js for server-side logic, then there is no need to make it publicly available and you should change your current server configuration to not make it accessible from the browser.

How do I use AWS S3 to host a static express/nodeJS page?

I am new to nodejs/express/coding in general so my apologies if this isn't extremely clear. I am doing a code challenge for a job.
I have most of the project done. Part of the challenge is to have it uploaded to a bucket on S3. I created a bucket, that is all done. My problem is there needs to be a index.html in the root folder of the bucket (I think). All of my html pages (three of them) sit inside of the views directory. When I try to put my index.html in the root folder on cloud9, it says index.html can't be found in the views directory (obviously, since I moved it out). Can I set the views directory to be in the root folder?
Is there a way with express/nodeJS to have all of the files in the root folder? Or is there a way to keep my views folder as it is in Cloud9 and have everything run like it does from there, except in S3? I must be missing something. I am completely lost as to how to host this app on S3. Posting on here was my last resort! Thanks for any help.
Let's make order. Amazon S3 is a cloud file storage service. It can also be used to host static assets of a website.
From what I understand, you are building something with express, using the view directory, used in general for templates and so, I suppose, you are rendering your html pages by your express application. This is called server side rendering and is fully incompatible with amazon s3 that can only serve files.
Now, how can you resolve the problem (considering that you are obliged to use s3)? It depends.
If you are using express only to render your application and to serve static assets (so no API), you should consider some refactoring: in such case, you are basically building a web application without APIs. You don't need express. Maybe you are searching for a client side framework like Vue.js, React or Angular. To be more general, you should render your application client side.
If your express server is also acting as api server, you should divide your project. From one side you have your express api server, deployed somewhere. From the other side, you have your web app, client side rendered.
There is another solution: you could use a prerender like this to generate static assets from your express application. But if you are new to web developement, I advise you not to evaluate this option
When you move your static files to S3, you will need to setup the relative paths accordingly.
Can I set the views directory to be in the root folder?
No. Instead organize your files in S3 where index.html is the root and files with paths such as js/ css/ images/ taken from the root folder.
Note: Its important to understand that you cannot run NodeJS in S3 and instead you will be using the internal web hosting from S3 to serve the static content.

Changing localhost server files are served from using Node (Webstorm /maybe IntelliJ)

I'm not sure what I'm missing here, so hopefully someone can help me out. I'm working on a project where we're using Node and in the Run/Edit configurations I've down the following:
Node interpreter: This is the path to the node.exe file
which I checked out from Subversion
Working directory: this is where the "app.js" file is, this is the
path that from the command line you type node app.js and it starts the server
JavaScript file: app.js This is the name of the file that actually creates the server
Now from the main nav bar when I do Run / Run my server the box at the bottom pops up and tells me that Express server is listening on port 3000. Cool.
I can navigate to localhost:3000/myPage.html and I can get to the page just fine.
I added as JSON file to the same directory on my hard drive that myPage.html is in, and I can navigate to that as well by localhost:3000/largeTestData.json.
So the server is up and running and serving file as it should. My problem is that in my Webstorm project, I want to make an AJAX request to that largeTestData file. I do so using jQuery like:
var data = $.get('localhost:3000/largeTestData.json');
data.done(function(data){
console.log('here is your data');
cnosole.log(data);
})
When I do that I get the error (in Chrome)
XMLHttpRequest cannot load localhost:3000/largeTestData.json. Cross origin requests are only supported for HTTP.
and so I look at the URL and I'm seeing:
http://localhost:63342/
Obviously Webstorm has started the server correctly, but when I view an HTML file, it's not using that server (which, of course is why I'm getting the CORS error.
There's some fundamental stuff here which I'm obviously not getting. I need my IDE to deploy to the Web server that it started up, but it's not doing that. Please, someone give me a once over on all the technologies that I'm missing out on here.
WebStrom didn't start your node.js server, but serves static pages by its own internal HTTP server which doesn't know anything about node.js and Express.
The main problem:
When you start your node.js server, it's serving JSON files on port 3000. If you open an HTML-page with the little menu in WebStorm (where you can choose the browser), WebStorm opens the browser with an URL pointing to its own internal webserver running on a different port (e.g. 63342). JavaScript security prohibits loading data from a different host/port Same-origin policy.
It's not WebStorm's fault and you need a solution for this problem in production or you can't go live.
General Solution:
Either you have to ensure that HTML pages and JSON data come from the same host+port, or you can circumnavigate with (a) setting server-side headers ('Access-Control-Allow-Origin: *') as #lena suggested, or (b) using JSONP. Below you find some thoughts using nginx as a reverse proxy so from browser's point of view all requests go to the same host+proxy. It's a very common solution, but as mentioned above, there are other options.
Primitive solution:
Don't use WebStorm to open your browser. Load the page from http://localhost:3000/ and change the URL of the REST resource to $.get('/largeTestData.json'). You'll miss some comfort from your IDE, but you can immediately see that your program is working.
Comfortable solution:
As #lena suggested, there is a way to configure your Express/node.js as a server known to WebStorm. I haven't tried it, but I suppose you can then just press the Run-button and maybe the node.js plugin in WebStorm is as intelligent to know the static-maps in Express and know how to map an HTML-file to a web application URL and open the page in the browser with the URL served by your node.js application. (I'd be surprised once again if this really works magically, but maybe you can configure a mapping from files to URLs manually, I don't know.)
Dirty solution
With some options you can disable security checks, at least in Google Chrome. Then it's possible to load JSON data from a different port than your HTML page. I wouldn't recommend using these options (just my opinion).
Additional Hints
If you do more than just playing around with node.js and some UI fun and you have to serve your application "production-ready", then have a look at nginx to serve your static files and reverse proxy node.js requests from there. I'm using this setup even for development and it works like a charm.
Of course node.js / Express is able to serve static files as well, but IMO placing something like nginx in front of node.js (clustered) bring a bunch of advantages for production sites, e.g. load-balancing, ssl-offloading, avoid JSONP, in many cases performance, easier deployment updates, availability.
To get your code working, just change the URL in $.get() to full URL (including protocol):
var data = $.get('http://localhost:3000/phones.json');
In Webstorm 2016.3 (and probably earlier) there is now another option. Under the Configuration Settings for NodeJS runs, one can manually set the page and port to be loaded via Webstorm's "Browser/Live Edit" settings.
See the screenshot below for settings one can change.

angularJS problems on tomcat - application restarts on page/controller-change

For my local angularJS development, I'm using nodeJS. If I deploy my angularJS project on a tomcat server, it basically works BUT, I'm using different pages and different controllers and every time I click on the other page, it seems that the whole application is restarted again, because the data in the rootscope is lost and it starts program parts which should be started on application startup only.
Can anybody tell me whats going wrong here?
Why is my application not 100 % correct running on tomcat?
I'm using tomcat 7.0.34
I'm not familiar with Tomcat, but we've had the same issue with Apache. As Angular needs to do the routing of your app itself, you have to tell your web server to always deliver your root HTML page, e.g. index.html.
After doing that, your app should work fine.
I assume when you say different page you literally mean a different html page (url).That is the expected behaviour. AngularJS is a Single Page Application (SPA) framework. Like any other SPA it gets reinitialized when you do a full page load\reload or you navigate to another page.
This is due to stateless nature of HTTP. Every page is an independent request, which starts the client side page life cycle.
For using AngularJS correctly as SPA, you need to have a main page. The content of this pages gets alter\appended by child views\partials (again pages). AngularJS also hijacks the browser url chnanges so that this does not cause full page reloads on url change.
Look at some sample applications created using AngularJS to understand how it works.

[NodeJS]Is my backend code secured?

I'd like to create a simple site on NodeJS. For example, it has two files (app.js - main application file) and router,js (a url file). I'd like to know - if it possibke for anyone just to access mydomain.com/router.js to get the source code of my application? I'm asking 'cause for example in PHP you cant just access to php, as you know server just gives you the result of working of this PHP-file, but not the file itself. So, how to make my nodejs-app invisible for public access? Thanks!
I make sure that all files for Node.js are never in a path that is served by another web server such as Apache. That way, there is little danger of the source ever being served by accident.
My node program's and files go in /var/nodejs with a sub-folder for each application in Node. By default of course, Node will not serve ANYTHING unless you tell it to.
At the root of my Apache configuration, I make sure that ALL folders are secured so that I explicitly have to enable serving on any folder structure even under the /var/www folders that I use for all Apache sites.
So you are pretty safe with a default setup of Node and Apache as long as you keep the folders separate. Also Node will not serve source code accidentally, you would have to set up a Node server that read the file as text and wrote it to the http stream.
That depends on how you are using Node.js and what you are using for a web server in front of it. Unlike PHP running as CGI or as a module in Apache, node and the node application itself is a server.
If you have a webserver with your node source directory exposed then the url you provided in the question will most likely result in your source code being served. Even if you were using Apache and proxying to node, there is usually no output filter involved. Instead requests are passed to the backend node server which interprets them.

Resources