Authorization approaches and design patterns for Node.js applications [closed] - security

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
I am building a multiple page admin interface for an internal enterprise software platform. Think lots of glue logic tying together various APIs, db queries, and shell scripts.
We will be using node.js, the express framework (including jade templates), and LDAP for authentication.
I am struggling to find information regarding design patterns and best practices for authorization in node applications. Preferably, I would like to use the role-based model since my users are familiar with that approach and its care and feeding.
I am new to node.js so please don't assume I've already seen a module or popular blog post. It's probable that there's a wealth of information and I simply do not know where to look.
Thanks in advance for any information you are able to provide!

As per your first question, you want some authorization process implementation in NodeJs. I have explored and used number of APIs of NodeJs. I would prefer following APIs for enterprise applications.
For Authentication: Passport or Satellizer if developing SPA (front-end) in AngularJS.
For Authorization: ACL . Role based security on Methods and REST APIs. I would like to mention casbin if you want to use RABC, ABAC as well.
Second, you want some implementation and development approach in NodeJs.
Easy and my favourite design pattern and Framework for NodeJs: MVC framework , SailsJs . For its ready to start and modular architecture. Code management is easy in long run (Most practical requirement for an enterprise application). Easy maintenance. SailsJs is also preconfigured with Socket.io, using which you can create real time modules, widgets, chat widgets with in your project.
Express You can use Express and design your own custom MVC project structure. This is also popular and robust. You can find popular seed projects of the same on Yeoman
Redis As a caching or session layer. It is always good to use seperate caching or session layer, because it won't block you to scale your application on cloud to nth instances.
You can use Redis and Socket.io to create real-time features like Geo-location , user-presence(online/offline), chat, push-notification and many more.
ORM: Waterline . For its easy querying approach. It is also the inbuilt and default ORM of SailsJs. You can also use Sequelizejs, if not using SailsJs. I would recommend to use native connectors provided by DB providers.
Database: As per your requirement. Waterline ORM supports PostgreSQL, MySQL, MongoDB and more..
My faviourite view engine: EJS. No need to learn new things for developing your presentation layer. It is also the inbuilt and default view engine of SailsJs, that's why I am a fan of SailsJs.
I think, I have covered all important information to create an Enterprise application in NodeJs. I don't say, above packages are best, but collaboratively, they can be best fitted to any enterprise scenario. There are other known packages, which you can use according to your own requirement.

Here are some information to get started:
passport is a popular module for authentication
express auth example shows how do implement simple authentication without extra modules
express route middleware example explains how to implement role based authentication
blog post on nodejs.org about the ldapjs module
Hope that makes it easier to start.

Another option is to use CASL which is very good integrated with MongoDB. Also there is an article of how to itegrate authorization based on CASL into expressjs app - https://medium.com/#sergiy.stotskiy/authorization-with-casl-in-express-app-d94eb2e2b73b

I should say Node-Authorization is also a good candidate. The idea is borrowed from SAP(ERP provider), it is an object oriented authorization. And it can also be used as an accompaniment with other frameworks like: Passport and Express.

Related

Django vs Node(Express) vs Flask for RESTful API with high security and real-time

I have a few questions regarding some popular web frameworks. I can find pros and cons about all the frameworks, but which fits best regarding theese criteria:
The website needs to be as secure as possible. It will need a lot of real-time feautures, an own mobile app (native or hybrid, with notifications) and the application will also run a lot of background processes.
Django has some nice security features included, but suits bad for mobile development. The solution is then probably making a completely RESTful API tougheter with Angular and Ionic, but doesn't you loose most of Django's built in security solutions? Will it then be just as safe using a Node framework like Express, and manually escape user input, and manually prevent database injection? Will a good user authentication system then be equal as much work?
In addition, will it be painful to mix synchronous and asynchronous programing using Django channels to implement websockets and real-time features. I don't have any experience using Django channels, but I really likes the simplicity of Socket IO together with Express. Even if it can be challenging to program asynchronous in a Node environment, will it be just as hard using Django channels at the end? And since Django is a full framework, will you after a while have to rewrite a lot of the inbuilt classes and functions? Is it still easier than using Flask with Flask SocketIo? Will it be a good idea to use Python for background jobs beside the Node environment?
I know there already exists enough framework vs framework questions, but i would appreciate any advice and experiences.
Just go ahead and use the socketio in node or flask it is much more adviceable than using the socketio libary in Django.

ExpressJS vs MeteorJS [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I'm caught in a fix. I've learned ExpressJS to develop a web app and I'm a quarter of my way done. Then comes along Meteor which was very recently released. It has gotten a lot of press, funding and it has the benefit of being able to port to Cordova. Now I'm not sure whether to stick to ExpressJS or transition to Meteor.
Key Points: Scalability, Ease of use, Development efficiency
Express = MVC Framework built in Javascript and is powered by Node.
Meteor = Full Stack that has the front-end and back-end components to build a real-time application.
To create the same implementation of Meteor using Express, you need to look at the MEAN stack, which includes MongoDB, Express, AngularJS, and Node. You can create the same thing in Meteor that you can with the MEAN stack, you are just going to be doing a lot more learning especially with AngularJS. Express and Angular are taken care of in Meteor using Meteor's template system and Blaze.
I would stick with Meteor. It still has a few drawbacks, but there are workarounds. It's amazing what you can throw together in little time.
You're comparing oranges with potatoes. Expressjs is backend and Meteor is fullstack, such a comparison is unfair at all!
I've been working with Meteor since 0.8 and I suffered in the skin the pain of upgrading, removing old vital third party packages, etc. you get the idea. Although Meteor reached 1.0, I don't think that the mobile component is quite ready, check github issues on it.
I think Meteor is ready for building online platforms. If you find that it doesn't play well in the mobile, you can still maintain your Meteor application and create an API on top of it, you can find packages on atmospherejs.com for it (or even use iron:router). That's what you would with Expressjs: create an API to be used by mobile devices.
About your Key Points of Meteor: Scalability - It's possible to scale Meteor although you won't a good article about it but if you take a look at Kadira, Arunoda managed to scale it. Ease of use - It's fairly easy to write a Meteor application in the beginning but in the long run you'll face some problems like I faced. Development efficiency - My experience in team wasn't that positive, we had bad architectural design choices and some bugs because new developers (even experienced ones) don't get Meteor, example: Instead of using Collections allow and deny rules, they use Meteor.methods for everything which doesn't translate to security. Some even publish the entire database to the client and say: Works great on my localhost :D
About express: I have little experience on it but the comparing it with Meteor, it's not fair at all. Meteor doesn't not the same purpose as Expressjs.
A comparison with MEAN Stack would make much more sense: http://mean.io/
Express.js is quite different from Meteor.
Meteor tries to give a good framework for everyone taking a lot of decisions (hopefully good decisions) those are usually uninteresting from the application development point of view: what transport library to use, how to synchronize data, how to build a reusable API, security, CRUD operations with the database, etc.
Instead Meteor gives you a unified experience across the stack. Since it has so much power control over backend, transport, interfaces, front-end, build tool chain - it can build a lot of neat features those would be so much harder to glue together from Mongo+Express+your favorite front-end framework+socket.io+grunt/gulp.
Read Socket.io's creator's blog on how hard it is to deliver good user experience in single-paged apps these days: http://rauchg.com/2014/7-principles-of-rich-web-applications/. Meteor does a lot of it +more. (except for the server-side rendering and predictions, at least right now).
Think about how many security holes you will have if you pick the abstractions too low level in hope to implement everything right.

How to decide which framework to use for node? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
So we've been using node for quite a while now and I must say, with the growing community for node, people are developing lots of awesome modules and frameworks too. But as we are working on more and more projects, I get confused sometimes as to which framework to go for. So far we've used following frameworks:
Express - One of my favorite frameworks for node and this was the first too when we started making apps in node.js.(I think this also was the first to gain so much popularity). We do have issues like callback hells but provided that the routing and the code organization is much more cleaner, we were pleased to use it.
KoaJS - Another one from the TJ and team, and this is just awesome! Using ECS 6 when any of the browsers hardly support them. (Specially when it helps you remove the callback hells completely). We had some issues with https compliance with Koa and had to re-write the entire server using hapi and also the fact that it depends on the unstable version on node for now.
Hapi - This is our most recent adoption and haven't done much with it, but the most fun part of this is the joi module that helps us validate requests(easily) even before they hit the actual server and also the automated docs generation.
Synth - I haven't interacted much with it, but while reading the docs, I came across
Use services and dependency injection just like AngularJS but on the
back-end!
which is awesome, but since it's in beta still, I'm not thinking of using it anytime soon.
So when trying to go for a framework for your app, Is there any specific set of features that one framework is good at and the others don't? Because honestly, we adopted most of the frameworks just with the intent of trying them out and apart from syntax differences (except Koa that uses ECS 6) and how they handle routes, I couldn't find much differences among them.
So my question is should we adopt any framework just by looking at it's popularity(which is what people generally do) or there is some checkpoints we need to consider while doing the same?
Any suggestions/help appreciated.
Edit
I wanted to add on that my intention for this question is to find out the key points to consider while opting for any of the node.js framework (rather than just depending on it's popularity or how many big names are using it). For the front-end we can easily tell because we already know or have been told the key features that would help development easier(the diff between angular & backbone can be an example) But for the node.js frameworks that isn't any way.
I would request others to consider my edits too.
I'll try and keep this answer as non-opinionated as possible. Please edit and help me improve this. This is a important topic and should get a good answer.
Express.js
Pros
Express.js is the big guy, fairly old and incredibly popular.
Easy to use views
Very Lightweight
Cons
No fancy features
Koa.js
Pros
Lightweight
Koa is the maybe successor to Express
No callback hell, thanks to ES6 generators
Built by the same guy as Express
Cons
Fairly new, not super refined
Uses ECMAScript 6 features, meaning you need Node.js v0.11 (unstable)
Hapi
Pros
Many official modules, but not a ton of third-party ones
Developed by a large corporation that uses it for their own products
Cons
Built by Walmart
Different syntax for specifying routes than Koa or Express.
Itself and all the official modules have weird names
Synth
The first back-end framework specially designed for single-page web applications.
Pros
Designed for being the backend single-page websites, ala Angular.js
API First
Dependency Injection, familiar to those coming from Java
Designed to do a ton of the backend things, allowing you to work on the frontend
Cons
Dependency Injection, disliked by quite a lot of people because Java is the only reason it exists
Very new, currently in beta
Doesn't work well with more traditional websites
More Resources
TechEmpower Framework Benchmarks (limit to Node.js) Benchmarks of lots of web frameworks, currently only has raw Node.js, Express, and Hapi for Node.js.

Grails as single app or different back-end and front end app [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
We are new to grails and are concerned about the following issues:
scalability concerns
Using same back-end for different applications
So sticking to a single grails is good idea or we should separate concerns and even use other framework like node.js for frontend using rest.
Secondly i am not very clear ,where we should put business logic in grail app.Ideal place should be services i suppose
We are examining Angular.js since it seems to faster than gsp pages,current flavour for frontend and integration with grail is also easier.Wanted to check is this correct option or not.
Grails is very well suited fast paced development needs and you will love it when you get basic understanding of it. You can write a badly performing application in any framework/language. One thing I'd recommend is getting a good understanding of Hibernate which is the underlying persistence library. If you understand how that works, it should help you avoid making any silly mistakes at the DB level.
For the first part of your question the scalability of your web application won't really depend on what language/framework you choose to use, but rather how your application is built. You can build a scalable web application in Grails, just as you can build an incredibly slow application in C++. If Grails is the framework you would like to use, then use it; you can always rewrite the slow parts in Java or another fast language, if need be. (After all, that's what Twitter did with Scala.)
In our company what we do is use grails as a client interaction/licensing server and use multiple Node.js servers for analytics. So all what client gives gets stored on grails server and then the functional data is sent to Node.js server cluster for further processing. The analytics data from Node.js server is fetched by grails server using http builder and is used to plot charts and data on dashboard.
//------------- Updating answer for updated question ----------------------
Node.js is server side technology and it doesn't work on front-end i.e. client side
In grails you write all incoming(to server) and outgoing(from server) things in controller.
While all your business logic/computations/DB queries goes into your service methods. Once done send computed data back to controller via return statement and controller will send/show it on GSP.
While regarding your angular JS question I would say you cant replace GSP with angular JS as GSP is nothing but a server side scripting in which you write grails/groovy/java code in script-lets form along with normal HTML code and it gets rendered into full HTML and gets sent onto client side. So you can only enhance its functionality by adding a front end MVC like Angular to it and can't replace it. And functionality wise Angular is superb framework. Add any kind of JS to your GSP's and enjoy them.
P.S. - You'll start loving GSP once you get hang of GSP tags which are so easy to do many things.
To keep the things simple: you can build the whole app-stack using Grails. You can split/unite your services in any appropriate manner. You can build an app with any crazy JS-frontend framework out there, or build an app with a REST API only. Or mix them together.
Moreover, you can easily modularize your app by using plugins. The good thing about them is, they can run standalone, meaning that you can use the service as a part of your app, or run the service outside of the app, it's your decision and not framework limitations!
UPDATE:
Grails has a very important point: Groovy is a JVM language. That means, you can use ANY lava library in the world directly in your project. Also your developers must learn only Groovy, as it used everywhere throughout the application, be it domain-classes, services or GSP.

What are the basic differences and similarities between Angular js and Express js? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
So I am a bit confused in regards to the aim of Angular js vs Express js. From my understanding we use Node.js to serve Angular js but we are not entirely limited/forced to use Node.js for serving it. Express js on the other hand seems like it accomplishes something similar to the more traditional MVC framework.
So is Angular Js a type of non-server-specific MVC framework? and does this limits Angular js backend server capabilities or ease of use?
Express
Express is a web framework, inspired by the Ruby project 'Sinatra'. It's one of many web frameworks in Node
AngularJs
AngularJS is a MVC framework that defines numerous concepts to properly organize your web application. Your application is defined with modules that can depend from one to the others. It enhances HTML by attaching directives to your pages with new attributes or tags and expressions in order to define very powerful templates directly in your HTML. It also encapsulates the behavior of your application in controllers which are instanciated thanks to dependency injection.
AngularJS helps you structure and test your Javascript code very easily.
Answer to your comment which i saw.
So would you say they are for different purposes client-side vs
server-side implementations and therefore mutually exclusive or do you
see a scenario in which one could use Angular Js, Expression js, and
Node.js in the same application?
Yes, they are for different purpose, but they both are MVC based framework. Yes, we can where you can use Angular router, views and controller for front end and use express as your base model to communicate with MongoDB or anyother Database. But yet again its your choice, as you can achieve everything without even bothering AnagularJs.
Adding more.
AngularJS is a beautiful client-side framework, highly testable, that combines tons of cool stuff such as MVC, dependency injection, data binding and much more. If you want to fully take advantage of the AngularJS features you may consider coding the server side using a RESTful approach. you can take advantage of their resource factory, which creates an abstraction of your server side RESTful API and makes server-side calls such as get, post, put, delete etc.
You can use AngularJS for defining your client-side behavior[Views and Controllers] and then write up the REST-Services which AngularJS client can interact with. The client runs on the web browser[AngularJS], and does asynchronous communication to the server. The server[ExpressJS] then retrieves and stores data for the client.
Maintaining a clear distinction between client and server makes the app easier to maintain and test. Adding to it, it all depends upon what you are trying to build and how best you can leverage both of them.
AngularJS is a javascript framework that runs on the client side, on the browser; it has a router, yes, but is only for the client side (in fact, it uses the hash as default).
On the other hand, Node.js runs javascript without a browser, as a service and it can run frameworks like Express, dealing with HTTP and so on, making it a nice web server.
Similarity is both are JavaScript frameworks which means you can write your server side and client side logic both in JavaScript if you were using them together.
Differences would be AngularJS is a client-side framework and Express is server-side framework.
Express can be used with any client-side framework and so can Angular be used with any server-side framework.

Resources