[NodeJS]Is my backend code secured? - security

I'd like to create a simple site on NodeJS. For example, it has two files (app.js - main application file) and router,js (a url file). I'd like to know - if it possibke for anyone just to access mydomain.com/router.js to get the source code of my application? I'm asking 'cause for example in PHP you cant just access to php, as you know server just gives you the result of working of this PHP-file, but not the file itself. So, how to make my nodejs-app invisible for public access? Thanks!

I make sure that all files for Node.js are never in a path that is served by another web server such as Apache. That way, there is little danger of the source ever being served by accident.
My node program's and files go in /var/nodejs with a sub-folder for each application in Node. By default of course, Node will not serve ANYTHING unless you tell it to.
At the root of my Apache configuration, I make sure that ALL folders are secured so that I explicitly have to enable serving on any folder structure even under the /var/www folders that I use for all Apache sites.
So you are pretty safe with a default setup of Node and Apache as long as you keep the folders separate. Also Node will not serve source code accidentally, you would have to set up a Node server that read the file as text and wrote it to the http stream.

That depends on how you are using Node.js and what you are using for a web server in front of it. Unlike PHP running as CGI or as a module in Apache, node and the node application itself is a server.
If you have a webserver with your node source directory exposed then the url you provided in the question will most likely result in your source code being served. Even if you were using Apache and proxying to node, there is usually no output filter involved. Instead requests are passed to the backend node server which interprets them.

Related

Are the security implications of installing NodeJS in the public HTML folder?

I'm running NodeJS for my server-side javascripting, but serving my pages with Apache.
My pages currently reference Socket.IO locally, in that they load the node_modules/socket.io-client/dist/socket.io.js from the /var/www/html
The NodeJS index.js file also resides in /var/www/html which has become a problem for me.
Can I move my NodeJS index.js file to var/www so it is no longer publicly accessible, without needing to move node_modules from var/www/html which Socket.IO is relying on to be publicly accessible?
When using Node.js to serve the Webpage:
Your servers root directory is typically not publicly visible. Requests to your server get handled by the routes you set up in the index.js file. By default, no files are accessible. However, if you need a public folder (e.g. for the favicon file or an index.html file), I would recommend creating a subfolder in your root directory and use for example express to make it available.
When not using Node.js to serve the Webpage:
If you need Node.js for client-side logic, you should just use normal javascript (for example this in the case of WebSockets). Node.js is a serverside application where you run javascript on the server. So on the client-side, there is no need for Node.js. If you need certain npm packages, SubStack on GitHub has a module called node-browserify. It will compress and bundle your modules and deliver it as a single js file, but you use it just like Node.js.
If you need Node.js for server-side logic, then there is no need to make it publicly available and you should change your current server configuration to not make it accessible from the browser.

How are Express.js files not exposed when deployed to the server?

This may seem like an odd/broad question, but how does a server know not to render Express.js files and not to expose the content similar to how anyone can see a javascript file, and read the script being executed. Do node servers like Heroku protect them ? Sorry just new to express and node. Is it similar to how PHP syntax/scripts are hidden and protected in a Apache server?
It depends on the server configuration. On a poorly configured server, the .js files might be accessible.
With a nodejs/expressjs server you define a base folder that contains public files, e.g. public and files outside of that public folder are not visible, because the server doesn't serve them to the outside. If you configure the wrong directory, e.g. ., then the expressjs code files would be available to browsers and would be rendered as-is to them, potentially revealing unsafe data like configuration, passwords and so on. Since the default configuration and all code examples make sure that public is defined as the public folder, the risk of accidental misconfiguration is low.
If you run an apache httpd or other webserver on the same host, you have to make sure that the node application is not inside the webroot of any vhost, otherwise the files might also be visible, because to the apache httpd they also look like simple static files, ready to be sent as-is to the browser.
It is different from PHP files, at least in the case of apache httpd or nginx, because those are usually configured so that PHP files are files to be executed, not static files to be served to the outside. However, if the apache httpd or nginx doesn't know about PHP, either because it isn't installed or isn't configured, then PHP files inside the webroot would also be shown to the public as-is. Display of files for the apache httpd can be prevented using .htaccess files.

Saving and accessing files on a mounted drive in nodejs

I have 3 servers running as a cluster managed by flynn (a bit like heroku) which I can attach a shared drive to so that in theory they all have access to the same files.
However I'm a bit unsure if it's possible to access a mounted drive from my nodejs app to save and access files.
Can anyone shed some light on if this is possible and roughly how I'd go about doing it.
With node.js, your file system path has literally nothing to do with the URLs that your server supports. node.js servers do not serve ANY files by default (unlike some other servers).
If you want an incoming browser request for http://example.com/uploads/test.jpg to read a file from /mnt/shared/uploads, then you have to create a web server route handler that includes the incoming path http://example.com/uploads/test.jpg and then reads the data from /mnt/shared/uploads and writes that data out as the http response.
Depending upon what web server environment you are using, there are helpers to do that mapping. For example, express has express.static() that helps with some auto mapping. But, the web server by itself does not server any files like this automatically.
So, if what you want is that all incoming requests for http://example.com/uploads/* will be read from /mnt/shared/uploads/*, then you can use express.static() to help you do that like this:
app.use("/uploads", express.static("/mnt/shared/uploads"));
This will take any path it finds after /uploads and look for that path in /mnt/shared/uploads. If found, it will automatically serve the content as static content.
So, it would work like this with the incoming URL shown first and the place express.static() would look for a matching file:
/uploads/test.jpg ==> /mnt/shared/uploads/test.jpg
/uploads/bob/test.txt ==> /mnt/shared/uploads/bob/test.txt

Changing localhost server files are served from using Node (Webstorm /maybe IntelliJ)

I'm not sure what I'm missing here, so hopefully someone can help me out. I'm working on a project where we're using Node and in the Run/Edit configurations I've down the following:
Node interpreter: This is the path to the node.exe file
which I checked out from Subversion
Working directory: this is where the "app.js" file is, this is the
path that from the command line you type node app.js and it starts the server
JavaScript file: app.js This is the name of the file that actually creates the server
Now from the main nav bar when I do Run / Run my server the box at the bottom pops up and tells me that Express server is listening on port 3000. Cool.
I can navigate to localhost:3000/myPage.html and I can get to the page just fine.
I added as JSON file to the same directory on my hard drive that myPage.html is in, and I can navigate to that as well by localhost:3000/largeTestData.json.
So the server is up and running and serving file as it should. My problem is that in my Webstorm project, I want to make an AJAX request to that largeTestData file. I do so using jQuery like:
var data = $.get('localhost:3000/largeTestData.json');
data.done(function(data){
console.log('here is your data');
cnosole.log(data);
})
When I do that I get the error (in Chrome)
XMLHttpRequest cannot load localhost:3000/largeTestData.json. Cross origin requests are only supported for HTTP.
and so I look at the URL and I'm seeing:
http://localhost:63342/
Obviously Webstorm has started the server correctly, but when I view an HTML file, it's not using that server (which, of course is why I'm getting the CORS error.
There's some fundamental stuff here which I'm obviously not getting. I need my IDE to deploy to the Web server that it started up, but it's not doing that. Please, someone give me a once over on all the technologies that I'm missing out on here.
WebStrom didn't start your node.js server, but serves static pages by its own internal HTTP server which doesn't know anything about node.js and Express.
The main problem:
When you start your node.js server, it's serving JSON files on port 3000. If you open an HTML-page with the little menu in WebStorm (where you can choose the browser), WebStorm opens the browser with an URL pointing to its own internal webserver running on a different port (e.g. 63342). JavaScript security prohibits loading data from a different host/port Same-origin policy.
It's not WebStorm's fault and you need a solution for this problem in production or you can't go live.
General Solution:
Either you have to ensure that HTML pages and JSON data come from the same host+port, or you can circumnavigate with (a) setting server-side headers ('Access-Control-Allow-Origin: *') as #lena suggested, or (b) using JSONP. Below you find some thoughts using nginx as a reverse proxy so from browser's point of view all requests go to the same host+proxy. It's a very common solution, but as mentioned above, there are other options.
Primitive solution:
Don't use WebStorm to open your browser. Load the page from http://localhost:3000/ and change the URL of the REST resource to $.get('/largeTestData.json'). You'll miss some comfort from your IDE, but you can immediately see that your program is working.
Comfortable solution:
As #lena suggested, there is a way to configure your Express/node.js as a server known to WebStorm. I haven't tried it, but I suppose you can then just press the Run-button and maybe the node.js plugin in WebStorm is as intelligent to know the static-maps in Express and know how to map an HTML-file to a web application URL and open the page in the browser with the URL served by your node.js application. (I'd be surprised once again if this really works magically, but maybe you can configure a mapping from files to URLs manually, I don't know.)
Dirty solution
With some options you can disable security checks, at least in Google Chrome. Then it's possible to load JSON data from a different port than your HTML page. I wouldn't recommend using these options (just my opinion).
Additional Hints
If you do more than just playing around with node.js and some UI fun and you have to serve your application "production-ready", then have a look at nginx to serve your static files and reverse proxy node.js requests from there. I'm using this setup even for development and it works like a charm.
Of course node.js / Express is able to serve static files as well, but IMO placing something like nginx in front of node.js (clustered) bring a bunch of advantages for production sites, e.g. load-balancing, ssl-offloading, avoid JSONP, in many cases performance, easier deployment updates, availability.
To get your code working, just change the URL in $.get() to full URL (including protocol):
var data = $.get('http://localhost:3000/phones.json');
In Webstorm 2016.3 (and probably earlier) there is now another option. Under the Configuration Settings for NodeJS runs, one can manually set the page and port to be loaded via Webstorm's "Browser/Live Edit" settings.
See the screenshot below for settings one can change.

Node Application to run in a sub-folder under Apache

I have a simple node/angular application and I would like it to run under a sub-folder of an apache/php application.
What I mean:
At the moment the node app runs under this url http://www.mysite.com:8080 I need the application to run under http://www.mysite.com/nodeapps/applicationName/index.html
Do I need to change something in my apache configuration except moving the application under that folder?
The node app now is under opt/applications/node/applicationName
I am new to Node.js so please make sure that you explain your solution in details or else I am going to get even more confused :)
Apache simply serves files. However, your node application will also serve files without the need of an extra server. So you don't want your node.js files to be in a folder served by Apache (this will make the source code public which you probably don't want in most cases). Instead, the way to go is to run node.js on a custom port (like the above http://www.example.com:8080) and to redirect from apache to that port like so:
RewriteRule /nodeapps/applicationName/(.*) http://localhost:8080/$1 [P]

Resources