We are implementing some of the services in AWS, but the end user is not aware of this implementation. So when the end user hits the end point it comes into our Zuul gate way. Now dynamically we will be able to check if this end point is implemented in AWS or not. If its implemented in AWS, we are calling the AWS using webclient and getting the response back from AWS into this Zuul service. Now the issue is the same service is running in the local server as well and the response from the local server is send to the user. How can we disable this call to the local server and send the response that we received from AWS via Zuul to the end user?
Related
I came across this issue when consider the fact that my react-application needs API keys to access a backend it is using for CRUD operations on a secured database:
https://create-react-app.dev/docs/adding-custom-environment-variables/
WARNING: Do not store any secrets (such as private API keys) in your React app!
I want users authenticated into the application to be able to perform these operations without necessarily having the API keys exposed to the end user.
Common consensus seems to be create a mid layer, ie an express server that handles enriching/forwarding the request properly. But at that point, the same issue occurs if I want to authenticate the web app against the midlayer, ending up one way or another exposing the original secured API backend.
Is there a way to guarantee a "handshake" between the front end application and the original secured backend? If I need access to the code base to do so, can I do so via a mid layer instead
You have to disable the CORS in your express server.Thats means except your front end, no other client can send request to your Express server. And then, though your authorizationfor your express server is exposed but its not gonna help unless the request is from your front end app.
As part of distributed deployment on AWS, we have moved all static web assets, including angularjs files and dependencies to an AWS S3 bucket (static website). Angularjs controllers have complete API URL pointing to a nodejs server running on an EC2 instance. I am trying to figure out what is a good way to prevent Nodejs server from processing any HTTP requests other than the ones originating from angularjs controller.
Option -1 ) I cannot use S3 IP address for obvious reasons as incoming IP address for EC2 security group hosting the Nodejs server.
Option -2) I can use VPC Endpoint, but its more of a solution to allow EC2 in private subnet to access an S3 bucket.
Option -3) I can have another EC2 instance hosting a reverse proxy which the S3 angularjs will connect to. This reverse proxy will forward the request to EC2 instance running nodejs.
Option -4) Use AWS Nat Gateway, do not think its much different from option # 3.
Need folks to chime in with their thoughts keeping in mind security.
In case of AngularJS, it's all JavaScript. Your code is run from the use's web browser, not S3 bucket.
You can implement this by validating the Origin HTTP header. But that can be easily hacked.
The best possible solution is provide a service which generates some kind of session token, add it as part of all requests in some header field in AngularJS while sending requests to your NodeJS server and validate it for every request.
I am building a real time web application with angular js, express js and passport js.
The passport authentication is working fine on the main server. I have written a second logging server also in express js and want to use this to simply receive http POST requests from an angular js service. This will enable client side exceptions/errors to be recorded and available for debugging purposes etc. I don't want to introduce a dependency on logging in the main server so to have this logically separated.
I am thinking about introducing a redis store for passport/express sessions so that the logging server is also subject to authentication and sessions can be shared across the two servers. I am not sure how to implement this session sharing though.
In this scenario what is the best practice is for authenticating across the two servers - I don't want the user to have to log in twice.
You nailed it down. redis store yes. There's no need for manual implementation. Have both servers use same instance of redis server (i.e. cloud redis, installed locally on only one machine etc). express sessions have the ability to use redis store (take a look at connect-redis package). Sharing is accomplished automatically since both stacks will communicate with same redis store.
The way it works in details, when the user is auth the connect.sid cookie gets written to the browser. then subsequent requests (i.e. to second server) will transmit this cookie. second server sees the SID and looks it up and finds it and retrieves the same session from redis.
It's hands off implementation.
I am creating a web application using GAE/GWT. Front end GUI is a web client and the server is a RESTFUL server both running in GAE in different domains.
I am using json with padding to communicate with the server but discovered I won't be able to send a PUT/POST/DELETE request.
My application will be used to mainly used to query data (query: 85% of cases, modify data: 15%). All requests will be authenticated.
I am considering the following options.
1) For querying use JsonpRequestBuilder, for modifying create a proxy in the web client server side and hit the REST service through this proxy. Use GWT RPC to communicate to this proxy.
2) Make every request as a GET request in my REST service (including those that modify data) and use jsonp directly from web client.
I would prefer option 1) but option 2) seems less work to do.
Should 1) be my preferred option ?
Are there any problems with 2) given all my requests will be authenticated. ?
Is there any other easy approach to solve this problem ?
Regards,
Sathya
The simplest solution is to use CORS which allows you to send requests two different origins. But it is not so widely spread (check caniuse), so if you have to support IE8-9, it will not be enough for you.
In your case I would try to implement dual solution (e.g. CORS + server proxy). If browser supports CORS - send the request directly to the target server, if it doesn't - send request via proxy.
Sorry to ask but what is the advantage to have your client running on a different domain ? From what I understand your client's server will do nothing ...
If you are not the "owner" of the REST backend, maybe this backend should developp an authorization system for third party applications, like oauth2.
Then your application can talk backend to backend with a secured connection. You can use scribe to do that on your backend.
I was unable to access my Backend Instance at custom domain.
For example, I have an app and I access the Normal Instance sucessfully at:
http://www.[my_app_id].appspot.com or http://[my_app_id].appspot.com
And I have a backend config name=test and I accessed Backend Instance successfully at:
http://test.[my_app_id].appspot.com
In admin interface, the "Instances" link show the instances of Backend and Normal Instance separately. The content show is the same, but is easy to see when a request go to the Backend Instance and when go to Normal Instance.
Then I configured the wildcard "test" in Google Apps to access my Backend Instance at a custom URL:
I continue access the Normal Instance sucessfully at:
http://www.[my_domain].com or http://[my_domain].com
But request at
http://test.[my_domain].com
redicted to the Normal Instance instead of Backend Instance.
The doc's said it should work but I cann't at this moment and I need uses custom domain because my app is multitenancy.
What I do wrong?
Your backed is really supposed to be accessed by the front end, as I understand it.
So when your application front end makes a request to it's back end (e.g. via a URL), it'll work as it's all done internally.
Have you set your back end to be publicly accessible?
https://developers.google.com/appengine/docs/python/backends/overview#Public_and_Private_Backends
Backends are private by default, since they typically function as a component inside an application, rather than acting as its public face. Private backends can be accessed by application administrators, instances of the application, and by App Engine APIs and services (such as Task Queue tasks and Cron jobs) without any special configuration. Backends are not primarily intended for user-facing traffic, but you can make a backend public for testing or for interacting with an external system.
I don't know why the redirection is not working, but perhaps you should modify your question to show what problem it is you are trying to solve here and get an answer to that instead?