It seems App Engine dispatch rules are configured at the project level, totally static, and must be defined as a complete configuration? If so that is really inflexible so I'm hoping that's not the case.
I want to be able to dynamically create/deploy/destroy app engine apps with a custom domain - how is that even supposed to work?
For example user1 is working on appOne. They should be able to deploy their own instance of appOne to test. user2 is also working on the app and they should be able to deploy their own instance and these instances should be accessible at paths they choose.
How do I automate these deploys? I want to deploy an app and add a dispatch rule dynamically. So there is a script that can do this ./deploy --instance-name=user1-test. An instance gets deployed and it's accessible at mycompany.com/appOne/user1-test.
How is that possible? Is there an API call you can make to just add a route? Or in order to do something like this you would need to programmatically generate and apply a dispatch.yaml? That would be terrible and probably not reliable because it would clobber all existing rules every time it is applied.
Edit
Maybe there is some advanced URL rewriting that might make this kind of dynamic thing possible? So I could say match URL mycompany.com/appOne/user1-test to a service named appOne/user1-test? That's all I want really.
You can use the App Engine Admin API to update the dispatch rules dynamically.
The dispatch rules are part of the apps resource.
Take a look at this link for more information.
Related
I'm trying to use react-facebook-login to authenticate users, but I need to access the user's email. This should be doable via the scope parameter, but it doesn't work. There are multiple issues about this subject on Github going back years that haven't been addressed.
My question is - is there a way to modify/override this package to accommodate this (it appears the scope parameter is simply not added to the popup url), since it looks good otherwise? I have no idea how to patch or override node modules.
Alternatively, what is the absolute easiest way to implement this - is getting dirty with the Javascript SDK the only way, or are there better packages?
<FacebookLogin
appId="myappid"
autoLoad={true}
onClick={componentClicked}
callback={responseFacebook}
scope="public_profile,name,email"
/>
The Package has no issue your app does, you need permission to access such information, while in development you can get the the information's just fine but be aware in a recent change in facebook graph api now in order to access user email you must ask for email Advanced Access you can do that by going to your app dashboard
https://developers.facebook.com/apps/appId
in the left panel click App Review and select Permission And Futures there search for email and click Get Advanced Access Clear your browser cache and you good to go
I'm using this package instead which works as intended:
https://github.com/seeden/react-facebook
So currently in the project we have a collection of documents that don't require authentication to be read. They are write/update protected, but everyone can read.
What we are trying to prevent is that someone looks at the firebase endpoints and somehow manages to scrape the entire collection in json format (if this is even possible). The data is public, but I want it only to be accessible from our website.
One of the solutions we could think of was SSR (we are already using Next.js), but implementing SSR just for this reason doesn't seem very enticing.
Any suggestions would be appreciated.
EDIT:
Let me rephrase a little bit.
From what you see in the network tab, is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
The best solution in your case is SSR. I know, it could sound as not enticing, but well, let's reason on when we should use SSR, then. In your use case, there is an important requirement: security. I think this is already a strong enough reason to justify the usage of SSR.
Also, creating an ad hoc service account for the next.js app, and securing the data with custom rules that allow the read of your data only to that service account, would only improve the overall security level.
Last: reading the data server side should make your site work a little faster, even if it would be difficult to notice, because we are talking about milliseconds. Notice that your page, as it is now, will need to be loaded, before the request to Firebase could be sent. This is adding a small delay. If the data is loaded server side, the delay is not added.
is it possible to forge/create a request to Firestore and get the entire collection instead of just the 1 document that was intended?
If you want to limit what people can request from a collection, you're looking for security rules. The most common model there is some form of ownership-based access control or role-based access control, but both of those require some way of identifying the user. This could be anonymously (so without them entering credentials), but it'd still be a form of auth.
If you don't want to do that, you can still control how much data can be gotten through the API in one go. For example, if you in the security rules allow get but not list, the user can only request a document once they know its ID. Even if you allow list, you can control in rules what queries are allowed.
I think one approach could be writing a Cloud Function that retrieves this public data using the admin SDK. Then, you could set a rule that nobody can read those documents. This means that only your Cloud Function with the admin SDK will have access to those documents.
Finally, you could set up AppCheck for that specific Cloud Function, this way, you ensure that the request is coming from your client app only.
https://firebase.google.com/docs/app-check
I would like to add functionalities depending on whether or not the user logged in is the administrator but I don't really know which condition (for conditional rendering with delete buttons etc) I should use to check if the user is the admin or not. Is it safe to do it based on the id of the user ? In the first place, I thought about testing the user in every component I want him to have functionalities, with a state called "user" using recoiljs to get access to the user in the whole app but I'm afraid people could change the state with the react tool extension and then pretend they are the admin and so delete articles and stuff... What's the best way to test if a user is the admin or not using firebase authentification in a react project ?
It's never safe for client code to assume admin responsibilities without absolute enforcement from your backend. It's unsafe because client code can be compromised and might not work the way you expect. And it's running on a device that the user controls fully.
Client code can check some indicator to see if the user is admin (in whatever way you find suitable), but the final check needs to happen on your backend, either through security rules (if you're using Firebase products like Realtime Database, Firestore, or Cloud Storage), or in code running on a secure backend, including products like Cloud Functions.
I'm looking for information on how to implement secure pages using ExtJS 4. By secure pages I mean the user will log into our website using Siteminder (SSO) and so we will have the user's identity. Then we would determine what roles the user would have by making a database/LDAP call and only render those views/components that the user has access to.
Several questions come to mind:
1.) Of course I would expect we would do the authorization check prior to rendering the pages on the server-side, so how do you do this prior to firing Ext.onReady()? I need to have the ExtJS wait for the response from the server?
2.) What is the best way to organize a page's components where the case may be someone could see a particular component and another person cannot?
3.) How do I deliver the resulting page (i.e., the pieces the user has access to) to the client?
TIA!
If you're working from a Java background and are comfortable using Spring, I wrote up an approach using Spring Security here. This will allow you to plug-in any authentication mechanism you want. The main difference is that instead of using an index.html to bootstrap the application, I have a JSP so that the Spring Servlet Filter will fire for authentication. The Ext JS app blocks until the user is authenticated and the user's roles/permissions are provided.
Use a server side technology to pre-process authorization by putting your JS App launch script into a JSP/GSP. What this does is forces server side components to kick off first and then render the HTML/JS/CSS to the client. For full RIA app use index.gsp(or jsp) and the your URL stays "domain/contextroot" .
You can interrogate access privs to content via ajax request to server or alternatively you could set JS variables via again JSP technology that is processed first before the rest of the client response is returned.
< g:javascript>
//global env var definition
var env = "${System.getProperty(Environment.KEY)}";
< /g:javascript>
Both of these are not 100% safe as client side code can be altered. The real security enforcement must be handled on server side when data is submitted for processing.
'3. Easy way would be to hide/show views etc based on 2. above. There are also some experimentation out there with modularizing the client side MVC application by lazy(manually) initializing controllers that may or may not be needed.
Hope this helps.
DB :)
I am currently experimenting with the following solution. Although it will only work for apps with a rather simple set of users, it could be of some help to you.
To begin with, user authentication is done without extjs, using a simple HTML/CSS page. Once the user logs in, its details (user id, role) are saved into the PHP session. And then the page redirects to one of two extjs apps.
One app for normal users (I'll call them clients), these are people who's client side JS does not include any admin functionality. The other app is for admins.
Both apps have their classes inherit from base classes. So we have, for example, base.mainMenu from which both admin.mainMenu and clients.mainMenu inherit. The only difference in the app.js script is the controllers loaded, and per extJS 4 dynamic loading module, only the related views are loaded (ie, seen on the client side). In my case, all pages load dynamically anyway, so my users can only dynamically load pages in their mainmenu.
The admin app blocks certain features using a global JS variable that includes the user's role. So for example, the hiding of an 'edit' button from moderators (an admin group with less rights) is done once the view is loaded (in practice this is actually done by not loading a plugin that allows editing on the view).
To wrap it all up, any call to the server checks whether the session user has rights for the requested operation, so regardless of client side scripts, server operation can only be performed by people with the appropriate rights.
To summarise, you have 3 different strategies that you can mix-and-match:
Loading different apps for different users. If your classes all inherent from base classes, this is easier than maintaining 2 or more completely different apps.
Using a global JS variable to disable/enable certain features for certain users. This is only good if you don't have a problem with the client side loading features that are then disabled (but still seen by debuggers).
Regardless of anything, all server-side calls are checked against session variable.
check out Role-based access control. I use Yii's database-based RBAC, and have a php script that returns the rbac rules in json format when ext starts up
on the client, the best bet is to simply hide or disable functionality that is not allowed.
on the server, you should throw a 403 http error if the user is not allowed to perform a function. handle ajax exceptions in ext and check for 403s.
I have been struggling all day with an issue. I am sure there must be some easy solution that lots have already implemented as it looks to me as a basic setup.
I am building an app with GWT and appengine using requestfactory. This app has some "pages" (they are actually MVP views) that everybody should have access to. It's like the home page and a couple of views where the service we provide is described. Then if you want to use the service you have to login (with google accounts and all that). Only being logged in you have access to the rest of the views (pages) in the app. The question is, how to handle this?, the fact that some pages and some requestfactory calls are public and some other have to be available to those that have logged in?
I have already discarded the auth-constraints tags in web.xml because they work with all or nothing.
The next alternative was to use servlet filters (as the expenses demo does). That could work, but only if the "open" or not secured pages didn't need to access any data from appengine datastore (and I don't want to close that door, maybe in the future I want to show status or number of users, etc etc). The reason for this is that with request factory you only have one servlet so if you put a filter you shut down all comunication with appengine if the user is not logged in.
I was thinking of implementing this filter, with requesfactory for all the stuff once the user is logged in and also implement some RPC services for the data i might want to display in the "home or information pages" that i might need to retrieve from the datastore. However it looks a bit overkill for me.
Another alternative is to implement a check that the user is logged in all the request factory service methods that i want to protect. But that doesn't look to elegant either...
Anyone had the same problem? any ideas?
I'd appreciate any help on this.
Thanks,
You say that the auth constraints are "all or nothing", but that's not true - they're per-url. See here for details. Also, your connection of servlet filters and datastore access is a non-sequitir - the two have nothing to do with each other.