I have a very simple webpage created in angular, with no backed. Now I would like to store some very simple user statistics data in some way, without involving a backend. File, database or some other thing that I can access from clientside.
I had a look at MongoDB which looks very cool, I can access that via a REST api which is perfect. Only problem here is that the api is hosted on https, which my domain are not. That means I cannot connect to the api because of CORS error. And I would like to avoid buying an SSL certificate.
So do I have any options here? Storing data from clientside without a backend and SSL?
Thanks!
The solution was actually to go with Mongodb, and add a free SSL certificate from https://letsencrypt.org/
Related
The following is the architecture of my Web application.
Web UI(Angular JS) running on nginx
Back-end data access layer (Java App) running on glassfish app server
My question is, how can I prevent a valid user from tampering or manipulating the REST service JSON request using some proxy tool.
One thing that I thought of was to encrypt the JSON but this will still expose the public key and the source code of how to encrypt it since its done on client side scripting. Is there a better way of doing secured JSON request?
P.S: I'm not talking about "Man in the middle Attack". This is not related to session hijacking. This is about a valid session user tampering the POST request using tampering tools.
You can't.
Anything that runs on client-side is exposed. Almost everything there can be tampered.
So your best bet is that you have a strong server-side validation before you process the data from the client.
I've been googling the entire afternoon and I'm still not able to figure out what's the best solution to implement the following:
We have build a webapp in AngularJS that consumes interacts with REST API build using Symfony. The app allows users to register, login and do stuff. Now, these users need to upload very big files (>60GB) into their personal folders. A separate VM have been setup for this purpose (data server), located in the same VLAN as the frontend, backend and the MySQL db serving the data. The data upload will be done using either HTTP (using JQuery File Upload plugin) or an FTP client.
I'd like the users to authenticate into the data server (both via FTP or HTTP) using the credentials they already have for the app. For the FTP case, I'll use PureFTP as FTP server, which validates user/pass directly from the MySQL. As far as I know, this is the most convenient solution, but criticism is accepted.
For the HTTP upload, we could proceed in a similar way: POST user/pass, validate against DB and return true/false. Since all the communication will happen within the VLAN, security issues are less problematic. Nonetheless, I believe much more sophisticated solutions have already been developed.
My first thought was to build an OAuth server on Symfony and then authenticate the uploader (and future services) with their respective clients. Is this a right approach or is this a too complicated solution?
Alternatively, a service in the dataserver could validate user's credentials sent by the client against the REST API, receive a JWT and generate a new session for that particular client to list and update files on a particular folder. I'm not sure how to build this middleware though, do I need another Symfony instance or a simple PHP script will do the trick?
Please do not hesitate to share any thought you have on this. Any point of view will be much appreciated.
Thanks a lot
I used Riak(http://basho.com/riak/) as rest service and Angular on client. When I try to use method "PUT" then first request is OPTION, but Riak doesn't know how to properly respond for this.
I found some clients but all of them are made to run on server, not sure about Node.js client like this http://riak-js.org/
Can I make it working from web client?
Maybe Riak was not meant to work with web clients directly, then I'll try something else.
I don't know about Riak, but the OPTIONS request suggests that you're trying to perform a cross-domain request (Angular running on domain "aaa.com", Riak on domain "bbb.com", although it can also even be just a different subdomain or port number).
My guess is that Riak doesn't support CORS, in which case you need to look for an alternative (a simple server-side proxy might be all that you need, although please consider the security impact of exposing Riak directly to browsers).
I have found js gui client for Riak https://github.com/basho/rekon, but it works directly from riak, that's not what i wanted but maybe i can use same solution also, or make proxy on server
I want to deploy my AngularJS app which access RESTful web-services onto an aws and I am wondering if I really need a server to serve my AngularJS files.
I can server them as static files or use something like NodeJS but do I really need one?
What are the advantages/dis-advantages of using a server in this scenario?
If your app is small, it's really not a problem if you only access to an API.
But if you want to login via other services where you have for example a public and secret token it's better to work with a server who use cache this datas from your users (maybe it's what your aws is doing).
If you want to access RESTFull Web Services from AWS, you need to put your angularjs files in a server.
The server will give access to resources, if the request is from http protocol. It will deny the request to serve if the protocol is file.
I am sending HTTP requests from GAE to MongoLab in the form of:
https://api.mongolab.com/api/1/databases/rival_testdb/collections/testCollection?apiKey=someKey
If this request was coming directly from client side, I would be very concerned. But since this request is coming from inside a servlet in GAE, is this a security concern? How could I make this more secure if possible?
I would like to use MongoLab if possible, but their API only allows for putting the API key directly in the requesting URL. So I am stuck using a URL like the one above for all API requests.
As long as you can secure the API key on the server you should be good. You do not have to worry about it being sniffed on the network as all the communications are over HTTPS thus encrypting the request string and the apiKey along with it.
-will
This is a valid concern for most public services.
Specifically for MongoLab, this discussion is present over here: https://support.mongolab.com/entries/20269612-REST-api-permissions-and-security-best-practice and it does not look like the security additions that they are talking about has been released in public.
Do check out to the link.
Having said, I am assuming that the only way that you are accessing the Mongolab API is from within your GAE Application? That at least makes it more difficult for anyone to sniff out the url from your application.
A good solution would be for MongoLab to allow a HTTP Header to be inserted before your make the REST call. Here you would some ID that identifies that it is your GAE App. And then MongoLab should be doing a check for that before permitting the call to do its work.