i'm developping an app with the ionic framework and a jee + postgresql backend.
I'm actually doubting about the HTTP Requests :
Should i use only jsonp? Or add an Access-Control-Allow-Origin * in my HTTP headers ?
Of course, both of these solutions are working, the second solution seems unsecure to me but i'm not use to mobile requests (without domain-based call/endpoint) so i don't really know what to choose ... i might also miss some other way to do the job ....
Do somebody know how to properly build this kind of communication ?
Thanks you !
If you want to be very flexible and very secure, you might want to implement a JSON Web Token solution. The server issues json web tokens to your users. You can define who gets a token. Then the token must be attached to every request from ionic to your server. The server determines what data to return, if the user is authorized.
For JEE there is this package. For ionic the auth0 repositories are a good study start. You can find many examples online. I think that is the most elaborate solution available, despite might not be easiest to implement.
Related
I'm asking for some help, maybe I'm missunderstanding some concepts and finally I dont know how to solve this requirement:
I have a create-react-app application deployed using Netlify.
Also my backend is deployed on AWS ECS.
I'm using AWS route 53 for routing frontend and backend to myapp.mydomain.com and api.mydomain.com respectively.
A client has a specific network config so only *.mydomain.com requests are allowed for his organization.
The problem resides on frontend because it uses many libraries, for example:
Checking network tab on browser I noticed thw following:
I'm using a giphy library, so it makes requests to api.giphy.com.
I'm using some google stuff like analytics and fonts, so I assume it will make requests to some google domain.
And so on...
As I understand this kind of fetches will be blocked by client network "firewall".
Adding more rules to said firewall is not an option (That was my first proposal to client but they only allows *.mydomain.com and no more)
So my plan B was implement a proxy ... but I dont have any idea of how to implement such solution.
It's possible to "catch" third party fetches, redirect them to my backend like api.mydomain.com/forward, so my backend would make real fetch and returns response given by said fetch to frontend?
The result desired should be, for example again, all fetches made to api.giphy.com should be redirected to api.mydomain.com/forward/giphy and same for all third-party fetches
I Googled a lot and now I'm very confused, any help is welcome!! Thanks devs!
I have a stateless header based authentication API endpoint. I would like to build my website that will be requesting data from it. Being a stateless authentication and given the fact that the server does not maintain any sessions, How would I go about implementing a Login Flow for the same. I am building an AngularJS SPA and would be using multiple routes in my application. What would be the best way to approach the authentication for a production level service. I came across AngularJS cookies, but it is not really that secure(I am concerned about a possible Cookie Hijack). What are my options here? Any help will be really appreciated as I am completely new to login flow.
I will be sending the headers over SSL for obvious reasons. But how prone am I to an attack by doing this? https://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https There are weaknesses pointed out here, but how do I overcome these? Any help will be really appreciated.
PS: I understand that there are better ways to implement it currently by making modifications on the server side, but if I were considering this current scenario of how everything works(explained above) how would I go about with it?
I would suggest using JSON Web Tokens (https://en.wikipedia.org/wiki/JSON_Web_Token).... check out https://github.com/auth0/angular-jwt for a ready to use solution for Angular. You just need to setup the server side part.
I used Riak(http://basho.com/riak/) as rest service and Angular on client. When I try to use method "PUT" then first request is OPTION, but Riak doesn't know how to properly respond for this.
I found some clients but all of them are made to run on server, not sure about Node.js client like this http://riak-js.org/
Can I make it working from web client?
Maybe Riak was not meant to work with web clients directly, then I'll try something else.
I don't know about Riak, but the OPTIONS request suggests that you're trying to perform a cross-domain request (Angular running on domain "aaa.com", Riak on domain "bbb.com", although it can also even be just a different subdomain or port number).
My guess is that Riak doesn't support CORS, in which case you need to look for an alternative (a simple server-side proxy might be all that you need, although please consider the security impact of exposing Riak directly to browsers).
I have found js gui client for Riak https://github.com/basho/rekon, but it works directly from riak, that's not what i wanted but maybe i can use same solution also, or make proxy on server
I've picked up Angular and am now developing two separate applications, the frontend, Angular app, and the backend, the Laravel app.
As of now my backend app is just an API endpoint that handles requests, database interaction, logic, validation, etc.
However, what stops someone from requesting /api/users/1 and getting that data?
Right now there is nothing in place that prevents this from occurring.
What's the best way to prevent this from occurring and verify the request is sent through the application and not through something like http://hurl.it from some random user?
You should first evaluate what routes need to be protected, and who should have access. Sometimes it might be fine to leave them open to the public.
Once you've figured that out you have a few options. I personally lean towards the oAuth 2.0 protocol. Some people find it to be over kill. Then there is also WSSE, I personally feel like today there is far better resources explaining the use of oAuth and would probably be easier to follow.
You can google around for oAuth server libraries for laravel. One such is: https://github.com/lucadegasperi/oauth2-server-laravel
You will also probably want to enable CORS if your angular app is on a different domain from your api. IE: api.example.com (holds api). And example.com is where your app lives.
For CORS laravel also has some packages, one such being: https://github.com/barryvdh/laravel-cors
I have a backend REST app. I'm presently developing the frontend app. Now i have a confusion as to how to setup the frontend app.
Case 1 - Plan to use Spring and have a frontend controller layer that takes care of calling the REST services. But i need to have models and POJOs setup same as in the backend to parse the JSON response. This seems like a overload on frontend. How to go around about this?
Case 2 - Plan to use Angular.js. Then i need to have all my REST URLs in the controller.js which is completely accessible for anyone. That way im totally exposing my REST domain, URL and request format. Is it not a security threat? How to go around about this?
Can you please tell me which case is better and secure and how to resolve the problem attached with it?
Secure your REST endpoints using a scheme like OpenId or OAuth or something else. Spring and numerous other web app frameworks have components to help with such authentication.
AngularJS is a client side framework. You can use Angular along with Spring. They are not mutually exclusive.
Finally, any http request (including RESTful http requests) invoked on a client is easily accessed simply by viewing the network traffic. Chrome, Firefox, along with other browsers provide tools, out of the box, that make this very easy to do. All the more reason to secure those REST endpoints.