CouchDB _security PUT with angularJS - angularjs

I am using couchDB and angular for a small project. I am trying to make my database more secure and would like to know how to place, or PUT/POST, a new member to the _security document of a database without replacing the existing values. I understand the process of doing this with something like curl however do not understand how to do it using angular without overriding the existing values.
The curl would be:
curl -u admin -X PUT $HOST/database/_security -d '{"admins": {"names":[], "roles":[]}, "members": {"names": ["example"], "roles": []}}'
In angular I have this code:
$http({
url: 'http://ip:5984/guestbook/_security',
method: 'PUT',
withCredentials: true,
headers: {
'Authorization': auth_hash('adminAccount', 'adminPassword')
},
data: {
admins: {
names: [],
roles: []
},
members: {
names: [self.user.name],
roles: []
}
}
})
Like I said the problem is that it is over riding what is already there, would using a different request mean it will not? the only way I can think to do this is to pull the existing _security document to the client, append and re put. surely this would create security issues as well as a large number of http requests being made.

A PUT will overwrite the document and as you mentioned you would have to pull down the existing document before.
The security doc also has no _rev field for versioning which will lead to race conditions when multiple requests happen simultaneously. A slower request that arrives later may then overwrite the change of another request. Jan Lehnardt wrote a nice article regarding conflicts.
Did you take a look at the users-db of CouchDB? It is build into CouchDB designed for the authentication of the users an application has. You can use the users-db to create users for your application without altering the configuration of admins and members (which is dangerous from a client for a guestbook).

Related

Is it safe to access Elasticseach from a client without going through an API server?

For example, suppose you embed the following Javascript code in Vue.js or React.js.
var elasticsearch = require ('elasticsearch');
var esclient = new elasticsearch.Client ({
host: 'Elasticsearch host name of Elascticsearch Cloud's(URL?')
});
esclient.search ({
index: 'your index',
body: {
query: {
match: {message: 'search keyword'}
},
aggs: {
your_states: {
terms: {
field: 'your field',
size: 10
}
}
}
}
}
).then (function (response) {
var hits = response.hits.hits;
}
);
When aiming at a search engine of an application like stackoverflow,
if only GET from the public is OK by using the ROLE setting of the cloud of Elasticseach,
Even though I did not prepare an API server, I thought that the same thing could be realized with the above client side code,
Is it a security problem? (Such as whether it is dangerous for the host name to fall on the client side)
If there is no problem, the search engine response will be faster and the cost of implementation will be reduced,
I wondered why many people would not do it. (Because sample code like this can not be seen on the net much)
Thank you.
It is NOT a good idea.
If any client with a bit of programming knowledge finds our your ElasticSearch IP address, you are screwed, he could basically delete all the data without you even noticing.
I have no understanding about XPack Security, but if you are not using that you are absolutely forced to hide ES behind an API.
Then you also have to secure you ES domain to allow access only from the API server and block the rest of the world.

CSRF Validation Failed in Drupal 7

I've been searching and searching, including the many topics here, for a solution to my problem. I've had no luck thus far.
A bit of a backstory: I'm writing an AngularJS app with Drupal 7 as a backend. I'm able to login without problem, save Session Name and Session ID, and put them together for a Cookie header (I had to use this "hack"). Further, if I made a login call in the Postman app, then tried to update the node, it'd work. It makes me think that there's a problem with session authentication, but I still can't figure it out.
That being said, I'm at a roadblock. Whenever I try to PUT to update a node, I get the following error:
401 (Unauthorized : CSRF validation failed)
Now, my ajax call looks like this:
$http({
method: 'PUT',
url: CONSTANTS.SITE_URL+"/update/node/"+target_nid,
headers:{
'Content-Type': CONSTANTS.CONTENT_TYPE,
'Authentication': CONSTANTS.SESS_NAME +"="+CONSTANTS.SESS_ID,
'X-CSRF-Token' : CONSTANTS.TOKEN
},
data: {
(JSON stuff)
}
})
The CONTENT_TYPE is "application/json", the "Authentication" is the band-aid for the Cookie header problem, and the "X-CSRF-Token" is what is (presumably) giving me the problem. SESS_NAME, SESS_ID, and TOKEN are all gathered from the response at Login. I can pull lists made by users on the website, I can pull the list of all of the nodes of a certain type on the website as well. I only run into a problem when I attempt to PUT to update the node.
If I missed any information, let me know and I'll add it!
EDIT: I'm using AngularJS version 1.5.3.
After trying everything else, I followed one of the comments in the thread I linked at the beginning of my original post. They had to comment out a line in Services.module :
if ($non_safe_method_called && !drupal_valid_token($csrf_token, 'services')) {
//return t('CSRF validation failed');
}
It's around line 590, plus or minus a few depending on how much you've messed with the file. I don't like doing it this way, but I can't for the life of me figure out why the token's not working right. It's a temporary fix, for sure, but if someone runs across this with the same problem in the future it'll hopefully help you out!
Instead of removing the line you could also add a true to drupal_valid_token
if ($non_safe_method_called && !drupal_valid_token($csrf_token, 'services',true)) {
return t('CSRF validation failed');
}

Using backbone with sequelize/postgres

I'm working on creating a model in backbone to interact with my postgres database. I'm using backbone.js for the client side and node.js/sequelize.js for the server side. The code given in the backbone tutorial says this:
var UserModel = Backbone.Model.extend({
urlRoot: '/user',
defaults: {
name: '',
email: ''
}
});
Here they are interacting with a users sql database using a RESTful url (I have no idea what that is). Does anyone have any ideas how I can refer to my postgres table? I am beyond confused and have no idea what's going on (this is all really new to me)
Thanks.
A RESTful URL is just a URL for a webservice that uses RESTful principles. Google can explain that better than I can here, but the basic idea is to integrate the various REST "verbs" (GET, POST, DELETE, etc.) in to the API. For instance, here's a set of RESTful verbs + urls for an imaginary user API:
GET /user - returns a list of users
POST /user - creates a new user
DELETE /user/5 - deletes the user with ID 5
PUT /user/5 - updates/edits the user with ID 5
Backbone works particularly well if your server-side is designed similarly, but it's not a requirement.
If your server-side API isn't RESTful, you just need to override certain methods on your Models and Collections (most likely destroy, fetch, save, url, parse, sync, and toJSON) to do whatever is appropriate for your server.
For instance, you might want to override the url method of your model to make it return your server's (unRESTful) URL:
url: function() {
return 'www.example.com/some/very/not/RESTful/' + this.id + '/URL/example';
}
Or, if your server returns your objects with an "envelope", for instance:
{
type: 'envelope',
payload: {
type: 'user',
name: 'Bob',
id: 5,
}
}
you can modify parse to strip it out:
parse: function(original) {
return original.payload;
}
As for "how do I refer to my postgres table", if you override the appropriate methods, then call the appropriate Backbone action methods (fetch/save/destroy) on your models and collections, Backbone will make AJAX requests to the URL you define in your url override. Your server can then use any language you want to interpret that request and perform the appropriate operation on your PostgreSQL database.

querying specific data from Spotify API

The Spotify web API is not well documented, or at least I couldn't find what i was looking for.
I want to get all the artists that start with an "A" (for example).
If i do this (node.js):
var options = {
host: 'ws.spotify.com',
port: 80,
path: '/search/1/artist.json?q=a',
headers: {
'Content-Type': 'application/json'
}
I get the artists that have an "A" not the ones that start with "A".
This is just a basic example but i'm guessing i'll run into this problem later on as well.
Can this be done or it depends on their API?
Do regular expressions work for something like this?
Regular expressions don't work with this API. The advanced search syntax does, though.

Connection between Playframework and ExtJs

I am doing a project were I am trying to make the backend with playframework and the frontend with Extjs.
I can retrieve the data from the server with Json and show it in a grid with all it's fields.
The problem comes when I try to modify, remove or add any record.
The request sent by Ext: DELETE lista?_dc=1318409614652
(I solved _dc with "noCache: false" over the proxy)
The request right now is: DELETE lista
The request I need is: DELETE lista/"parameter of the object like ID or name"
Do you have any idea about this? If you need any information let me know
Thanks in advance!
I suppose you are not yet using the Rest proxy (of ExtJS) for this, but you should, as it does exactly what you are asking for. You set it up with an url like /lista in your case. Now, when you delete a record, the proxy automatically sends a DELETE request to the url, appending it with the id. Check out the documentation (linked above) for more info - you can control the url generation a little bit, but in your case it looks like you can do with the default options.
even if you don't want to use Rest Proxy, you use still use Ext.Ajax.request like below.
Ext.Ajax.request({
waitMsg: "Saving... Please wait",
url: "myserverscript.php",
method: "POST",
params: {
action: "delete",
id: myForm.down('#id').getValue(),
data: jsonData
}
});

Resources