I am integrating laravel and backbone. I have routes like
Route::resource('tasks', 'TaskController'); and backbone model uses this route for get, post and put requests. and this route simply displays raw data. I want to hide/secure this link/url so that users can't see raw data.How can I achieve this??
Short answer : you can't.
If your Backbone application can access to something, a user can access to. For your server, backbone requests are exactly like a user requests. In fact, the browser make this requests for both.
You could put a password in your Backbone code to protect the access... but it's useless because the Backbone code is public (it is client side).
The only thing you can do is to put restrictions on what Backbone (or a user) can see. For example, authenticate the user and verify that he is allowed to access data before to send it.
If your Backbone app can access data there is no reason to hide them to your users. It's like if you want to hide the raw html code in a web site, that's senseless !
Related
I'm building a bit web app where user can save his websites.
My problem is that Auth::check() returns false even if me as user I'm logged in when I try to get data throw API.
I use one WebsiteController and I put the route to this controller inside api.php route folder.
I can access http://localhost:8000/website but not http://localhost:8000/api/website.
I'm biginner, please any one can help me ?
Register API routes in the routes/api.php file. In Laravel, API
routes and web routes are registered in separate files to avoid
mixing them all up.
After authentication, store the token in local storage and send
those access token details in each request header.
Ref Sample here : https://medium.com/#Gbxnga/token-based-authentication-with-react-and-laravel-restful-api-83f16581e85
Assumption / understanding **: As per the Given brief information, you are tryign to create a CRUD application in react and it calls Laravel API to manage those websites ?
**Note: On what you are tryign to accomplish with /api/someroute (is my assumption / understandig is correct?) and where you are calling it in react. Those code snippets you should share and what is expected - when that service call is happneing. Example Return a json and prepoulate list of added websites in home page etc . And instead of happening that, it redirects user to /someroute ? .
To avoid xss attack, MVC generating some antiforgery token.
But in our project we have Angularjs with web api.
My need is
Do we need antiforgery token to prevent xss attack in Angularjs project with web api?
If we need, how to implement?
The antiforgery token is against cross-site request forgery (CSRF). In very short and somewhat simplified, an attacker may be able to set up his own website, trick your user into visiting that website, and then create a webpage for the user that will make the user's browser post a valid request to your application, something your user did not want to do. The standard protection against this is generating a random token in your application that the attacker won't know and won't be able to send. OWASP has a nice description of CSRF and also a protection cheat sheet. This problem only comes up if authentication info (the session id or access token) is sent automatically by the browser with requests, ie. when it is in a cookie. Otherwise the attack is not possible.
This has nothing to do with cross-site scripting (xss). An attacker may want to inject Javascript into your page when viewed by other users so that he can access data displayed to or stored on the client by victim users. To solve this, you need to encode all output according to its context, or in Angular (and Javascript in general) you need to make sure that you only use bindings that may not create a script node in the page dom but only bind as text. OWASP has a cheat sheet for XSS too.
In case of Angular talking to Web API, you need to take care of CSRF in the Web API code if (and only if) you use cookie-based authentication / sessions. If the access token is stored anywhere else and you have to insert it into each request in code (like for example the token is stored in a Javascript object and added to each request as a request header by jQuery), it's fine and you don't need further protection against CSRF.
If the Web API serves JSON content, it's fine to have unencoded data in JSON responses (obviously this means you should encode data for JSON itself, but standard serializers do that for you, and you don't need to care about presentation at that level). When such data is received in Angular, you need to make sure that you only use safe bindings to actually bind that data to the UI so that Javascript cannot be inserted. Angular is reasonably good at that, but code can still be vulnerable. Also DOM XSS (a form of XSS) is a very common vulnerability in Javascript-heavy applications.
How exactly to implement these is way beyond the scope of an answer here unfortunately. It all depends on the details.
I have 4 angular applications one is a landing app which asks user to login and has to redirect the user according to its type
to one of the other 3 applications. I am unable to figure how to should i achieve that.
Have the three apps running on different subdomains. Upon login backend send a redirect response, figuring out what type of user it is?
But this leads to cors Error. Also i am not sure whether the cookie which i am setting will be accessible in all the subdomains or not.
Is there a way out?
You can do a redirect, but it seems like an unnecessary step (and kind of convoluted for this type of application).
Instead of returning a redirect based on login, it seems more straightforward to just return the address you want to redirect to in the response. Trigger a lookup to determine which app you should be directing to (however you're doing that) and then return the address of the app in the response data. From within Angular, you can extract the address from within response.data in $http. (see angular docs). The nice thing here is you also keep routing control and knowledge of state within Angular itself.
As for the apps themselves--instead of a subdomain, you can simply put the apps into different folders on your domain. This deals with CORS and the cookie issue.
Otherwise, you'd need to set a CORS header. You would do this on whatever backend you're sending the requests to--there's usually some sort of library to make it easy, for example, Flask CORS for Flask. If you need to share cookies in this case, this StackOverflow answer discusses one way of doing it (using an intermediary domain).
Generate a security key for the user session with some TTL in an authentication table when you authenticate the user with your App1
Redirect the user to any other app in any domain with this security key where they can query the authentication table and verify the user.
Let these other applications work on their own (in the front end) and communicate with the back-end with the security key when necessary.
Lot of PHP frameworks has built-in support for this mechanism. My favorite is Silex.
I have web application that uses Yii2 as API and Angular for frontend stuff. I am wondering, what would be best way to pass user permissions from Yii2 to Angular so i can show / hide data per user permissions.
My first idea was to make a api call for that data before angular starts and than use that data inside angular.
I see this as a problem if user permissions change while user is working. Users data would refresh only when he refreshes whole page which is not so often in Angular.
My second idea was to push permission data to user with every API request, but i dont know how to do it.
Any ideas?
I have certain knowledge using Bakcbone.js, and my backend is Restlet Java, but have no idea regarding user authentication
I have built a single-page web app using them, but now the problem arises that, what I am going to do after user login? There are pages that can be viewed by both logged in and not logged in user, and logged in users should be able to see additional content.
By default the page uses http, but after user Login, suppose an Ajax Post, how do I switch entire Backbone App from http to https? And suppose user logs out, how do I switch back?
Are there any convient ways just to switch all my routes in Router, Url/Urlroots in Collection/Model between Http and Https? (using relative address)
Can I deal with this using Server Redirect..and how can I do that, doesn't that make Http and Https sections completely separated like two apps?
woha - that's a lot stuff you are thinking ..half of which doesn't even belong to Backbone's scope.
Let's split this up:
but have no idea regarding user authentication
read this. I just answered this yesterday.
what I am going to do after user login?
the normal pattern here is that login is usually one page. If the user successfully logs in then she is redirected to another page which has all the Backbone stuff in it e.g. take a look at a backbone app classdojo.com . Login is simple HTML with no fancy stuff. Once user logs in, she navigates to a single-page app with all heavy client side.
Are there any convient ways just to switch all my routes in Router, Url/Urlroots in Collection/Model between Http and Https? (using relative address)
Backbone Router ONLY looks at the route which comes '#' e.g. in example.com/user#details Backbone router will only navigate based on #details . It has nothing to do with your http protocol.
Your Url/Urlroots can be relative or absolute both. So you can specify full URL with http protocol in them.