Similar questions have been asked before, but this a one is a little different. I created a REST API to send an XML document with `POST. I send data from my (Windows) application to the servers, which includes: open time, operating system, version, etc.
I have one problem though. How can I make sure people can't use the REST API? How do I know that the information sent to the server is from an application and not from someone who knows the URL? How do analytic software companies solve this problem?
Thank you.
Update
I would like users to use my application without having to log in. I am pretty sure that companies that create apps that do not force you to log in are able to see whatever you are doing.
Well there are several way to secure your service.
You can always setup authentication & authorization for the service - this way the service will be available only to registered/known users.
Here are links few links for more details:
Best Practices for securing a REST API / web service
http://www.stormpath.com/blog/secure-your-rest-api-right-way
Also there are less sophisticated ways such as setting firewall rules to allow connections only from certain places -- I don't think it is a recommended approach.
Related
There are various tasks that a web back end developer has to do while doing a project while making APIs in specific. For example setting up authorizations for various roles, setting up a push notification server(mobile applications) etc. I just wanted to know a few more.
It depends on what kind of freedom the developer has. If the path structure is not explicitly described in the technical task, then first of all the developer creates the basic structure of the server. Then it determines whether user authorization is required to access the requests. If authorization is required then what type it would be. Ofcourse, creating connection to database.
You need to describe more clearly your question to get more clear answer. It really depends on the purposes and type of server (HTTP server, Media server, e.t.c)
I'm planning to build web application on top of a REST api. I have been thinking about 2 different ways to write web UI layer for controlling the views, user session management, etc.
One way : Just write everything in Javascript using Angular or similar frameworks. But, the problem I see here is, user session management and also it may not be good idea to expose everything to client. I'm thinking anybody with good knowledge of web design, can find out javascript logic and end points.
second way: Write a thin controller and user session management layer on REST in may be Spring web mvc project / Node JS, etc, and control everything from there. But, the problems I see here are, we have to have some end point lookup logic here, to map web ui request to REST end point. Everytime, we we add more end points, we have to maintain that catalog as well. Also, the JSONs will go through many transformations, and which may add some overhead.
can anybody suggest some architecture ideas for this ? Am I missing anything here ? Can we write secure Javascript web ui layer on REST ?
I was also thinking about having Message broker like RabbitMQ to scale it. Any suggestions are appreciated.
Thanks in advance.
You should first decide on how you divide responsibilities between the client and the server. What do you want the server to do, and what do you want the client to do? You already figured out that the server should hide the sensitive information, to keep the application secure. Is there anything else you need from the server? If there is a database, you probably also want to let the server handle all access to the database.
Notice that there are also alternatives such as Firebase, where they take care of the backend for you, and you focus on the front-end mainly. Might save you a lot of work on authentication, and data access.
You also need to think what kind of communication style they will be using? If it is Request-Response, then REST is suitable. If it is some kind of bidirectional messaging such as chat, I recommend to take a look at Meteor. In Meteor, you write in Javascript for front-end, back-end and mobile.
You mentioned that you're concerned with having to transform your Jsons often. If you do your server-side with NodeJS, this problem disappears. It's Javascript on the server-side.
There are many ways to implement an application. You can more specifics about what you're trying to do, and then we may recommend the frameworks that are better for you.
I have a front-end angular app using firebase to store user data.
I currently do not have a backend set up, such as a node.js server.
I would like to use the Google Docs API to upload files from my app.
Since the Great Firewall of China does not (or makes unstable) the use of Google services, is it possible to place those services on the backend server and still use them reliably?
Perhaps after they have uploaded the document to firebase, a backend script retrieves it, uploads it to google docs, and then removes the record from firebase? Just trying to see if Google or similar services are even feasible for this use case.
I suppose the crux of my question is whether or not the calling of the Google API would be taking place on the user's computer, in which case would it become unstable?
** Updates for clarity:
I am deciding whether my firebase-backed app needs a more traditional backend like a node server to do things like: upload images and documents, send mail via Mandrill, etc... It would be helpful to me if I knew whether, after putting in the time to create a server, some of the services I am after (aka APIs) are any more resilient to the GFW than they would be if they ran on the client side. So if any one has had success in such a task, I would like to know.
** Technical update:
So, for example, if I run the Google Maps API on the client side, if the user is in China and is not running a VPN, accessing the API calls will either lag or time out or (rarely) success in returning the scripts. If I was somehow able to able to process the map query "off-site" aka on the server, could I then return with a static image of the map to a Chinese user without fail?
If I was somehow able to able to process the map query "off-site" aka
on the server, could I then return with a static image of the map to a
Chinese user without fail?
Yes, of course. What you are going to miss this way is all the front-end interactive functionality Google Maps offers. But if that's ok in your use case, sure.
I have never tried it with the GCF, but what I would do is this:
Google Maps <-> Your Reverse proxy <-> User
So, instead of the user visitng the real google maps site, it will be visiting your maps.mydomain.com site, that will be sitting in between, proxying everything.
Nginx is an excellent choice for a reverse proxy. If you need more control, there are good node.js reverse proxying packages that you an use to rewrite the content extensively before serving it (perhaps to obfuscate it in case the GCF blacklists content based on pattern matching, or to change the script names/links again to avoid pattern matching).
You are misunderstanding about the great firewall of China. I consulted for a couple of Chinese companies after the dot com crash so I can say this from personal experience, not hearsay.
It is mostly high-end Cisco hardware behind gateways behind their government telecom infrastructure. Nowadays they knock off what hardware they can, every chance they can, and spend money on specialized hardware to monitor cell phones systems.
There was a brief mention of the street-level surveillance hardware on 20/20 before the crash if you are interested in looking it up.
Not to discourage you, but I say set up whatever open servers you want with whatever frontends or backends you want, but the reality is the traffic is not going to be there.
That is why they call it an oppressive regime, they do not get to decide for themselves, remember?
Iam developing angular js web application .I want to store the login credentials when the user checks on remember me option.can any one please suggest me which is the better way to store the details of user (local storage or cookies or etc).And I want to maintain the session throughout the application ..please give your suggestions.
Thanks in advance
There are already plenty of solutions for that kind of stuff. As this is a serious security issue, I would recommend to use one of those instead of "reinventing the wheel".
Whether the system is using cookies or localstorage doesn't really matter at the end of the day. It is however a bad idea in general to store the actual credentials. Instead, use a token-based system that will do a server-client handshake on request.
Personally, I am working with Firebase and Express at the moment.
Firebase
Firebase is "backend as a service". They offer a free plan for production usage, have a look at it. If you like it, things are pretty easy here. You pay money and get a full-featured REST-like "backend" with built-in user management (See Firebase doc's for SimpleLogin). All you have to do is calling service methods.
Express
This is the DIY way. If you want to have full-control and a free way of doing things, this is the way to go. I am no Express master, so you better have a look at some Tutorials (http://expressjs-book.com/forums/topic/express-js-sessions-a-detailed-tutorial/)
If you don't like neither Firebase nor Express, have a look at other Backend-as-a-service offers. You could even use PHP. I would assume that one could say that this is the oldschool way of implementing user sessions :)
I've created a angularjs app which uses php for handling the database queries and enforcing an authentication schema.
When the user logs in into the app, he does so in php and php fetches the user data into a session. Then angularjs issues a http post request to a php page to read the fetched data.
After that, whenever a user asks for data, angular issues a post to a php page.
I'm considering using a framework for doing the authentication and the database queries in a better way. My security knowledge is primitive and I fear that I have mistakes in my code.
After doing a research I found laravel which seems straightforward and easy.
Now my questions are:
Can a php framework such as laravel do these things for me?
Is there something else I could use to have people authenticate and making sure that they are doing the CRUD operations they are authorized to do?
What are the keywords I'm searching about, is it routing, is it php restful? I'm asking in order to do further research on the matter.
Is there any other way in which a SPA could work with CRUD operations and Authenticating in a "safe" manner using php?
I know that the above questions are not programming questions per se, but I don't know where to ask (because I feel I cannot communicate what I want to learn about/ *that's why the keywords question above).
Thank you
There's basically two kinds of relevant "routing" both based on URLs, either client side or server side. AngularJS has the $routeProvider which you can configure so when the location changes (handled by $location) the client side template and controller being used also change. On the server side you may have redirects or "routes" that map a URL to a particular PHP file (or Java method) where at the destination it parses the incoming URL to get extra information/parameters.
I know nothing about laravel, but googling laravel and authentication came back with this which looks promising:
http://bundles.laravel.com/category/authentication
I also know things like Zend framework provide many similar options for plugging in some authentication code.
Ultimately if you're writing the CRUD operations something in your code is going to have to do deal with the role based execution of code or access to data.
RESTful is it's own thing. At a very basic level a RESTful interface uses HTTP "verbs/vocuabulary" like PUT, POST, DELETE, GET (part of the request headers which is just data that comes before any body data in the request) are given special meaning like update an entry etc. It's mostly orthogonal to the issue of authentication though if you do true REST I'm not sure if using the SESSION for maintaining authentication would be allowed since it's not completely stateless in that case (anyhow just an academic argument). Point being you can use the other ideas of REST or use some implementation that is "RESTful" and it can be written in any language or you can choose not to do this, either way you still have the issue of controlling resources (functions/methods/data) that you want to control and this issue is not the same as choosing RESTful or not RESTful (if you wanted to keep true to REST for reasons of scalability across a cluster of servers etc. you could follow guidance here How do I authenticate user in REST web service?). Also to note here the $resource in AngularJS provides an abstraction above $http specifically for handling restful services.
IMHO you should be searching for two things
1 php security/authentication
2 php hacking/hacks/vulnerabilities
You can simply write your own authentication mechanism using a session to keep track of the signed in user. http://php.net/manual/en/features.sessions.php There is no difference in a SPA vs a traditional web app as far as the server is concerned, these are simply differences in the client side code.
Any security you intend on putting in place is really only as good as your understanding of that security. I wouldn't trust someone else's plugin from the internet to handle authentication for me unless time was an extremely critical factor and security not so much. One thing that you hadn't mentioned but I think is worth looking into and necessary for any of this to really be secure is SSL. If you don't have your data encrypted there is always a possibility of a man in the middle attack (someone getting the plaintext username and password as their submitted to the database) or session hijacking (someone getting the sessionid of an active session then using that to act as the original user). Basically I would suggest you keep doing research regarding best practices and personally look over any code you plan to use to be sure you understand how it's working and what kind of security it provides you with.
I also wanted to mention, though it's a bit off topic languages wise, that Java Spring has some really nice stuff for dealing with authentication and handling access to services and data. If security is a major concern I would probably strongly consider running a Java server (not to say Java has never had it's issues or that it's automatically more secure but there's a lot of production code that has withstood the test of time). There's the free Tomcat J2EE Server or IBM WebSphere if you need to massively distribute an application. If interested search for Java, Spring, Hibernate (ORM), MyBatis, Data Access Objects. Those are all the parts (some optional) I can think of you would need to put together a service layer in Java. Good intro in the video on the left of this page:
http://static.springsource.org/spring-security/site/index.html
Also SSL isn't a silver bullet, but every layer of security helps.
Kevin Mitnick said in one of his books that lots of places have "hard-shell candy security" (paraphrasing) where breaking the outer layer means you get to all the mushy goodness inside. Any direct answer I would bank will result in this type of security.
Depending on the scope of the project it might be necessary to have security professionals do penetration testing on the system to determine if there are vulnerabilities so they can be plugged.