I am creating a web application using GAE/GWT. Front end GUI is a web client and the server is a RESTFUL server both running in GAE in different domains.
I am using json with padding to communicate with the server but discovered I won't be able to send a PUT/POST/DELETE request.
My application will be used to mainly used to query data (query: 85% of cases, modify data: 15%). All requests will be authenticated.
I am considering the following options.
1) For querying use JsonpRequestBuilder, for modifying create a proxy in the web client server side and hit the REST service through this proxy. Use GWT RPC to communicate to this proxy.
2) Make every request as a GET request in my REST service (including those that modify data) and use jsonp directly from web client.
I would prefer option 1) but option 2) seems less work to do.
Should 1) be my preferred option ?
Are there any problems with 2) given all my requests will be authenticated. ?
Is there any other easy approach to solve this problem ?
Regards,
Sathya
The simplest solution is to use CORS which allows you to send requests two different origins. But it is not so widely spread (check caniuse), so if you have to support IE8-9, it will not be enough for you.
In your case I would try to implement dual solution (e.g. CORS + server proxy). If browser supports CORS - send the request directly to the target server, if it doesn't - send request via proxy.
Sorry to ask but what is the advantage to have your client running on a different domain ? From what I understand your client's server will do nothing ...
If you are not the "owner" of the REST backend, maybe this backend should developp an authorization system for third party applications, like oauth2.
Then your application can talk backend to backend with a secured connection. You can use scribe to do that on your backend.
Related
I am currently building a web + mobile application.
My front end is developed using React and Axios (for API call requests). It is served directly by vercel on mydomain.com
My Mobile App is developed using the Flutter
My back end is developed using Django and Django Rest. It is served with apache2 on api.mydomain.com. It only serves API endpoints.
So the front-end, Mobile app, and back-end are separated.
I would like only my front-end (mydomain.com) and flutter app to be able to make API requests to my Django Rest backend.
I would like to prevent any other domains, any clients such as postman, insomnia, curl, or any script to make API requests to my backend.
I have already set CORS in Django Rest. However, I can still make requests to the backend using curl or any other client.
Do you have any idea of what I could do to achieve this?
Thanks a lot in advance for your answers.
CORS is enforced only by web browsers to prevent leaking information to unrelated pages that might request it. You need some kind of access control, either by authenticating the caller or limiting access to the endpoint.
Checking the Host header with get_host() may offer sufficient protection, depending on your server setup.
get_host() will tell you the value of the Host header in the request, which is data provided by the client so could be manipulated in any way. The Host header is an integral part of HTTP 1.1 in allowing multiple domains to be hosted at a single address so you might be able to depend on your server rejecting requests that aren't actually arriving from localhost with a matching header, but it's difficult to be certain.
It would likely be more reliable to check the client's network address and reject requests from all clients except those that are specifically allowed.
Check this question too.
The following is the architecture of my Web application.
Web UI(Angular JS) running on nginx
Back-end data access layer (Java App) running on glassfish app server
My question is, how can I prevent a valid user from tampering or manipulating the REST service JSON request using some proxy tool.
One thing that I thought of was to encrypt the JSON but this will still expose the public key and the source code of how to encrypt it since its done on client side scripting. Is there a better way of doing secured JSON request?
P.S: I'm not talking about "Man in the middle Attack". This is not related to session hijacking. This is about a valid session user tampering the POST request using tampering tools.
You can't.
Anything that runs on client-side is exposed. Almost everything there can be tampered.
So your best bet is that you have a strong server-side validation before you process the data from the client.
I have an angular app on a node js server. On another machine, I have an API server. My dilemma is how to communicate with the API server. The first approach is to send all my AJAX calls directly to the API server. The downside of this approach that the client will see how I send the requests to the API, including the secret key I send in the headers. This means I will have to work harder to secure my API. The other approach is to send my requests to my node js server, and then forward them to the API server. The downside of this approach, however, is increased latency, since it will require two serial HTTP requests. I would love to hear from you what you think is the best way to handle this.
Thanks.
First approach, and you "have to work harder to secure your API". I recommend JWT autthorization.
The most popular and reliable solution for this widely followed architecture style (Front End App to Backend API Server) is OAuth.
OAuth is very easy to setup and use with Angular Js.
As far as AJAX calls are concerned, if your application entails this behavior make sure your API is enable with CORS capability.
Here is my scenario:
I am going to build a AngularJS webapp which requires to interact with multiple cross-domain server. There are two approaches:
Make all the requests from client side - From my understanding AngularJS enable us to build a rich client and make REST call to server to obtain data. However for this approach I have to handle CORS issue.
Moving those call to server side (Node.js) - Node.js makes all the calls to cross-domain server. It exposes REST API for AngularJS to request Node.js to make those calls.
Which approach is suitable for my scenario? Are there any criteria that can guide me to use which approach?
Those cross-domain resources are not maintained by me. I have no way to control their ways to provide resources. Also at least one of the resources does not support CORS. At this moment I config a proxy to handle those call.
When it comes to interacting with cross domain, you options are using either CORS or JSONP if supported by target server.
In case not the only viable option is to proxy the request through your own server.
You can make everything proxy through your server but that would require effort and time to implement.
I don't see any harm in doing the normal CORS or JSONP way for server that support it and use the proxy approach when the underlying infrastructure does not support it.
Google App Engine currently limits you to 2,000 emails per day (for free) via their API.
I am trying to find a definitive answer if it is possible to use a third-party system if you need to send more. I know that they disallow raw sockets, so I would assume that there might be trouble with this approach... but surely I'm not the first to see it.
Worst case, I can build a simple offsite web service that my GAE can call... but I'd much rather just be able to send directly through an SMTP server.
Thanks!
Nope.
You're correct: you cannot make raw socket requests, nor any other direct outbound requests except through the urlfetch API. To talk to an external SMTP server, you would need to use a webservice as a proxy.
We use the Postmark mail outsourcing service via the hutools.postmark API. Since the communication is HTTP based, it works like a charm on Google AppEngine. This might be an option for you, although it is also a for-pay service. We use it to get arround GAEs sender restrictions.
I've successfully used third party providers for email services with Google App Engine. I've used both SendGrid and MailGun using their HTTP-API.