I have a phonegap app that uses jquery to post to a remote server, running on Google App Engine.
What's the best way to ensure that only my phonegap app can post to this remote server? I've been scouring the web for an answer but can't find anything concrete.
Normally I believe you'd check the referrer to ensure that the request is coming from a whitelisted domain but in this scenario there is no domain because it's a phonegap app.
This question is similar but it's gone unanswered:
Security issues with phonegap remote server access
You can't. Any request that your app can make - including whatever authentication credentials you care to embed in the app - can be generated by a third-party. The most you can do is obfuscate, by embedding secrets in your app, but a clever user can extract these.
A better option would be to authenticate the user, rather than the application.
Related
I am writing a web application using Google App Engine, and to promote it (and give more information about it), I will also have a web site. For ease of deployments, it makes sense to have the web site separate from the application itself. I would like to be able to make changes to the web site independent of the application. I would think that making a change to the web site would NOT mean a re-deployment of the application.
I would like to have a domain, and for the purpose of this question, let's call it www.example.com.
App Engine allows for multi-tenancy, and it makes sense to use sub-domains. For this question, let's assume www.org1.example.com / www.org2.example.com, etc.
Given this scenario, how is this done in the enterprise world on GAE? Do companies:
have the web site and application all as one?
use their hosting provider to redirect sub-domain requests to their application?
have completely separate domains for the web site and application?
something else?
Thanks in advance,
If you want to be able to independently deploy the web app and the web site they need to be at least in separate GAE services/modules, which offer complete code isolation.
Yes, it's not a problem to have the separate services mapped under different subdomains of the same domain. I'm not very sure if it'd work with the sub-domain split you proposed and with wildcard SSL certificates. From App Engine support for SSL certificates:
Wildcard certificates only support one level of subdomain.
So I didn't even try such subdomains. But I am using a wildcard certificate like *.example.com with subdomains like these, each mapped to a different service:
www-org1.example.com
www-org2.example.com
I'm also using a dispatch.yaml file to route each domain to the respective service.
Now about the multi-tenancy, I'm unsure if it's what you actually need, because it's offering just data isolation, not code isolation. You still need to address code isolation if you want to deploy them independently. From About multitenancy:
Multitenancy is the name given to a software architecture in which one instance of an application, running on a remote server, serves
many client organizations (also known as tenants).
I am trying to figure out whether to use Google App Engine or other available PaaS. During my research, I am trying to figure out if a particular website using google app engine or not - Is there any known method to figure this out ?
Sorry for the basic question, but appreciate any help. Thanks.
You can recognize a GAE-based site based on the server's domain:
*.appspot.com - default domain of standard GAE apps
*.appspot-preview.com - default domain of newer flex GAE apps
custom domains mapped to ghs.google.com or ghs.googlehosted.com. See step 5 in the Adding a custom domain for your application procedure and how does ghs.google.com work?. Note that I'm unsure if this doesn't also apply to other Google products, not only to GAE.
There may be other such domains as well.
You can also check the Server header in the responses coming from the site. From Headers added or replaced:
Server
Set to Google Frontend. The development server sets this to
Development/x, where x is the version number.
ping the domain and if you have something with ghs.googlehosted.com:
PING ghs.googlehosted.com (216.58.213.147): 56 data bytes
It's a GAE application. You can also check the headers in requests from your browser's dev tools.
I'm building a REST APIs in Symfony2. The idea is to use these apis from a angular web app and a mobile app. Authentication is required to use the APIs.
I thought in the following possibilites:
Separate Symfony and angular in diferent projects:
The URLs under /api would use OAuth2 to authenticate user (FOSOAuthServerBundle). Both web and mobile app would need to use an access token.
Include angular inside Symfony: In the web app the users are authenticated using a symfony form, and therefore no need to protect the urls under /api with OAuth2. But how would authenticate users from the mobile app?
Please, any help is good!
In short, what I need is that the APIs can be used from two clients: web app and mobile app
Thanks!
I'm currently studying and suffering from the same problem and so far the best option I've seen is to keep the projects separate. If you include angularJS in your Symphony project, you will end up using resources that Symphony provides that you won't be able to replicate in the mobile structure. By detaching the server with the client completely, your Web App built only with Angular will be more similar to your mobile app, mimicking the stand-alone application mode.
Personally, I chose JWT Auth since it doesn't require 12 tables in your database, but using OAuth2 would have similar result.
Is always better to choose some solution that is already tested for many people and is used by them. So, I think is better you to use the OAuth technique, so you can consume your api from mobile, web and every other technology.
If you will join the API and WEBApp is up to you. because REST use no session and every call is a new call that you need to check and block or respond. I have an app that has an Codeigniter API and an AngularJS APP in the same project, but thoose does not share any exclusive thing as sessions.
I built e-commerce with FOSRestBundle, HWIOOauthBundle and FOSUserBundle
From server side, generate accesstoken and authenticate via api/login/ api/login_check/
write your security.yml routing access
From client side, call your api. It should render 200 or 403 HTTP_Code.
How do I ensure that only a specific Google App Engine project can communicate with another web endpoint located in an other GAE Project.
I want to lock communication between App Engine Projects.
What would be the best way to accomplish this ?
The best way would be to make use of the request header X-Appengine-Inbound-Appid within your App Engine web endpoint application to assert the identity of your specific App Engine app that should be allowed to communicate. This header is added to the request by the URLFetch service and is not user modifiable.
Detail documentation can be found at https://cloud.google.com/appengine/docs/python/appidentity/#Python_Asserting_identity_to_other_App_Engine_apps
Not tested, but I thought application itself is admin, so how about like this?
Add login: admin to all handlers in app.yaml
Go to Google Developer Console, project -> Permissions, then Add project account which you want to communicate with into service accounts.
I hope it works.
I'm trying to develop a Windows Phone 8 app. I've created a Web Site in a Windows Azure account which is an MVC 4 project with REST endpoints. I've got an SQL database in Azure to store data from the Azure Web Site. Ocassionaly, I want my application to send PUSH notifications to mobile phones. So I've created a Mobile Service and I've linked the SQL database with the Mobile Service's database in order to have got the same data for the web page and the service.
I though that when I send an HTTP POST to the web site, the script in the database from the Azure Mobile Service would be launched but it looks not to be true. Isn't it? Because of that, I would write in the controller of an HTTP POST endpoint the code to send the data to the Mobile Service endpoint in order to launch the JavaScript code to send the Push Notification.
Is that the right approach for my goal? Is there any way for sending PUSH notifications from an Azure Web Site or it is only allowed from a Mobile Service?
My last question: Do you know any books or blogs about development in Windows Azure? On the Internet there is lots of documentation but principally those are get started tutorials. I've read some books but those are really complex, boring, and not really practical.
As your website MVC4 based and is running on Windows Azure using SQL Database as backend, I will guess that it is based on ASP.NET and i will write my suggestion based on that.
Now about your question "Is there any way for sending PUSH notifications from a Azure Web Site or it is only allowed from a Mobile Service?" I would say, Azure Mobile web services are designed for the same purpose for any service running on Windows Azure to send push notification on multiple of platforms. Application developer can choose to use Mobile Services to expedite their development as well as have multiple application using the one single service for such objective.
However as you mentioned "Is there any way for sending PUSH notifications from a Azure Web Site" this is not depend on "Azure web sites" instead it is depend on what development technology you are using with your Windows Azure Application. For example in ASP.NET your can use SignalR implementation if your application is based on Java, PHP, Python, Node,js etc then you can find some other run time specific real time implementation. If you look around for websockets you will find implementation in almost every popular language or look for comet programming on this regard. Not only that you can use some of the popular 3rd party applications for this purpose as well. i.e. pusher or any other.
While Windows Azure Mobile Services will give you the best results on Windows Azure platform as it is designed to provide such specific functionality for applications running on it.
Recently released: Azure Notification Hub
http://msdn.microsoft.com/en-us/library/windowsazure/jj927170.aspx