Currently making an web application for our users to access and edit a database
We only have one connection to this database and can't make more, but we also can't give this one credential to any of our web app future users.
The idea is to create another security layer in the application using windows accounts
Pseudo code :
db = "dbconnection1"
dbuser = "admin1"
dbpassword = "123456"
enabledWinUsers = { "winUsr1", "winUsr2", "winUsr3" }
winusr = aplication.getWinUser()
if winusr in enabledWinUsers :
db.connect( db, dbuser, dbpassword )
The database logic and connection will all be done in Python, for now, and the app in Javascript/Jquery
Question is, is it possible to secure this code or the db credentials in any way without setting up a service like Node.js?
I do have full access to the server machine running the web app
Well you can encrypt the user credentials in your source code and decrypt them from your source code. Another option is to set the credentials as environment variables
Related
I'm trying to test out if PHP works from my Firebase hosting using the following:
(index.html)
<form action="welcome.php" method="post">
<input type="submit">
</form>
(welcome.php)
<?php
$to = "my#email.com";
$subject = "My subject";
$txt = "Hello world!";
$headers = "From: dummy#email.com";
mail($to,$subject,$txt,$headers);
?>
Every time I try this the browser keeps on attempting to open the PHP file rather than processing it. Is simple PHP enabled on the Firebase server hosting to process a simple form like this? If I can get it to work this way, I will be building the form out correctly including validation etc.
Thanks,
From the Firebase Hosting site (emphasis mine):
We deliver all of your static content (html, js, images, etc.) over a secure SSL connection and serve it on a CDN.
Firebase Hosting is for hosting static assets. Firebase currently doesn't offer any way to execute your code on Firebase's servers.
Update (2018-08-08): You can now run Node.js/JavaScript code but connecting your Firebase Hosting project to Cloud Functions + Firebase Hosting. But that still won't allow you to run PHP code.
As per the latest update firebase has started using Cloud Functions
Cloud Functions for Firebase lets you run mobile backend code that automatically responds to events triggered by Firebase features and HTTPS requests. Your code is stored in Google’s cloud and runs in a managed environment. There's no need to manage and scale your own servers.
For more : https://firebase.google.com/docs/functions/
There is no PHP but nodeJS available for server-side scripting ...
Google Cloud Functions are written in JavaScript, and execute in
a Node.js runtime.
Mandrill also supports nodeJS and it features a Webhooks API.
Therefore, one can require that node module within these "cloud functions" and "web hooks" ...and then post with a HTML form onto them.
There would need to be a few HTTP cloud functions defined on the Firebase Console, in order to let them subscribe, unsubscribe and manage their subscriptions. One could even generate the HTML markup for the input form with cloud functions and then attach it. As an example, not tested and no guarantee included:
const functions = require('firebase-functions');
const mandrill = require('mandrill-api/mandrill');
var client = new mandrill.Mandrill('YOUR_API_KEY');
/* TODO: add the user on Firebase, respond through the API */
exports.user_add = functions.https.onRequest((req, res) => {
});
/* TODO: change subscription settings on Firebase, respond through the API */
exports.user_edit = functions.https.onRequest((req, res) => {
});
/* TODO: remove the user on Firebase, respond through the API */
exports.user_remove = functions.https.onRequest((req, res) => {
});
/* optional: generate the HTML markup of the form, send HTTP response */
exports.markup = functions.https.onRequest((req, res) => {
});
One can bind the events of Firebase Auth, to keep two user databases in in-sync (this is not required for Mandrill, but required for MailChimp - no matter whether using the PHP or nodeJS wrapper):
exports.on_user_create = functions.auth.user().onCreate(event => {
const user = event.data;
});
exports.on_user_delete = functions.auth.user().onDelete(event => {
const user = event.data;
});
Firebase on Websites explains it, while there is a Local Emulator for Cloud Functions.
You can play around with any of these: Angular, Ember, Knockout, React,
Node JS. The same thing you PHP code does you can make happen with pretty much any Javascript technologies - just no dynamic language. Also another way to do it is to used an online form providers like Jot Forms or others. You can create and style the form withing you online form account then simply add it to you site. Then when user post it will post to the form. As a result you have a centralized environment not only for you current site but for any others down the road. You can create a web service and post values there - then do whatever you want with them: save them to the database... Otherwords have another server that handles all those things so you can just call it from Firebase hosted sites. Hope that helps
PS: I am currently building a product that is a simplified version of Online Forms to be used on Firebase websites. I am planning to have a few people using for now so if you would like you can email me and I will create an account for you to use it. As long as there is no abuse like sending a bunch of emails - you will be fine!
I would like to use Firebase Custom Authentication in my Angular app. This action is realy simple:
var FirebaseTokenGenerator = require("firebase-token-generator");
var tokenGenerator = new FirebaseTokenGenerator("<YOUR_FIREBASE_SECRET>");
var token = tokenGenerator.createToken({ uid: "uniqueId1", some: "arbitrary", data: "here" });
But there is a warning about security of Firebase Secret in the doc page:
Firebase JWTs should always be generated on a trusted server so that
the Firebase app secret which is needed to generate them can be kept
private.
I am wondering how can I keep my Firebase Secret private if everyone can view my JavaScript source code and read the Firebase Secret there? Am I missing something or there is no possibility to do this in JavaScript?
The code you quote is to be run on the your nodejs server (hence - server-side javascript).
The server component FirebaseTokenGenerator takes care for generating the token and sending it back to the JS client, after the client has authenticated to your server, with whatever method you want. That's why it's named custom authentication.
I see that a lot of people are using this module for using Node along with a mysql database: node-mysql
In everything I read people are storing their passwording and usernames in plain text in the js file. Javascript files can be read pretty easily, so isn't this a terrible thing?
Here is the connection code in the docs:
var connection = mysql.createConnection({
host : 'localhost',
user : 'me',
password : 'secret'
});
Am I missing a piece of the puzzle that disallows people from viewing your JS file on the server in plain text, password fully available?
It is not possible to store your password in a mysql connection with an encrytion. But you never should enter your password in a file which is send to the PC of a visitor. All files which contains login credentials or something like have to been saved on the server.
If you want to show some mysql contents to a visitor you can realise this with a small api which has to be programmed in js/php.
But if understand it right, you only want to run this javascript in a commandline with nodejs. Then you have no other solution as to store it without encryption and don't give the access to this server to someone else.
I'll typically have the app prompt you for the mysql password upon startup. This keeps the password out of a file on the server. You could also pass this as an argument to the script or set an environment variable.
Keeps the password off the filesystem but doesn't allow you to have the app autostart... it's a tradeoff
I am planning to run an app in GAE that initializes the Facebook login sequence in Javascript and passes the access token to a Python script to do server-side work. The javascript looks something like this
// Additional init code here
FB.login(
function(response) {
if (response.authResponse) {
var access_token = FB.getAuthResponse()['accessToken'];
console.log('Access Token = '+ access_token);
What would be the easiest way to pass access_token to a Python class (say named fbProcessor) that is imported in main.py?
Since the javascript is executed on the front end (client's browser) you can't really "pass" the access_token to python. You COULD make a http (AJAX) request from javascript to your python app with the access_token.
I think that if you are making a request to python you could just use facebook's python SDK to retrieve the information (including access token) for the current FB authenticated user... IDK the benefits of either way
the python facebook SDK has google app engine example's
If you are using the module within a web application with the
JavaScript SDK, you can also use the module to use Facebook for login,
parsing the cookie set by the JavaScript SDK for logged in users. For
example, in Google AppEngine, you could get the profile of the logged
in user with:
user = facebook.get_user_from_cookie(self.request.cookies, key, secret)
if user:
graph = facebook.GraphAPI(user["access_token"])
profile = graph.get_object("me")
friends = graph.get_connections("me", "friends")
You can see a full AppEngine example application in
examples/appengine.
I've created a project in Node.js, users are able to create a 'room'. Users login via a html form which submits their details as a HTTP request. The server then adds a token to their session 'req.session.auth = true'. I want to broadcast socket messages to users where their .auth token is true.
Question:
how can I access session information outside of a HTTP request? whilst using (if correct):
var MemoryStore = require('connect').session.MemoryStore,
sessionStore = new MemoryStore();
e.g.
socket.on('message', function(data){
//Access user session here.
});
There are a lot of things to be said here, but they are all explained better in the following post:
http://www.danielbaulig.de/socket-ioexpress/