How to secure Node.js connect-rest REST API with OAuth? - javascript

I tried Googling around for some examples, or well anything, but couldn't find any results. I think partially because the name of the package "connect-rest" is so generic.
Anyway, here is what i'm looking to do. I am using the Node module "connect-rest" to build a server side API. It is mostly finished at this point, and i'm now looking to secure it. Now the module itself has a system of authentication with API Keys, which is well and fine, but not very secure for Javascript clients, since anyone could just browse the source and grab the key. And trying to secure a key -- well it just doesn't work without getting super complicated.
So instead i'd rather use a standard OAuth setup. I was hoping to use Passport in combination with connect-rest and wondering if anyone has done this before or point me to some examples?

I found exactly what I needed with OAuthorize: https://github.com/jaredhanson/oauthorize which is written by the same guy as Passport.

We used the following guide for our own learning when we started a similar process: http://scotch.io/tutorials/javascript/easy-node-authentication-setup-and-local
Also take a look at MeanJS. It has a built in authentication/user system.

Related

meanJS with Java backend

Me and couple of my friends want to do a web application and eventually we want to write in 3 different OS for phone applications, I am insisting to use meanJS for the front-end but since it is a full stack framework I am not sure if we can use Java for some background features:
1) How efficient and safe it can be? Specifically; if we use meanJS with Java, we will choose to use MongoDB to save some profile information(front-end) and save some information that our Java feature needs - how safe is the connection of the back-end Java feature to MongoDB? Please explain with specifics.
2) Is Node.js a good way to make this web application? or Should we just use angularJS for front-end and Java for backgend with SQL/MongoDB and save all the information(includign profile information) in the backend part and make the communication between angularJS and Java through Tomcat server? Please explain with specifics too.
If you want to use Angular and MongoDB in your application, that is fine, but its not a MEAN stack if you're missing Node+Express.
1) Can't comment on this, never used either.
2) It's hard to say if Node is good for your application without knowing what your application is. It may be the best choice, it may be the worst. In the end, if you're not sure, go with what you're most comfortable with. The stack you explained is definitely possible, and if you feel like you can pull it off, then go for it.

Confusion regarding implementation of token based authentication [Node js Express js]

After all the research on authentication methods related to nodejs and express js, I am standing in no man's land.
By far the easiest session related tutorial I have come across is this.
https://codeforgeek.com/2014/09/manage-session-using-node-js-express-4/
I am using mean stack and this is what I really want to do. The user when logins will get an authentication token that will be saved on the client side and then before every page reload a call will be made to the server to check if the user is authenticated or not.
Here comes the tricky part.
I am using the server to work for Computer - that is angular based system and cellphone which is based on android - an android application.
In short that means a user may login using his computer and cellphone as well (using the application) at the same time.
How to implement this is still a mystery for me. Please direct me to some tutorials or gits which will explain this things in simplest possible means.
Please don't respond with passport js only because I have failed to find anything meaningful there, or maybe it is possible that I am looking at the wrong place.
I am new to all this that is way this problematic.
Thanks for your help.
The most reliable way to implement the token based authentication is to use oAuth2.0 which also involve use of passport JS
Here , use this example as a reference point for implementing the token based authorization
http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/
This sample code have fully functional OAuth2 server done with just a little bit of work. it uses OAuth2orize library that makes building server very straightfoward.
As you have mentioned that you are using Angular and NodeJS and want to implement Token Based Authentication.
I would suggest you use Satellizer.
Also you can find NodeJS implementation over here:
NodeJS Example.
My answer is for all the beginners out there. I read something similar in facebook's node js group and I think the problem I am facing is not unique.
The passport js which is very famous just works as a middle ware and if you have to include options like google authentication, facebook authentication etc. this is very useful as most of the work is already done and your middleware work is handled by this module.
But if like me you are searching for something simple and all you want is a proper authentication system with database then this might not be necessary, this = passport js module.
You are surely depending on one more module which is complex as well, if you want to implement token based authentication. In the end if you are handling all the authentication work in the middle by yourself, why should you use a module as well which increases complexity in the end.
I even took suggestion from other node js developers who have worked on this for good amount of time and they think it is okay to head without passport js if you are ready to work with middleware yourself and you don't need fb etc. authentication.
I hope this will help others who are new to all this.
Since the question referred to my article directly. Here is the token based implementation using Node.js as the answer.
https://codeforgeek.com/2016/08/token-based-authentication-using-nodejs-rethinkdb/
Hope it helps.

Is it possible to retrieve data from parse.com using objective-c and show it in website?

I have an iOS app in which I use parse.com as backend service. Now, I hired someone to do a website interface using HTML and CSS. I want to share the same data between iOS app and website, I know parse.com offers me a few ways to do this, including creating a javaScriptapplication. The problem is, my programmer doesn't have any experience in JavaScript, nor do I.
My question is: Is it possible to use what I have (objective-c, xcode) as far as retrieving data from parse.com and showing on website? Even if I need to code something new, is it possible to use objective-c together with HTML and CSS?
Thanks.
Parse has several APIs, one of which is REST. Your web developer should use the REST API to get data from Parse
https://www.parse.com/docs/rest
If there is will there is way, but you'll be making something really specific to your use and will be non standard and will be immediately hard to maintain, I recommend that you hire another developer and do things properly using the technologies given to you by parse !. if the cost will be high now I can promise you it'll be much higher if you went the path you're going to now.
So my answer is:
Yes, everything is possible and no, don't do it ! :)
Edit: Added an example to a possible way to do it to actually answer OP's question.
Example case:
1-Create a simple Mac Application in Xcode that fetches data exactly like you do it on iOS, and store the needed data into a database of your choice on your server
2-You now have access to the data you needed from parse, but on a local mirror. you will need some tool to fetch that data though, I recommend a simple PHP script.
Note that this will require an OSX server to always be running to fetch that data, you'll also need of find a way to fetch data on demand when a user needs it Vs. polling at specified intervals, this will hardly scale and will be costly as I said.

Spoofing an API with SinonJS?

When developing an API (in my case an API that wraps around a websockets service), is there a good way of giving it's skeletal implementation to another developer so that he can work independent of me? If my API is still in the design phase for example, I'm thinking that I could give an outline of the methods that will be available and all the possible return types.
I realise that I could just give him a dummy object with all the methods inside but it would be great if that dummy object could be tied in with his unit tests and so on.
I've been looking at [SinonJs][1]: http://sinonjs.org/ and in particular at the Stub functionality it provides. However I am not sure if what I've outlined here is an appropriate use of stubs.
Any advice appreciated!
EDIT:
I guess this question should of been:
'How to write unit tests using Jasmine, Sinon and a mock API'
It was a bit of a silly question because it turns out that Sinon actually has it's own 'fake server' which is very easy to use. In ignorance of this my first idea was to mock or spy on XHR stuff.
The code I ended up with is here: https://gist.github.com/james-gardner/11405316
See 'DummyViewSpec.js' for examples of the fake server stuff. Edits welcome!
If you are asking about an easy way to have a web app (or other REST) API up and running - http://flatironjs.org/ might be a good option for you. It's full JS stack both on the server (node.js) and client. However, you can do an API mockups with any other routing library (search npm - there are A LOT of them).
I hope it helps.
There is a tool to mockup the whole APIs using schema and random data with types
https://github.com/homerquan/kakuen
I created and used it to inject dependance of api

Hiding unique API keys in webOS (Enyo/JavaScript)

How do I hide my private API keys in/for my webOS - Enyo based apps?
My development has basically come to a halt because of this issue.
Since webOS Enyo (as well as Mojo) is coded in Javascript, any user can plug their device in and easily view my source code. So obviously I can't just stick my keys in there. Even if they are encrypted, my app would have to include the mechanism for decrypting them to make any use of them. I'm looking to hide my private web service API keys (mainly OAuth Twitter, Facebook, Google, etc.) and maybe my AWS private keys.
So far the answers I found have stated that you can't secure anything like a private API key in Javascript. But all of those discussions have been dealing with web applications which have easy alternatives to using Javascript. webOS apps don't really have a pretty alternative to coding simple apps in Javascript.
The only path I see possible is to create a proxy that all of my API calls would pass through. Is that the only feasible or ideal option? If it is, would node.js do the trick for me here?
Any leads, resources, examples, tips, etc. would be greatly appreciated. I feel like the answer should be starring me in the face since so many apps connect to these services nowadays, but I have had no leads. Thanks.
No application of any kind that has client-side private keys like this (other than one that is entirely server-wide) is safe from prying eyes. This is true of a compiled C++ app for Windows too. If the application is going to use the private keys directly, then they're in the code or available to the code. Prying eyes can find them. Yes, Javascript might make the code a little more accessible, but this not a problem that's new to webOS or Javascript apps. If Enyo was a PC/Mac cross platform tool, wouldn't you have the same issue with your Twitter keys?
Usually, what is done is the keys are put in some sort of storage mechanism at install time. On a PC, that might be the registry or some config file. Does webOS have an install mechanism? It looks like they have HTML5-type storage - can you store them in there at install time. They won't be hack-proof (nor would they be on any other platform), but they also won't be lying in your Javascript code either.
The other solution to this is to require your developers to get their own keys to public services like Twitter rather than everyone using your own. That keeps you from risking your whole platform when there's one bad customer.
If I've misunderstood your situation, feel free to clarify and help me understand better.
My feeling is that having a proxy is a great idea. The proxy gives you additional benefits of adding user authentication and other functionality without changing the client side.
Take a look at the Key Manager service, which you can use to store your keys without having to code them into your JS files.

Categories

Resources