Accessing Amazon RDS from javascript - javascript

I'm interning for a company and have been given an assignment. I'm to write a Javascript script (it's for internal use only; security is not a concern) that accesses an RDS database on an AWS instance, grabs a list of email addresses, and uses the server's smtp to send emails to the whole list. The problem is that I know nothing about AWS and RDS. Here are the things I was provided:
--Server address, port, and credentials file of smtp server
--Address of AWS DB, and its username, password, database name, and table
--The company's server url, security key, and I was also given SSH and SCP commands.
Where do I start learning how to do this? I feel like it's within my grasp, but I just don't know the overall process of what I need to do to get this information. I've never used SQL or RDS before. Any direction whatsoever would be appreciated!

Try to break the problem down into chunks:
Write your Database Query as SQL
If the RDS database instance in question is publicly available, try to connect to it with your preferred (GUI?) SQL client, and inspect its tables. Figure out how to write the SQL query you need in order to grab the e-mail addresses you'll need in the next step, e.g. select email_address from users where user_type='Internal'. The w3schools SQL Introduction is a good place to start.
If the RDS database instance isn't publicly available (i.e. if you can only connect to the database from within AWS - from the server on which you plan to run your code), then figure out how to log in to that server using SSH or RDP, and then use a database client on your AWS server to write and test your SQL query.
Check first that you're not logging into a production machine that you could break by mistake.
Use a Server-Side program to run your SQL query
You must then connect to the RDS database instance using some code that runs server-side. If you're using a server-side JavaScript environment such as NodeJS, this is fine, but whilst it's potentially feasible to use JavaScript directly from a browser to connect to a database, it's not good practice, even for your assignment, so make sure you're using some server-side code.
Find out what your company's usual platform is (Java? Python? PHP? NodeJS?) and go with that. Search the internet for example code - you'll easily find some, because querying a database is an extremely common programming task. Since you've already got your SQL query, you'll be able to write some simple code that connects to the database and grabs your desired email addresses. For now, just have it print them out to a log file or to the console.
Send a test e-mail
Separately, in your server-side program, figure out how to connect to your company's SMTP server and send an e-mail to yourself, as a start. Again, search the internet for examples in your chosen programming language.
Once you've done that, define two or three e-mail addresses in an array or list, and figure out how to send the same message to these users simultaneously.
Connect your Database Query Code and SMTP Code
You're able to query the database, and you're able to send an e-mail to multiple users. Now add to your code to join those two functions together. Don't spam everyone in your firm and get yourself fired!
You mentioned JavaScript
Make sure you are clear about the requirements of your assignment. Should the program be started from a browser? Does a user need to click a button on a webpage saying 'Send Email'? If so, figure out how to submit a request to your server to have the server-side code execute. Search the internet for examples of POSTing HTML forms from JavaScript.
Good luck!

Related

Sending HTTP messages to a specific client connection/web session using cURL/NodeJs scripts with SSEs

Hi so first I apologize if my query may seem unclear, it’s first trying to do what I’m doing and I haven’t full idea around the intricacies and lingo lol.
So basically I’m running a NodeJs web server with React handling my front end. I’ve got Express to help manipulate user sessions and I just came by Server-Sent-Events as a way to send one-way messages(which is what I need to do). So far I’m able to send updates and messages via cURL on the terminal and running JS scripts, however these updates/messages go to every active client session but I want/need to be able to send these messages to specific active client sessions/connections.
Example: 5 client connections are established (session IDs A,B,C,D,E), now I want to send an alert message to session E only and manually.
I’m still green with NodeJs/Express and the concept of SSEs however I’m learning as I go for this pet project.
Send help
What you want is how SSE works. It is a dedicated connection between a client and a server process.
however these updates/messages go to every active client session
If that is what you see then your node script is running the exact same code for each client.
I think your question might be higher up - how to organize the data messaging? That is too big a topic for a single StackOverflow question, because it will depend on so many factors specific to your use case.
But one way would be to have an SQL database, with one record for each user. The node script polls that database table and if the record for the current user changes, it sends the new data to them. Then to send data to user E, you just edit the database record for user E.

How to implement a client to server connection that is secure and syncs

I’m struggling to understand how the pouchDB interactions should be implemented. Say I want an offline-first app with syncing and auth, would I need to implement a middleman such as a node server to ensure my credentials to my main server are protected as having a PouchDB on the client with new PouchDB(‘name’, ‘https://username:password#server/dbname’) my creds to my main database are exposed. Would it be better to connect to a node server and that decide wether or not to allow access?
How would this be done? Can I handle a direct connection to the server with auth and it be secure? Or is a middle man needed to ensure security.
If a middle man is needed will you need to implement a sort of api i.e
//client
const db = new Pouch('days')
db.sync(remote)
//server
app.get('/db/days', (res, req) => // do some pouch stuff for each db)
https://github.com/pouchdb-community/pouchdb-authentication
Somewhat simplified, if your application is backed by an application 'master' database and it runs using a single set of credentials, you need a middle layer: you will then need to multiplex all users' data into a single database.
Applications backed by CouchDB/Cloudant often instead use the 'database-per-user' pattern, meaning that each application user have their own database, and their own credentials, meaning that a lot of things become simpler, conceptually, and a middle layer might not be required.
Note that the 'database-per-user' pattern needs some thought to scale well if you intend to cater for millions of users.
On Cloudant you can also use API keys to define access.
If you want the simplicity of the db-per-user pattern without (some of) the drawbacks, you may be able to draw some inspiration from Cloudant Envoy (https://github.com/cloudant-labs/envoy) -- a thin proxy that multiplexes users' data into a single db, whilst still presenting the db-per-user API surface outwards. Disclaimer: I'm one of the authors of Envoy.
Another approach that I use depends on crypto-pouch (https://github.com/calvinmetcalf/crypto-pouch) to encrypt all of your databases on the client. The first time the site is visited, username/password is required to access a cloud couch instance and get things installed on the client.
During this process, a pouchdb database is created on the client for each possible user (retrieved from the cloud couch instance), with each database encrypted with the user's password, and in each database is placed a single document that contains a master password. In addition to these user databases, the 'main' database that stores real data is created and encrypted with the master password.
Subsequent visits to the site whether online or offline, will require the user to enter their username/password, which will attempt to unlock the appropriate user database and get the master password, which is then used to unlock the main database. Only with the master password can the data be accessed and a sync performed to the cloud instance.

Restrict the registration for a machine C#

I have a web application that has form based authentication.
the application has registration functionality also. Since last few weeks, i have observed that some users with specific domain is making fake entries into the website and getting the benefits as We do not have any approval workflow.
this user either do it manually or run some script. We thought that we can restrict the registration process as per IP based, however this is not possible to get the visitor exact IP address using C# (please correct if i am wrong).
Can we do it using some other techniques. our requirement is - single registration from a machine per 2 days.
unfortunately I would call this mission impossible.
Idea 1: IP address. The user can use a proxy to register multiple accounts depending on how many proxy he can find (there are a bunch on the internet for free)
OR they could just fake the ip package by putting a random ip in the header. Since all they need is to register so it doesn't matter if the confirmation message was sent to another random guy
Idea 2: one registration per machine. I could fake as many machines as I want with virtual machine and you will have no way to tell from http request.
Alternatively I could just fake all the information with raw http request and I can do that with a script with no issue.
And from what I know you don't have the system right to read hardware id from js (correct me if im wrong)
No method is guarantee to restrict 2 registration per day but IP based method should work against most normal users. Do keep in mind that everyone using the same router could have the same IP (example school, public wifi in apartment)
You could find out the user's IP address within HttpContext object
Whatever your restriction would be - it will be based on the data the browser sends (as long you restrict a specific computer).
Your main desire is to create a "footprint" on that machine in order to use it later - per request.
Whatever your manipulation would be, you should also obfuscate your JS code.
for example, on pageload code you can request for httpheaders dedicated to that machine and save them in cache, then you generate a guid for the client which it suppose to use in order to register.
another option is to use AES to encrypt the data before sending it "on the wire", that way you won't be able to manipulate it.
the most important thing is that once you "drop" a js code on the client he can do whatever he wants, the question is how hard it would be.
**edit:
a more secured way but more complicated that i have once used is creating a sync-key.
an async ajax call to the server requesting an encryption key.
the server call will save the new guid-key in memory and will generate a new one for each request.
you can use this idea to keep track of user debug and browser behavior.
as debuging will hold the code from running the sync key will be change and you can "catch" him.
Neither cookies nor IP can protect against fake entries.
You should look at it from another side. You get unwanted entries and you don't know if it's an automated bot, or spammer, or someone who just doesn't care about your data. Instead of banning entries you should think how to validate them. For example, if you get "aaaaa" as a name and "bbbbb" as an email address - add, at least, regexp validation on client and server side to ensure you get data in a required format. Next level would be to verify the email address by querying the mail server or sending validation email. This will not only help to stop spammers, but also people who doesn't care. If you think it's an automated bot - add a captcha. In case of emergency - ban IP in the web.config (See ASP.Net How to limit access to a particular IP address to a particular page through web.config file (.htaccess similar)?)

Can I make Google Drive Spreadsheets act like a MySQL database?

Can I use a Google Drive spreadsheet as if it were (similar to) a MySQL database?
I'm thinking of using it as a player database for an HTML/JavaScript web game. The player's username, password, and score among other things would be saved in the database. It would be really interesting if it could actually work, however it of course has to be secure and private so that no player (or anyone on the internet for that matter) can access it except the owner of the spreadsheet which would be me for example.
I know that Google Apps Script allows a user to access their own spreadsheet and read/write to it, but is there a way that I could allow other users to "save their score" to MY spreadsheet WITHOUT giving them permission to view/edit the spreadsheet directly?
Also, i'm assuming PHP/Python/some other server-side language would have to be used in order to hide my account info which I also assume would be needed to open and close the connection with my spreadsheet.
Anyways, I'm just wondering if this is feasible.. literally turning a Google Drive spreadsheet into a database that players can update their score to but not have direct access to it.
This may be a stupid idea, so your opinions are welcome!
Thanks in advance!
This is the right way to do it.
Another post explaining the same idea.
Essentially, we publish the spreadsheet and query it using a "select"-like syntax. For instance:
this query which reads something like:
https://spreadsheets.google.com/tq?tqx=out:html&tq=select+B,C,I&key=phNtm3LmDZEObQ2itmSqHIA
This is for querying data (reading). For inserting, you can use google forms (create a form, see its html and submit using a http post request). I have not explored update yet.
And yes, this has to be done server side.
Answers saying you need an extra server or oauth are incorrect.
Just publish an appscript (anonymous public) service using your permissions. For all operations always pass the username and password thus you validate users on every call. Call the service from client js using ajax.
Store it in scriptdb [update: scriptDb is deprecated now]. If you use spreadsheet for storage it will get slow with many rows.
In any case it will be slow if you use appscript.
Without a server-side service that implements another authentication layer for client libraries and use Google auth to talk to Drive, this is not possible.

database entry through javascript

I'm need to know can i connect db through javascript? Actually, the last action where i end is done through javacsript. Now, i need to make some entries(extracted through javascript) in the database where last action stops. How can this be done?
The answer depends on where the Javascript being run.
If you're asking about Javascript running in a browser directly accessing a database on a remote server then the answer is no. The best you can do is create a web service which updates the Database and call that via an XMLHTTPRequest object from you JavaScript. You would need to be very careful about what you offered via such a web service. If you allowed any SQL statements anybody could connect to your service and run DELETE FROM customer; or insert new user records or do anything ghastly.
If you're running JavaScript through the Windows Scripting Host via CSCRIPT.EXE or similar you can create ODBC objects and access the database that way.
If you're running JavaScript on a JVM I think you can use JDBC.
If you want to give more details I can be more specific.

Categories

Resources