I have made a simple password protected webpage that provides the link to another webpage when we enter the correct password but we can easily have the webadrress of other page by browsers "View Page Source" feature.So how we can overcome this?
The problem is that you are keeping your secret data on the client and client can easily reach it. So, the only posible way for you is to keep them on the server. But, as far as I understand you need help with server part. So here is small instruction with links to the documentation.
You will need:
Some backend that will take data from your users and returns some responce. I would suggest you to have a look into Node.Js as a platform with Express as a server. Benefit from this setup is that Node.Js uses JavaScript so you have not to learn additional language, and Express is a very simple server to use. Of course, if you want to learn some other languages - you can take C# with ASP.NET MVC framework, PHP or any other nice language.
Some page with form for user's credentials that will post data to your backend. Basic form behavior can be found here
And some code on server that will validate credentials from form and return new page with or without your secret.
That's it. May be it sound a bit scary but there are lots of guides and information your can google.
Hope this helps. Happy coding!
Btw, if you are lloking for the some ready code, I have Node.JS client/server example with TypeScript (JavaScript with type validation) here. All you need is git, hope you already have it, and Node.Js
Then just execute this commands on your console (bash, cmd, etc)
git clone https://github.com/Drag13/typescript-browserify-template
This will download code from remote server to your local machine
npm install
Installs project dependencies - like express server
npm run server
Starts the server
cd..
npm run client
Starts the client
Maybe you will find this helpfull.
Related
I'm working on a decentralized p2p chat system that runs exclusively in the browser. There literally is no server to speak of. I want to persist message history, and IPFS looks like a good way to do that. However, every tutorial and example I can find requires a node.js server, React or Angular (per this)--none of which will work with what I've built.
I have identified some public IPFS gateways that I could potentially use here. But without a server hosting the IPFS api, and no html/javascript exclusive examples, how can I build this?
One idea I was going to explore was running node with express in the browser, which I've done in the past for other projects not using IPFS. But I would like to avoid that if possible.
Is using IPFS without a server hosting the page impossible at this time? What am I missing/overlooking?
I found my own answer and was able to successfully upload and retrieve a file from IPFS using js-ipfs.
One caveat is the example code in index.html at the GitHub link is referencing a local node.js module.
Simply replace:
<script src="./node_modules/ipfs/dist/index.min.js"></script>
With:
<script src="https://cdn.jsdelivr.net/npm/ipfs/dist/index.min.js"></script>
sorry to bother you, but I've been looking for answers and I couldn't find them anywhere... Well i'm a fresh dude in the field of javascript and node.js and here's my problem:
I've created an application based on the tutorial of socket.io - Here's the link to the completed project of their chat example. everything is working as it should, but I would really need to trigger somekind of a command while node server is running... command should be triggered via php script.
The command should trigger an emit event - so every client in our case would see a new message sent via php.
I saw couple of suggestions to do it from another server with php/using cURL. The problem is that I don't know how to fetch POST data sent from php to node.js server.
Any solution to command node with php is more than welcome and again i'm sorry to bother you :)
You can use a bridge to exchange data between NodeJS and PHP. You will need to implement a PHP server that exposes remote procedures and a NodeJS client that calls those remote procedures. You can send any data to the NodeJS application from PHP using these remote procedures.
Here are a few links to get you started:
http://bergie.iki.fi/blog/dnode-make_php_and_node-js_talk_to_each_other/
https://github.com/bergie/dnode-php
I'am searching for days now but could not get an answer.
I would like to do the following:
User connects to editor.html (Apache2 with basic http auth)
User want to open a file (lets say /home/user1/myfile.txt) on the server with his user/pass (same as in passwd)
Node.js Script gets startet with user rights from above and user can edit file
The Node Script will handle the connection via websockets and read/writes files.
I think the biggest problem is that its not possible to run a node script on the server from a web page... and I donĀ“t want to involve any php/cgi scripts... only Apache and Node.js / JS.
Please also comment or answer if you know that it is really not possible...
Thanks!
Kodak
Edit: The workflow should be the following:
User access webpage -> enters his credential (same as in passwd) -> node.js script gets started with the user rights of the logged in user -> files getting read or written with user rights
Biggest Problem: who starts the Node.js script? Apache? How?
I hate to be this person, but...
That is not the way node is designed, it is designed to use the event loop, I would recommend having node serve the static files, maybe using apache as a proxy, then when someone requests a certain page, doing what ever needs to be done, if you really must spawn a child process, use child_process.spawn, as for the rights of the user, I recommend just passing in a code, like 1=admin, 2=user, 3=guest, and the child process can do what is needs.
Use Socket.io - Official Socket.IO Website
You can also use Express with socket IO to create a separate app server. - Express JS Website
You may want to consider security implications of allowing a user to connect directly using their server side account. There are also many applications available that already do this that you might consider implementing instead of writing your own, with all the properly embedded security that will be required.
Let your users GET static auth.html page (via apache) without any authentication.
Let form submit action is some auth.js (Node.js script). This auth.js check if user's authentication is success. If so it starts node.js server, setups socket.io on it and redirects user to some editor.html.
In this case as you can notice that there is an authentication based on node.js scripting. If you want basic apache2 one I can recommend you the next scenario:
There is auth.html and editor.html pages on the server. Last one placed in /private folder and direct access to this folder is denied by .htaccess. So when the user pass apache2 authentication in auth.html he GET this auth.html which is empty document with onload event handler that send AJAX to auth.js (Node.js script). Node.js get private/editor.html and send it to user like /editor.html.
In this case user never has an access to editor without passing authentication. And after authentication node.js server is started and socket.io is setup and everything fine.
I found a solution:
It is possible to write a custom authentication program for apache with mod-auth-external:
https://code.google.com/p/mod-auth-external/
With basic authentication enabled the webserver would pass the credentials to a script/program and this can then run the node app.
On the last section on Platform Security, it mentioned a way to secure the source code in PhoneGap apps.
Reverse engineering is a concern of many people that use PhoneGap since one can simply open an application binary and look at the JavaScript source code of the application. One could even go so far as to add malicious JavaScript code, re-package the application and re-submit it to app stores / markets in an attempt at app phishing. This practice could be undertaken with any application whether it is written with PhoneGap or otherwise since it is a similarly simple task to decompile either Java or Objective-C.
PhoneGap can actually get around this security concern since application developers can download JavaScript in their application at runtime, run that JavaScript, and delete it when the application closes. In that way, the source code is never on the device when the device is at rest. This is a much more difficult prospect with Java or Objective-C let alone the restrictions in the App Store around dynamically running Objective-C code.
However, I would like to know how can I prevent others to download my source code on server?
I'd suggest annotating your code and then running it through Google's Closure Compiler, which will obfuscate it and perform certain optimizations. This will make it very difficult for people to read your code, but beyond that you're just going to have to live with the fact that JS is a client side language.
How about the following pattern:
Embed a bootstrap JavaScript with your app that does enables user/device authentication against your server. Do what you can to obfuscate the bootstrap code.
Keep the main logic of your app as JavaScripton on your server (can be accessed by authenticated users)
After authentication, download the main logic JavaScript at runtime, run that JavaScript, and delete it when the application closes
Continuous upgrading follows painlessly.
I would suggest:
Obfuscate most/all of the JS code. Google's Closure Compiler is good option.
When App gets started:
Have some hashcode stored on device which needs to be verified before making a call to server for dynamic data fetch
During App startup, first push the App hashcode to server in order to verify the App authenticity and Server will check that hashcode in order to verify the legitimacy of the App
Once Server has verified the App legitimacy then Server can send another hashcode or keep using the same one. Plus server can set custom cookie parameters too...it all depends on the architecture of the App & Server communication. So set whatever is best to your needs
Once App legitimacy has been verified then all calls from device to server should contain the same hashcode or cookie and server will verify it first before answering to the call.
Rather then sending new js code , its better to push json dynamic data and keep the js code obfuscated on the device.
I would really enjoy avoiding the use of PHP for authenticating users on a website I'm developing, and I was wondering if I could use a SQL database, Apache sans PHP, HTML, Javascript/JQuery, and CSS to accomplish this? I know it's a far-fetched idea probably... but I would be happy if I could.
PHP is a single web development language, there are tons of options.
Ruby, .Net(C#/VB), Java, Python are some common alternatives.
You could work something out with JavaScript, but it would likely be sacrificing quite a bit of functionality/security.
Apache does have some modules like mod_auth_mysql that let you do authentication, but it doesn't look like it's been updated in awhile. The login box will be a pop-up box from the browser that requests username and password. You won't be able to put a Username/Password box on your page like other sites do.
If your webserver can't handle the authentication, you need some sort of "glue" that goes between your server and the browser to handle the authentication piece. PHP does a good job of that, but any of the languages Ryathal mentions would work as well.
If you do use javascript, remember that all of the source code used to secure your site is visible to whoever has the knowledge to look at it.
Yes you can use authentication methods built in to .htaccess if the right modules are enabled in your Apache installation.
This is only basic http authentication though so you would just get a popup box and you cannot log out unless you close the browser I don't think.
Authentication, Authorization and Access Control - Apache HTTP Server
You would need to use a command line utility called htpasswd to generate the user files.