In my application the user is able to create files and to publish them. You need to be logged in in order to create/read/update/delete a file but there's a link with which you can simply view the file (no option to edit etc. and you don't need an account to view it).
Up until now, you needed a token for authentication to create/edit/etc the files in your account, however, if you had the link to the "view-version" of the file, you did not need a link in order to retrieve the file data and to view the file (meaning the route for fetching the data in the view-version was not protected).
However, this seems like a big security risk to me, as you can access the file data (albeit not the user data).
What I came up with is the following:
Besides the file-id, which I use to identify the file in question, I could also enter the token into the querystring, so whoever views the file could be authenticated.
I'm very new to this so I don't know much about what is a security risk. Sending the token in the querystring also seems like a security risk to me but I don't know how else to do what I'm trying to achieve and googling did not get me very far.
To sum it up, my questions are:
1. Is sending the token in the querystring secure?
2. If not, how can I achieve what I'm trying to do?
Related
I am new to web development, but I am building a tool to help us visualize the customers in our database in a more concrete way (basically a CRM of sorts). Its a web app using a node.js backend and Vue.js for the front end.
THE BIG QUESTION - I found a connection.threadId query that can be run. If I save this threadID in a cooke or JSON web token, can I use this to have each user uniquely querying the database? If you need additional information on my issue, continue reading.
Essentially the problem I am running into is authentication. We were able to get a dummy user create that has read only privileges to the database, but this doesnt help the account management team. I am trying to find a way for them to be able to login with their own credentials and then be able to run queries from my node.js (javascript) backend using a series of get and post requests.
I am able to get the user to login with the SQL password and they can run the initial query (that fires upon login) but they then cannot re-query the database if someone else logs in after them (I realized that my variables were all globally scoped on the server.) I then moved everything client side in JSON web tokens, but I had to hash the database password to be safe which leaves me with another problem. My hash and the original database hash do not match, and that is not something I'll ever get access to. Not really sure where else to go with this at this point.
Please ask if you need any additional information to assist.
Thanks!
You probably can't.
You also probably shouldn't use variables on the SQL server for a web app like this. If you can refactor those into variables you can schlep around in the user session (or POST parameters or whatever), you're much better off, being more stateless (as far as the server components are concerned) and all too.
I couldn't come up with a better name for the question so I apologize for that.
In my application you can make an account, create files and send the link of a file you created in a "view-version" to whoever you want.
The routes to create, delete, read,... files are protected, however, the "view-version" is not.
The way I handle it right now is the following:
The link to the view-version consists of the id of the file and a token the user receives upon log in.
When whoever receives the link opens the page, the token and id (that's the id of the entry created in MongoDB) are authenticated and if they are valid the user sees the page.
Obviously, the token times out after some time and I'm assuming that, once the token times out, the viewer will no longer be able to view the page (I didn't actually test this but it just makes sense I guess).
I'm new to creating websites that require user authentication for certain sites so I'm rather clueless about how to solve this.
If I let the viewer access the file just using the id, that'd be insecure since he could view ALL files by trying different id's (a viewer is not supposed to be able to view all files).
So, I guess what I'm trying to do is to publish the view-version of a certain file to a selected audience.
I was thinking about creating a permanent token that I could use instead of the token created when logging in/out so the viewer would always be able to view the files but I'm not sure how big of a security risk that is.
I tried googling how to best go about that, however, my search was unsuccessful.
How is such a concept usually implemented?
Google analytics tracks pageviews.
I would like to use JavaScript to fetch the number of views that a specific page URL has.
How can I do this?
P.S. Google documentation is a mess, all I can find out from it is how to setup tracking.
Doing this purly in javascript is going to be tricky. Due to the fact that you will need authorization to access your data.
Now normaly for a case like this I would say use a service account but in order to use a service account to connect to google analytics, you will need to download a key file. This file must be kept save and secure.
Javascript is client side scripting how can you send a file that no one else should be allowed to access? As far as I know there are no javascript examples for using a service account to access google analtyics i have also been unable to come up with a safe and secure way of doing this myself. If any one has any ideas please comment i would love to hear how you got this working.
The only other option is to go with normal autentication the problem with this is that you will need to autenticate the script. Thats not hard you could then save the RefreshToken some place and pass it to the page. Again this is a problem anyone that then looks at your source code will have the RefreshToken and the ability to access your data.
My recomendation: Use some server sided scripting language like php for example.
If you want to look at the code for doing this in javascript Hello-analytics-api
I dont know if this possible
But I have an ajax function in my javascript and as all, we know we need to provide php file path in the ajax request and this will be visible to all the users and unfortunately they can see the path of the ajax files and where they are stored .but i dont want this to happen i dont want user or client to see my ajax filed Is there a way to hide this path from the client, from seeing the path of ajax files? i know its something obfuscation but i only want the path to be done is it possible?
Update
so is there any way to stop user from viewing or opening php files from the url, I mean if user enters the path of ajax files and hits enter he can see all my files over there and he can easily hack my data so is there a way to stop user from entering them , i want only my pages to access php files not from users url,Thanks
It is not possible. The browser has to request the URI. The user can see what resources their browser is requesting.
"Ajax files" are not a special case. You need to secure them in exactly the same way as any other resource you provide over HTTP. i.e. use authentication and authorisation to make sure that only users who are allowed to access them do, input validation to make sure that any data sent to them is acceptable, and escaping to make sure that the data doesn't cause you problems if you try to insert it into SQL/HTML/JS/any other data format.
Response to update:
so is there any way to stop user from viewing or opening php files from the url
Still No!
I mean if user enters the path of ajax files and hits enter he can see all my files over there
You can configure your server to not serve a DirectoryIndex. The specifics depend on the server. Alternatively you can put a blank index.html file there.
and he can easily hack my data
How?
so is there a way to stop user from entering them
No.
i want only my pages to access php files not from users
Only an HTTP client can request a URI. There is no way to distinguish between an HTTP client responding to an instruction from JavaScript that you have written from one that is responding to user input.
a possible way would be to obfuscate it so that its not user readible. expl; by using a main script and including the file by switching on some POST/GET param your sending (could be a random string, hash, number).
more efficient obfuscation can be acchieved, when you would redirect all traffic to one script via mod_rewrite. Somewhere in the url, you hide a number, that tells you which file to use. Then you add random string before and after it (with specific length) and read it from your main script. But then the user will find out by looking at the javascript.
but srsly. why do you care? there is no security by obscurity!
/updated to your updated question;
I think you want to be looking at your apache configuration; use .htaccess files or better, disable indexing of a directory all together. The user wont be able to know about all your php files. Only the ones, you made public via links in your application. There is no such thing as "only letting ajax access file but not the user". because ajax IS the user and vice-verca! you are sending ajax request on behalf of the user! and if the user enters the url in the browserbar, its the same as sending an ajax request.
You could add a special header with your ajax call (or use the one already supplied), but that wouldn't change anything, as soon as the user looks at the traffic close enought.
What I think you want is a User Session to only allow privileged users to fully execute a script.
Unless you are using jsp technology with apache tomcat, you can place your folders in the WEB-INF.
No.
This is not possible. The client performs the request and the client is under the users control.
I have a client who would like the most recent post displayed on their site (along with like and comment counts) plus a link to the actual post. Their page is public, so I can view it in a browser without being logged in. Let's just say it's Nike.
http://www.facebook.com/nike (public)
http://graph.facebook.com/nike/feed (wait, i need to authenticate to see this?)
I went through the trouble of setting up a dummy app on a dummy account, got an access_token an was able to pull what I needed using javascript(Jquery). The reason I'm doing it this way is because the client has sensitive data and other apps/sites on this server and does not want to involve their IT department to QA my code.
Before final handoff, they'll likely set up their own facebook app on their account. This would significantly raise the stakes if someone decided they wanted to play with that access_token.
I'm mostly a front-end guy who's done some small php sites/apps, so what would you recommend I do?
Thanks for your time!
I don't know about facebook in particular, but typically if you want to protect api access credentials you would proxy the request through your server, and just send the results to the client (so the access key only exists on the server). Alternately, and I'm not sure that facebook provides this, some APIs will give you a user token, which does not expose your access key, but allows the client to call the api.