node.js (with socket.io) security? - javascript

since I am learning node.js I was wondering about something:
When I use node.js server to run a websocket, so that clients can connect (like on a website via javascript), it always listens public. Isn't that a security problem, that everyone in the world would be able to send data to the ip:port. They just have to connect to the server via the data that are written anyway within javascript and send / receive data?
I was thinking about a token, which would make sense in Java or Swift etc, but in javascript it can be seen anyway?!

TL;DR: yes, It's totally secure.
Every time the browser sends an HTTP request, there is a port waiting for the server's response. The difference between this to an open port is that an open port is open for everyone on the web. In an HTTP request or web socket, the port opens only to the server.

Related

How to hide requests from a client react js website

I have a C# server side web service. but I don't want user can to see my requests like request tab from client's browsers.
now, I haven't been find any solution on SO.
what is the best solution to do this?
I think I can use a node.js server-side and render my reactjs inside it and my node.js send my requests to C# server side. like this:
React.js<--(render)--Node.js--(Send/Receive api's)-->C#
I don't know if I use a node.js server, my requests will be hidden from clients?
I don't want to use reactjs.net.
If you're making a HTTP request to node server, and making the stealth request from NodeJS to another server, that request will not be visible to the client.
Alternatively, you can make an encrypted request. Although URL and some part of encryption algorithm will still be exposed at client's end.

Alternate of server polling?

As we know, if running application also manage sessions in main memory then is there any way for server to send responses to all web clients/browsers for new recorded data in a database.
Remember: I have not made any request to server or polling to server for new records update..
Let server make responses without web request..
Objective :
No all web browsers making request or polling to server for every certain interval therefore reducing the performance issue with the application memory..
Am just against of making so many ajax calls from every web client..
Need your ideas from your past, if experienced similar..
read about websockets and socket.io.
basically with socket.io you have a connection open between browser (client) and server and server can send data which the client than receives as an event.
the client doesn't need to send a request to get that data, only open the web socket connection.
you can look at socket.io chat example: http://socket.io/get-started/chat/
WebSocket is the best and easy solution if you don't want to go through the hassle to learn Angular or others.
Both server-side and client-side can build WebSocket, and it acts as a bridge to transmit data back and forth.
I just created an easy solution for this.
Please check my new library wsm - WebSocket Manager, it works for both server-side and client-side.
Websocket Server can be built easily; this library includes several useful features.

Express web sockets and a central server

I'm creating an app where the server and the clients will run on the same local network. Is it possible to use web sockets, or rather more specifically, socket.io to have one central server and many clients that are running native apps
? The way I understand socket.io to work is that the clients read the web-pages that are served from the server but what happens when your clients become tablet devices running native apps instead of web pages in a browser?
The scenario I'm working with at the minute will have one central server containing a MEAN app and the clients (iPads) will make GET requests to the data available on the server. However, I'd also like there to be real-time functionality so if someone triggers a POST request on their iPad, the server acknowledges it and displays it in the server's client-side. The iPad apps will (ideally) be running native phonegap applications rather than accessing 192.168.1.1:9000 from their browser.
Is this technically possible to connect to the socket server from the native apps or would the devices have to send POST requests to a central server that's constantly listening for new 'messages'? I'm totally new to the whole real-time stuff so I'm just trying to wrap my head around it all.
Apologies if this isn't totally clear, it's a bit hard to describe with just text but I think you get the idea?
Correct me if I am wrong.
You have multiple iPads running native app. They send a POST request to your node JS server which is running in a computer in the same local network. Whenever the server receives a request from app, you want to display that a request has been received in your computer screen.
If my assumptions about the scenario is correct, then it is fairly easy to do. Here are the steps to do it.
Create a small webpage (front end). Load socket IO in the front end page like this -
<script type="text/javascript" src="YOUR_SERVER_IP/socket.io/socket.io.js"></script>
Then connect to server using var socket = io(). This should trigger connection event in your backend.
Handle all POST request from apps normally. Nothing special. Just add a small snippet in between. socket.emit('new_request', request_data). This sends new_request event to front end.
Handle the new_request in your front end using socket.on('new_request', function(request_data) { ... });. That's it. No need to add anything to your native app for realtime update.
The second step would be a little complicated as it is necessary to make socket variable available inside all POST requests. Since you chose node.js, I don't think you need any help with that.
Not totally clear on your project, but I'll try to give you some pointers.
An effective way to send data between native apps and a server is using a REST server. REST is based on HTTP requests and allows you to modify data on the server, which can connect to your database. The data returned is typically either JSON or XML formatted. See here for a brief intro: http://www.infoq.com/articles/rest-introduction
Android/iOS/etc have built in APIs for making HTTP requests. Your native app would send a request to the server, parse the response, and update your native UI accordingly. The same server can be used from a website using jQuery ajax HTTP requests.
Express.js is more suited to serving web pages and includes things like templating. Look into "restify" (see here: mcavage.me/node-restify/) if you just want to have a REST server that handles requests. Both run on top of node.js (nodejs.org).
As far as real-time communication, if you're developing for iOS look into APNS (Apple Push Notification Service). Apple maintains a persistent connection, and by going through their servers you can easily send messages to your app. The equivalent of this on Android is GCM (Google Cloud Messaging).
You can also do sockets directly if that's easier for you. Be careful with maintaining an open socket on a mobile device though, it can be a huge battery drain. Here's a library for connecting ObjC to Socket.IO using websockets, it may be useful for you: https://github.com/pkyeck/socket.IO-objc
Hope that helps!
To answer your question, it is definitely possible. Socket.io would serve as the central server that can essentially emit messages to all of the client. You can also make Socket.io listen for the messages from any of the clients and serve the emitted message to the rest of the clients.
Here's an example of how socket.io can be used. Simply clone, npm install, and run using 'node app.js'
All you have to do is to provide a valid server address when you connect your socket from the iPad clients:
var socket = io.connect( 'http://my.external.nodejs.server' );
Let us know if you need help with actual sending/receiving of socket events.
It is possible to connect to Websockets from your apps.
If you are using PhoneGap then you need a pluging that gives support to websockets in your app (the client) and then use websocket like normal way using Javascript see this.
If your app is native iOS look into this it could help you.
The primary use of the Sockets in your case is to be a bidirectional "pipe" between an app and server. There is no need of server sending the whole web-page to the native app. All what you need is to send some data from server to the client(app) in response to POST (or GET) request and then using this data on client side to update client's UI in real-time. If you are going to use moderate amount of devices (say tens of them), you may have connected all of them to the server permanently keeping individual socket connection open for every individual link server-to-app. Thus you may deliver data and update client's state in real time.
In fact web browsers also employ sockets to communicate to web servers. However as in general case there is no control on amount of concurrent clients in Internet, for the sake of limited networking resources conservation, servers do not keep sockets open for a long time, closing it just after the web-page was sent to client (or timeout has expired). That's how HTTP protocol works on the low level. The server waiting for the HTTP clients (browsers) by listening the 80 port, responding them by sending the whole web page content, then closing the connection and keep waiting for another requests on the same port.
In your case it's basically a good idea to use socket.io as it's a uniform implementation of sockets (ok WebSockets) on both client and server side. The good starting point is here

Maintain a backend connection on NodeJS across page requests?

I'm making connections via thrift (node-thrift) to a backend server to make api calls, but the communication is bidirectional (push/pull) to NodeJS.
While a user is browsing around different URLs, and Node is churning out jade templates and javascript files via Connect/Express routes, how do I maintain the connection to the backend server, and output (as an example) the connection status as part of the rendered jade output?
I have the connection object, but what do I do with it?
Sockets and port communication is generally a new area for me, so any help would be appreciated.
Keep in mind that backend server is not communicating to the web browser as the client, but rather the NodeJS server as the client.
(updated after discussion in comments)
So it looks like thrift is TCP-based which means the node client is going to keep the connection to your thrift API server open. This is entirely independent of what your node/express app server is doing with the browser clients. So if you keep a reference to your thrift client available to all requests, by attaching it to the app object for example, you should be able to determine it's current status and include that information in HTTP responses to the browser. There's not going to be any automatic coordination or association of any kind between your express app server handling browser HTTP requests and your thrift client making RPC calls to the API server. If you want coordination, you need to code that explicitly, but sending an HTTP response to a browser isn't going to automatically close your thrift TCP connection to the thrift RPC server (and same story vice versa).

Server WebSockets and server http with node.js

All
I am developing an application which needs to communicate with WebSockets with customers online in the browser. For this I started with Node.js to create the server, so far so good, my problem is that there is another application that must communicate via http POST to my server then passes this information to my server my server passes to clients web.
I am new to the use of this technology so I apologize if I say nonsense.
1 - I can send a POST request to my server WebSocket, the application that connects customers via WebSocket, Server, may also receive the POST request and send this information to each client by ws?
2 - There is a way to open a client socket with a tag that allows me, server, send information to that client only and not at all, depending on a parameter. I want to know that each socket belongs to a specific customer and only send information to that client.
1.) If I understand you correctly then you want to broadcast information through websockets to other clients. Just take a look at the node.js modules socket.io or ws.
2.) You want to open different sockets for different urls? Like a separate websocket connection for /foo/a/bar and /foo/b/bar? Have a look at my answer here

Categories