I have a website and I want to send data (browser, page, etc.) into bigQuery.
How can I do this using only JavaScript?
You should check out the https://github.com/google/google-api-javascript-client Javascript library.
But the recommended way is to sent first to your backend then use your favorite language to send via REST forward to BigQuery. This would be much much more easier as you can use directly a service account to authenticate to the API. On the frontend the hassle is the OAUTH and obtaining and managing keys.
Related
I am brand new to a lot of Azure technology. I have familiarity with Graph API and JavaScript but have limited knowledge of C#.
Problem:
I need to write an Azure Function that queries an Azure App Registration that has the application permission 'Reports.ReadAll' and I need to do this in a secure method. This is to get data from Microsoft Graph Api. I want to do it in a way without writing the App Registrations Client Credentials in the code as that might be risky.
End Goal:
I am planning on collect the response from the App registration call and getting a url to a CSV file which I will Store somewhere (likely SharePoint). But this questions is about the first part, sending a request to the app registration securely and getting a response.
I have done quite a bit of research so far, and it seems I need to achieve my goal by writing a function in C# or JavaScript (preferably JavaScript, but any solution is welcome). To get the security I need some bits on the Internet say I need to Use Azure Key Vault so I am not store Client Credentials in plain text in the code?
I also need to get the bearer token first it seems according to my research, and I need to then include that in the call for the report's data I need, but I haven't been having much luck their either.
The situation is that there is a backend Web API which requires the front-end page caller provides the authorization data (username and password). And I need to write a front-end web client code to be the Web API caller. (It's a general usage no matter what which language is)
The Web API has only provides the Basic Authorization, no other ways to do it like token or something else.
If I directly wrote the username and password as plain text on the client side code, the user could see these plain text in the source code from browser easily.
I wonder what is the best practice to handle these authorization data in front-end client side page?
Thanks
It would be impossible for you to hide plaintext details leaving a clients machine as there are many places they would be able to intercept it. One solution would be to set up a server in the middle which acts as a proxy between your client and the API. You can have whatever authentication you like on the middle server and you can store your details there safely.
im trying to create a simple website with HTML/CSS and Javascript. Basically the user should be able to input a number into a textfield and "send it" with a button. When the button got pressed i want to run a Javascript function that searches the number in a sql database.
Creating all that stuff shouldnt be a big problem for me, but i have no clue how to create a safe connection between JS and SQL. I have read that a direct connection with javascript is very insecure.
Some people recommend to use java or c# to built an sql connection. How would that work? Basically just an Javascript code, that runs an java/c# application(which builds an sql connection) and returns the needed sql data?
Also heard that its possible to create a sql connection with node.js, is this safe? Or is another method more suitable?
Greetings
I have read that a direct connection with javascript is very insecure
The danger is in giving direct access to your database to the client. JavaScript is most commonly run client-side in web browsers, so for it to access the database you would have to give the browser (and thus the visitor) a username and password on your database server and let them run raw SQL.
There are many possible security risks with this and it just isn't worth it.
(Aside: You can't make arbitrary socket connections with browser-side JavaScript, so it's impossible to connect to most database servers from it anyway).
If you want to expose data to JavaScript running in the web browser, then the standard approach is to write a webservice.
You can write the webservice in any programming language you like (including JavaScript). It listens for HTTP requests, reads data out of them, possibly performs authn/authz, the queries the database (applying the well-documented defences against SQL Injection attacks) and returns the result (often formatted as JSON).
The client-side JavaScript, therefore, just has to make an HTTP request (e.g. with XMLHttpRequest or fetch) with parameters passed in the query string or request body, and process the data it gets back from it.
Connecting to a database using client side javascript is very insecure as the javascript will need to know the login details. And since the client side javascript is on the client side, any user will be able to see the login details in plain text.
The best way to do this is to make a webservice on a server. When the button is clicked it will make a GET/POST request to the webservice with the entered number as a parameter. The webservice, which can be made using any language pretty much, will create the connection with the database and insert the row itself.
Although I would advise going the webservice route since it will be much easier to make secure. Playing with javascript to database is extremely dangerous unless you have a really good system and understand exactly what you are doing; but if you really want to do it and have an application that requires it, then can use PouchDB connected with CouchDB.
PouchDB is run locally and can sync with CouchDB over HTTP.
https://pouchdb.com/
https://couchdb.apache.org/
There is an answer here discussing basic security with pouchDb synchronizing with couchDb. Basically, each person needs separate login credentials and credentials should never be stored in the page code.
PouchDB security
There are some neat uses for pouchDB: https://pouchdb.com/users.html
I need to build a simple (almost) frontend only website (HTML, CSS, JS) and host it on Amazon S3. But I also need to store contact details of people who fill out the form. The only way I have ever handled this type of scenario is the usual way, i.e. by sending the data to the server and handling the CRUD operations on the server side.
But in the current situation, I think that firing up a server (an EC2 instance) will be an overkill (as well as expensive). Is there any way by which I can directly store data submitted by user to the DB? (SQL, NoSQL anything would do).
The closest I got to the Solution is DynamoDB Low-Level API which I have not run but I think that making REST call from the html page would do the trick BUT the problem is that it would expose the Authorization Credentials.
Is there any way I can either use DynamoDB Low-Level API without exposing the credentials? or is there a better solution than using DynamoDB?
If you want to create a serverless website that can store data you should use API Gateway to fire AWS Lambda functions which will verify the data and store it.
I have two separate web apps:
database API
and basic web-client (Flask) with some JS-code (Knockout.js) for interactive
features like filtering products 'on-the-fly', cart, etc.
To implement interactive answers through API I use JavaScript requests running in a user's browser. I want to control access to API and give it only to authorized web-apps, for example, my own client JS-code.
I read about HMAC and Oauth. The key point: the server and the client share the same secret which is used to generate a HMAC, for example.
But how should I generate a HMAC inside a user's browser using a secret and not exposing the secret to others? As I understand, if my JS-code has access to a secret, than anybody on the internet has that access, right?
JavaScript applications are what are called 'public clients' in OAuth 2.0. It basically means they cannot keep secrets and therefore you cannot do client (application) authorization.
So, if you are using a JavaScript application to talk to your API, you'll need to do user authentication and give users access to your API. Or switch to a server side application to access your API.