The "derby" way of user authentication? - javascript

I know there are some packages like derby-auth, every-auth etc., that were written by the community/derby developers.
After some research I noticed that almost all the answers about the authentication mechanics in derby are pretty much a year old. Were there any changes? Is there a "derby" way to manage a simple username/password user authentication?
The official derby documentation says:
Access control
A basic access control mechanism is implemented, but it isn’t documented quite yet. An example is coming soon.
You can mix up your own authentication service, but the key point would be - is there a way to properly secure your collections to prevent client side intrusion?
EDIT:
I can't find anywhere an example of a simple login and data lock! Is there a way to lock down collections and restrict some of the CRUD methods, like in MeteorJs? Right now, even with the derby-auth package, I am fully capable of mutating the model data through the browser console, without being logged in.
Such a great framework, but this lack of documentation destroys it all..

AFAIK that is still work in progress: derby is still far from being production ready.
I'm working on a package called derby-passport, which is basically a fork of derby-auth, and I don't think any of these packages is actually an answer to your question. Not yet.

Related

Integrate Payment Gateway into NativeScript App

I am quite new to Mobile App Development, Payment Gateway implementation and NativeScript itself. Now I shall integrate an IPG into a Mobile App built with NativeScript to allow the user to buy goods via the Application (it is already possible to do so via the Website). I do not have any information regarding supported payment methods yet.
Whenever coding something I do have the opportunities to either write it on my own or use an existing open-source API. I've decided to try an open-source API to make it work.
My Problem is that I don't really know where to start. I have been doing some research on "how nativescript works" and Payment Gateway itself. Basically any JavaScript code is going to work with NativeScript, so any open-source API for IPG working with JavaScript should do it for my Application, right? Since I did not find any open-source APIs for NativeScript itself, I started looking for any JavaScript API. Sadly, all I found was an API of telecash (https://www.telecash.de/produkte-services/e-commerce/support-fuer-entwickler/downloads-handbuecher/) (watch out, that's a German site), whose documentation seems quite fine, but it did not seem open-source.
So my Question(s):
Can anyone tell me a little bit about any experience you might have with that topic (perhaps just a link or a tip)? Maybe there is even another thing that I should start with that I have forgotten? And I think I did not understand the difference (if there is one) between Payment Gateways itself and IPG. Maybe someone can help me out on that.
I cannot post code here since I am still in the "research" phase (have been for quite a long time), but I cannot see any progress within it so I am counting on your help. Feel free to correct me if I made a mistake or understood something wrong I mentioned here. :-)
Best regards.

Back-end solution for pure-Javascript site with link sharing

I'm a beginner developer and I would like to do a simple card-sorting site.
hundreds of cards with plain text
no log-ins, it must be as simple for user as possible
few dozens users per day
final state of sorting should be saved under unique link, like site.com/q56we1cfuz4 or site.com/link.php?unique=q56we1cfuz4
User sorts cards as he/she wishes and the result is saved into browser sessions storage (few kb of data in JSON or so). So far, so good.
Question:
As I know only Javascript:
If I need to share the state of the page (data in session storage) with some unique link, is something like Firebase.com a good solution for such kind of back-end? Or some simple DB with the help of Node.js?
In order to "catch" the link when someone clicks on a unique URL (site.com/link.php?unique=q56we1cfuz4), I still need some server-side script which will ask the DB, like PHP header redirect, right?
Your questions are a little fuzzy, no problem tho. You are just getting into web dev, so there's a lot to wrap your head around and all of the options can be pretty confusing. Some people will complain about opinionated answers, and I'm not going to claim to be objective here, but here are a few tips that I think will get you pointed in a better direction...
Firstly, yes - firebase is a good solution for you to try working with. Aside from the fact that it will give you the db/storage features you need, it's a realtime db, which will give you a lot more than just storage in the long run, and will better equip you for the future web development trends. The firebase API is (mostly) designed to work asynchronously, so from a javascript perspective, it falls right in line with the kind of code you'll end up learning to write.
Re: the other aspect of your question - server-side - check out nodeJS. It's basically a server-side javascript platform that will allow you to use the same skills you're learning to write client-side code for the server. Also check out expressJS, a nodeJS package that provides you the http-server, and allows you to handle dynamic urls, etc. - the bits you were thinking about when you made a reference to PHP.
Hopefully this will help you focus on a few specific tools to familiarize yourself with as you learn web development, rather than having to struggle with everything from new languages, platforms, and way too many libraries, frameworks and techniques to wrap your head around. Good luck!

Connecting to couch db from a webpage

I used to use mysql databases and a php backend for my web applications. Now that I am diving deeper into the javascript world I am looking for a more compatible way to store my data. I like the idea of writing everything in one language, and javascript seems to be capable of doing that job.
I started reading about couchDB and the JSON/JavaScript approach seems to fit perfectly to my needs. My question is now, which would be a convenient way to connect to the database from my pages.
I found this post, which explains how to connect to a couchDB directly from a client-side javascript using a library called couch.js. The post is quite a few years old and I cannot find the library anywhere on the web. So I am asking myself if this approach is still up to date.
I was taught that one important reason for using a server backend is to provide a security mechanism to protect the database authentication process. So: Is it generally secure to save an (encrypted) db pwd in a client side script?
So what I am looking for is a quite simple way to access and store json-like data from webpages. Are there any suggestions?
The hosting of the production solution should also be not that difficult and in the end not expensive, since it's rather meant for smaller projects at the moment.
If the post does not fit to the forum, let me know a better place for it..
I have been using the CouchDB jQuery Plugin for development. At first I was hesitant as well to use it due to most documentation being at least a few years old. So far it has worked really well and been very easy to use, especially if you are familiar with JavaScript/jQuery.
...
You can get the plugin from Github
CouchDB jQuery Plugin
Or you can save it directly from Futon:
http://localhost:5984/_utils/script/jquery.couch.js (where local host is your IP and 5984 is the port CouchDB is on)
Whatever you do, make sure you enable CORS on your database. There are instructions on the Github Readme page, or this script is super useful and easy to use through npm.
...
Documentation can be found here.
This reference has also been very useful for me.
...
Good luck!
I just released Slouch, a JavaScript client for CouchDB that can be used in both the browser and in node. I hope this helps!

Javascript SPA Multilanguage and LocalStorage

I am developing a JavaScript SPA using DurandalJs and BreezeJs as main technologies in the client side. I would like to know what libraries I can use to make my application support different languages. I have been doing a little searching and I have found that JED.js (http://slexaxton.github.com/Jed/) can be a good option for this task.
However I am not very sure, can somebody recommend any library for this task, or give me some opinion about JED.js?
Also I would like to ask about some library for storing information in the browser. Can somebody recommend me one? I have thought of amplify.js, it gives good functionality for doing requests to the server and caching this information. But in my application I am using breezejs, so this part is not needed. I only need to store some data like the username and some little information.
Many thanks.
MY SOLUTION:
I have implemented my system using amplify.storage for storing information in the browser and i18next (http://i18next.com/) to make my application available in different human-languages.
I am not much help on the first part of your question. I'm quite interested in the response myself!
I do have some thoughts on local storage. AmplifyJS is really three independent libraries. One of them, amplify.store, is dedicated to the local storage issue and is worth looking at. You might look at lawnchair. Finally, look at the Breeze DocCode sample for examples of storing full and partial entity caches in browser local storage; it's primitive but gives you hints.

SproutCore Security and Authentication concerns

I've been trying to learn a little about SproutCore, following the "Todos" tutorial, and I have a couple of questions that haven't been able to find online.
SproutCore is supposed to move all of the business logic to the client. How is that not insecure? A malicious user could easily tamper with the code (since it's all on the client) and change the way the app behaves. How am I wrong here?
SproutCore uses "DataStores", and some of them can be remote. How can I avoid that a malicious user does not interact with the backend on his own? Using some sort of API key wouldn't work since the code is on the client side. Is there some sort of convention here? Any ideas? This really bugs me.
Thanks in advance!
PS: Anyone thinks Cappuccino is a better alternative? I decided to go with SproutCore because the documentation on Cappuccino seemed pretty bad, although SproutCore's doesn't get any better.
Ian
Your concerns are valid. The thing is, they apply to all client side code, no matter what framework. So:
Web applications are complicated things. Moving processing to the client is a good thing, because it speeds up the responsiveness of the application. However, it is imperative that the server validate all data inputs, just like in any other web application.
Additionally, all web applications should use the well known authentication/authorization paradigms that are prevalent in system security. Authentication means you must verify that the user is who they say they are, and they can use the system, while Authorization means that the server must verify that the user can do what they are trying e.g. can they create a new data entry, or edit an existing one. It is good design to not present users with UI options that they are not allowed to perform, but you should not rely on that.
All web applications must do those things.
With respect to the 'interacting with the back end' concern: Again, all web applications have this concern. You can open up firebug/webkit, and look at all the xhr requests that RIAs use in their operations, and mimic them to try to do something on that system. Again, this concern is dealt with by the authentication/authorization checks that you must implement. Anybody can use any webclient to send a request to the server. It is up to the developer to validate that request.
The DataSources in SproutCore are just an abstraction around how SC apps interact with the server. At the end of the day, however, all SC is doing is making XHR requests to the server, like any other RIA.
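
As an added illustration of the server-side checks the answer above describes (this code is not from the original answer or from SproutCore; the session table, the todo store and the handleUpdate function are hypothetical names with constructed sample data), a backend for the Todos tutorial would authenticate, authorize and validate every update, regardless of what the client UI allows:

```javascript
// Constructed sample data: server-side state the browser cannot edit.
const sessions = new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]);
const todos = new Map([
  [1, { id: 1, owner: "alice", title: "Buy milk", done: false }],
]);

// Fields a client may change, each with its own validator.
// Anything not listed here (for example "owner" or "id") is rejected.
const validators = {
  title: (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 200,
  done: (v) => typeof v === "boolean",
};

// Hypothetical update handler: it trusts nothing in the request object.
function handleUpdate(req) {
  // Authentication: who is sending this request?
  const user = sessions.get(req.token);
  if (!user) return { status: 401, error: "not authenticated" };

  const todo = todos.get(req.id);
  if (!todo) return { status: 404, error: "no such todo" };

  // Authorization: may this user modify this particular record?
  if (todo.owner !== user) return { status: 403, error: "not your todo" };

  // Input validation: the payload must be a plain object of known fields.
  const changes = req.changes;
  if (changes === null || typeof changes !== "object" || Array.isArray(changes)) {
    return { status: 400, error: "changes must be an object" };
  }
  for (const [field, value] of Object.entries(changes)) {
    const known = Object.prototype.hasOwnProperty.call(validators, field);
    if (!known || !validators[field](value)) {
      return { status: 400, error: `invalid field: ${field}` };
    }
  }

  // Only now is the stored record touched.
  Object.assign(todo, changes);
  return { status: 200, todo: { ...todo } };
}
```

A request replayed from the browser console gets the same answers as one sent by the real client, because every decision is made from state held on the server.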
