Menu
I'm a client-side guy that just stepped into the world of server-side javascript. I've got this idea about how I think I want to build my first Nodejs application. I want a server-side that pretty much only serves an empty shell and lots of JSON. I want to put the rest of the logic in a Backbone.js-equipped front-end.
So I quick whipped up a small application (code in the bottom) and I've got a few questions.
Are session variables safe? Can I use session variables to store an user identifier that I later read to fetch sensitive date. Is it possible to modify sessions variables so that, in my case, one user could get hold of another user's data?
Does it make sense to serve JSON in the way I'm doing it on my '/profile' route. In my application there will be a lot of routes just like that one. Routes that fetch something from the database and serves them as JSON to the client.
Looking at my code, do you have any tips or tricks? Things I should do differently. Modules I probably should have a look at?
Does my idea of an almost JSON-only backend makes sense?
My application below.
var facebook = {
'appId' : "my app id",
'appSecret' : "my app secret",
'scope' : "email",
'callback' : "http://localhost:2000/"
}
var express = require('express');
var MongoStore = require('connect-mongo');
var auth = require('connect-auth')
var UserProvider = require('./providers/user').UserProvider;
var app = module.exports = express.createServer();
// Configuration
app.configure(function(){
app.set('views', __dirname + '/views');
app.set('view engine', 'jade');
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.cookieParser());
app.use(auth([auth.Facebook(facebook)]));
app.use(express.session({secret: 'my secret',store: new MongoStore({db: 'app'})}));
app.use(express.compiler({ src: __dirname + '/public', enable: ['less'] }));
app.use(app.router);
app.use(express.static(__dirname + '/public'));
});
app.configure('development', function(){
app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
});
app.configure('production', function(){
app.use(express.errorHandler());
});
// Providers
var UserProvider = new UserProvider('localhost', 27017);
// Routes
app.get('/', function( request, response ) {
if( !request.session.userId ) {
request.authenticate(['facebook'], function(error, authenticated) {
if( authenticated ) {
request.session.userId = request.getAuthDetails().user.id;
}
});
}
response.render( 'index.jade' );
});
app.get('/profile', function( request, response ) {
response.contentType('application/json');
if( request.session.userId ){
UserProvider.findById( request.session.userId, function( error, user ){
var userJSON = JSON.stringify( user );
response.send( userJSON );
});
} else {
response.writeHead(303, { 'Location': "/" });
}
});
app.get('/logout', function( request, response, params ) {
request.session.destroy();
request.logout();
response.writeHead(303, { 'Location': "/" });
response.end('');
});
app.listen(2000);
console.log("Express server listening on port %d in %s mode", app.address().port, app.settings.env);
500
Socket(); client. connect(PORT, HOST, () => { console. log(`client connected to ${HOST}:${PORT}`); // Write a message to the socket as soon as the client is connected, the server will receive it as message from the client client.
I think you have the right idea, although I'll throw out a couple of thoughts:
As for security, setting your session timeout to a lower value and choosing an appropriate secret key would probably go a long way toward making sure someone can't generate session cookies (by default the actual data isn't stored on the client). I'm not sure what algorithm node.js uses to generate session cookies. Here are some details on the express session middleware.
125
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
