I'm architecting a public web API for my service. It will be equally consumed by web pages and native mobile apps (iOS, Android and Windows 8).
Should I use cookie-based authentication? I mean, is this the best practice for this scenario?
Futher Info:
After a little research in the authentication/authorization/openId-connect field i realized that most of everything is handled by the browser, by that i mean, the redirects, coockie insertion and related "boiler-plate" stuff... when i think about all that boiler-plate that i will have to duplicate in my natives apps, i wonder if that model is the best for mobile apps. i mean, maybe theres another more mobile-native-friendly way...
Ps: i know that this is a little generic still, it's just that i'm a begginer in the field of security and i dont know how to properly express my doubts/concerns/"laziness" still...
The API itself should really be stateless, and not manage any sessions. Each request to an API should be made with the authentication details (e.g. OAuth token).
If the Web pages and mobile applications need to maintain some kind of session, then it should be up to them as clients of the service to maintain that state. For instance, a Web page might set a session cookie for the user, but a native mobile app might want a completely different approach.
See also: If REST applications are supposed to be stateless, how do you manage sessions?
Related
I want to create web app in Nextjs and in the future mobile app in React Native. But I am confused what api to use. Do you think that the Nextjs api can handle both web and mobile apps? Is this possible and is it good idea at all? Should I use PHP backend for that? Thank you very much.
With the assumption that you are talking about API Routes :
I would ask you that you think through the scale of your web and app. If this is a simple web/app that you do not expect to grow much - The NextJS API which is similar to standing up an nodejs express server is not a bad option.
Remember a few considerations when designing this API
You may have to distinguish the request origin (web/app)
CORS may have to be customized - Next exposes this
You could set an app specific route to ensure isolation or use headers to distinguish behavior if your application bifurcates in the future.
These concerns are shared even if you made a PHP, ExpresJS or any other API middleware.
Once you are past all this, i would ask you to consider
Using a GraphQL server like Apollo that works nicely with Next and is custom built for this purpose..
Evaluating API Gateways for security and scale.
You don't use any external tools at all.
Next JS has serverless model. So, you don't need to mess with BE.
You can create a number of API routes you want. in /pages/api folder. You can even split like /pages/api/desktop and
/pages/api/mobile folders.
You connect your database (MongDB, sql etc) via /middleware/your_file.js. Here is example for MongoDB
If you like, you can even add some security (ex: Auth0, next-auth
etc) to secure your API routes created in /pages/api folder. Example for Auth0
After, you can access you data througth API calls. Very good!
I want to build an instant chat app with flutter without any third party services.
I've been working in a simple app using a restful laravel api for login, multiple methods and logout, using token authentication for each request. However, I find that architecture not suitable for a modern instant chat. I discovered WebSockets, which sound great, but can't yet grasp how I could subscribe to and consume one from flutter. I´ve read about web channels, but I'm not sure how they handle authentication for users. Is it possible to handshake and establish a session from my app? If so, how?
Or, can it be done totally restful? How could I post messages and listen other user's messages in that case?
Besides the chat functionality, is it recommended to work restfully? Or is flutter able to mantain a solid, authenticated session? I'm kinda new in flutter.
I appreciate any info, link or recommendation. Please, refrain if you were going to mention firebase, I want to build my own backend. Thanks!!
You should check out MQTT, an IOT protocol which is currently used for chat applications very widely.
To know about MQTT, see this.
But first I will recommend you to understand Pub-Sub(Publisher-Subscriber) Model, if you understand it then that's great.
For pub-sub model, see this.
Or, can it be done totally restful? How could I post messages and listen other user's messages in that case?
Yes, it can be done totally restful but honestly it's not recommended. You should do it with websockets.
Besides the chat functionality, is it recommended to work restfully? Or is flutter able to maintain a solid, authenticated session? I'm kinda new in flutter.
Depends on your architectural choice. There are many good options on which architecture you want to choose. Apart from restful there is GraphQL also, if you are comfortable with it. Apart from chat functionality mostly you will see people using RESTful but people who know GraphQL, might also use that instead of RESTful.
We're building:
A bunch of services exposed through a web API.
A mobile app and a browser app.
Is it common practice for the apps to respond to their own conduit servers that end up talking to the API services? We're going to be setting up a reverse proxy - is it enough to directly hit our APIs (instead of setting up a conduit)? This is definitely a general architecture question.
I'm not sure what you mean by a "conduit", but a lot depends on how complete and hardened your APIs are. Do they already handle things like authentication, abuse detection/control, SSL, versioning, etc...
There are companies that specialize in providing this "middleware" of APIs (Apigee, Amazon API Gateway, Azure API Management, and many others). Your reverse proxy is a start, and is probably good enough to get going with (at least you do things like terminate your SSL, and lock down your API servers behind a firewall). If you make your API services stateless, you will probably be able to add new layers at a later date without too much pain and complexity.
I need some help with securing a single page multi-tenant saas application.
Questions:
1) What is the best way to implement it? I am trying the build the application using angularjs, spring mvc and REST.
2) Can this be done using Spring Security? Any example with creating login page and securing REST, calls will be helpful?
I have found a sample for implementing spring security with Spring JPA (http://krams915.blogspot.com/2012/01/spring-security-31-implement_3065.html) but it is not for SPA and SaaS.
I understand this a very broad question but i am new to SPA, REST and SaaS so any pointers will be helpful.
Thanks...
I have already participated in two projects with SPA and security aspects. Last of them was GWT + Spring Security. I am sure that you can use successfully Angular and Spring Security together.
Unfortunately there is no built-in config parameter 'we are in SPA mode' in Spring Security AFAIK. So some tweaking / conf from Spring Security side will be necessary. Example:
imagine that during login you call built-in into Spring Security login controller. In a case of successfull authentication by default user will be redirected to index page, where in a case of failure it will be redirected to corresponding error page. It is a normal behavior for standard web applications that will be not so useful for SPA web applications. In a case of SPA you need to detect AJAX call and print JSON with username / roles for successfull cases or send 401 code for failures (then detect 401 in JS and show corresponding error). You can use corresponding extention points from Spring Security to do so: AuthenticationSuccessHandler and AuthenticationFailureHandler.
Some another thing to tweak: by default after session expiration user will be redirected to login page (and SPA app receive login page as a response to the next AJAX call).
Looking into my personal exprience general guide will be like so: after login load list of roles into JS. Use it to show / hide corresponding components on UI side. Apply the same list of restrictions on server side too. To make sure that user do not edit JS in browser (although in a case of minified JS of some medium size app it will very complex task). On the server side you must choose between:
Secure URLs of AJAX calls
Secure some Java methods.
I prefer second one (secure business methods on services). I think it is more convinient because normally we want secure business operations, not some endpoints. As adwantage you will be able expose your business logic via some other protocol, and security will be there already. From other side I can imagine some business requirement to have different permissions for different endpoints / protocols. So it depends more on your actual situation.
Lage size JS applications must be splitted into modules. To decrease direct dependencies it may be better to use events insted of direct calls to cummunicate between modules. There are interesting thoughts of Addy Osmany about how to do security in these coditions. I did not found good link to it, maybe this or this will be helpfull (search "permission").
Feel free to post any questions. Good luck.
I'm currently planning the creation of a mobile application for ios and android.
The application will permit to the end-user to manage and see the progress of its projects. (Web creation company).
The application will have:
Project management (multiple)
View progress
View tasks
View hours
View files
View messages
Login/Logout form + Profile/Edit Profile section
Send/Reply Messages
Add comment on tasks and files
The question is: What is the best way to create an API (Restful or something else) using the Zend Framework?
This API must and will be integrated to a custom-made Projects Management System and a MySQL DB.
I just working on PHP API (no matter if API is for mobile platforms or another webs) and after realizing between SOAP and REST I chose a RESTful API and I can recommend it...
Zend Framework has components for both of mentioned approaches, but REST is easier and more understandable in comp. with SOAP...
The one thing what you have to think about is logging, you can use HTTP Auth or OAuth (HTTP autentification is easier), but better approach according to me is generate unique API KEY for your users (each user should have own KEY) and this KEY ensure you can recognize user and a security risk is minimal because user do not have to send login and password inside HTTP request (security risk) and in case of KEY is catched on WIFI or infrastructure, hacker do not get user logins to web application, only for API where propably will not be all features what main web app offer.
And if you set some time expiration for you KEYs or IP restriction for KEY, than you can make it more safe:)
Some tip for the end: Implement API as new separated ZF module.
One of the best stuffs I have noticed so far is http://getfrapi.com/
It makes use of everything from Zend to Pear. May be you should checkout the video http://www.youtube.com/watch?v=vJVQi7ZFSaQ