I have a SSR react app that uses apollo. My app server lives under one domain using express while the graphql server is under another domain. I'm having issues trying to understand how the authentication should work.
Currently on my app server I create a cookie session via firebase's documentation. All is fine with that, but I have a couple questions.
I'm currently using firebase's admin SDK to authenticate the request both on the app server and graphql server. I'm doing this because the initial SSR page gets rendered on the server, while all subsequent requests go directly do the graphql server. The redundancy of the authentication doesn't seem to be the right way to do this. Can someone verify?
If this isnt' the right way to do things, should I set up a simple proxy for all graphql requests from my. Essentially making all graphql request going from the client to my app server, which then goes to the graphql server under the hood?
Any other recommendations how to properly set this up? I'm at a complete loss here
Related
I am implementing a VUE client app running on subdomain client.example.com and Laravel API on api.example.com. I am using webpush package to implement the browser notifications. I have my service worker (sw.js) on my vue app and manages to register the user, store the data to database on the push_notifications table.
The problem comes when I simulate the notification, it is not sent to the browser. I tend to think may be it is because the client app that requested for the permission is different from the API subdomain that triggers the notification.
Is there any way to implement this or my worries not realistic?
I am fairly experienced with Node, Express, and React but new to Next.
I am using Next's middleware to re-write API requests to my backend server (using NextResponse.rewrite).
I am not using Next's API functionality.
I am planning to deploy the app to Vercel.
Some of my APIs need more than 60 seconds to respond. From Vercel's Limits Doc, I see that the middleware function timeout is 30 seconds. Does it apply to rewritten requests (proxied to the backend) as well? If yes, is there a way to extend this? Without it, a Vercel deployment is out of the question and I will have to self-host Next which involves a lot more infra management.
I have a simple web site hosted in Firebase and it is making AJAX calls to REST API endpoints in GCP Cloud Run.
I would like to limit these endpoints only to the calls coming from this site hosted in Firebase. Any call coming from any other origin should not be able to use the endpoints. What is the best way to do this?
When I was not using GCP Cloud Run, I was doing a host check on the API side to make sure that request is coming from my client but now with Cloud Run this is not possible. What else could be done?
Please note that the web-site hosted in Firebase is very simple and do not do any user authentication.
Challenge: Restrict access to a Cloud Run service to a single web application, without relying on:
Restricting access to the web application
Imposing authentication on users
This difficulty is not specific to Cloud Run. It's a general challenge for static sites backed by APIs, and a reason why many sites have authentication. As mentioned in the question comments, a server-side "host" check is not a meaningful security layer, as everything in the HTTP request can be faked. I strongly recommend you not worry about keeping your API private or add user authentication to keep the system simple and access accountable.
If that's not possible, you can still take the authentication approach by creating a single user, embedding the credentials in the site, and rotating them regularly (by redeploy to Firebase Hosting) to prevent credential theft from having indefinite access to your API. Having Firebase Auth in the middle is better than a simple API key because it prevents replay attacks from accessing your API.
I have been working on a web app and I am now looking into hosting said app. This app is a client-side app for right now meaning that all of the work is being done on the clients device and it has no backend other than the web server giving the site to the user for the first time.
I was looking into Heroku but that seems expensive for my app. Then I looked into Firebase Hosting and it looks good but requires the site to have static content. For now I'm pretty sure my app fits that criteria but in the future I would like to have users sign up for accounts and then store the info they give for the app data in a database. Would do database calls to a firebase database make the app non-static/dynamic anymore?
I know I could use Digital Ocean or another server provider but I want to be able to have scaling done for me so I can just focus on the app and not the containers themselves.
It sounds like you might want to build your app with Firebase Authentication for user logins, store data in Firebase Realtime Database, and host all the content on Firebase Hosting. You could probably write the code entirely in JavaScript to run in the browser, but if you did need to write some code on the backend, you could use Cloud Functions for Firebase.
I'm sorry if it's a duplicate question, but I haven't found any answers that answer my question.
I use firebaseConfig to initialize firebase in my app. As far as I know, there's no way to secure keys when using only client-side code so anyone may access my firebase config.
I've read about security rules. But what prevents bad guys from siging up in my app, copying my config, and starting local server, logining in and accessing database data?
I thought about authDomain, but it allows using localhost, even if I can prevent from sending requests from localhost, the app needs maintaining so it's required to use localhost from time to time.
So the questions is how to prevent from signin-up, and using firebase key on localhost.
By the way, is it secure enough to use stripe API payments without in my single page app?