I'm new to gRPC, and I've tried to search this, but can't seem to find any reference to method calls that send and receive primitive types. I created a method where I send a string, and return a bool (in C#, bool IsPhoneNumberValid ( string PhoneNumber)
In their simple sample posted on their web site - HelloRequest, and HelloReply are listed as a message with a single field. Is this the standard practise in gRPC? I would like to see a reference to this is as the best practise, or what am I missing in the documentation?
It is my understanding that the parameter and return type for all gRPC method calls are to be protobuf messages. Since the primitive types are not protobuf messages on their own, then they are not accepted as valid parameters. Google provides some wrapper types that are, in my understanding, to support nullable types and are in fact protobuf messages (google.protobuf.StringValue). You can pass these as parameters to methods.
Related
With the latest Firebase Update callable functions were introduced. My question is whether this new way is faster than the "old" http triggers and if it is more secure.
I have no expertise in this field, but I think the HTTP vs HTTPS might make a difference.
This is interesting to me because if the callable functions are faster, they have that advantage, but their disadvantage lies in the nature of flexibility: They cannot be reached by other sources.
If the callable functions have no advantages in terms of speed or security I do not see a reason to switch it up.
Callable functions are exactly the same as HTTP functions, except the provided SDKs are doing some extra work for you that you don't have to do. This includes, on the client:
Handling CORS with the request (for web clients)
Sending the authenticated user's token
Sending the device instance id
Serializing an input object that you pass on the client
Deserializing the response object in the client
And on the backend in the function:
Validating the user token and providing a user object from that
Deserializing the input object in the function
Serializing the response object in the function
This is all stated in the documentation. If you are OK with doing all this work yourself, then don't use callables. If you want this work done automatically, then callables are helpful.
If you need direct control over the details of the HTTP protocol (method, headers, content body), then don't use a callable, because it will hide all these details.
There are no security advantages to using callables. There are no speed improvements.
I have an existing service that notifies a large number of clients when an event occurs. It uses a long polling mechanism that I rolled myself. I'm exploring replacing that mechanism with a signalr hub, and have a prototype working. But it has a pretty significant inefficiency that feels like there should be a solution to, but I'm not finding it.
I understand the idea of groups in signalr, and groups are obviously intended to prevent this inefficiency, but there is a reason that I cannot use groups. I hope it suffices to say that I need to call the same client method, with the same parameter values, on many clients using each client's ConnectionId. I can explain why if necessary, but it's really beside the point.
Assume I have a list of 200 ConnectionId's and I need to call the same method on each of them passing the same object parameter. If I simply iterate through the ConnectionId's calling Clients.Client(ConnectionId).clientMethod(param), I presume that the param object would be serialized 200 times.
Is there a way to serialize the parameter(s) one time, then invoke the client method using the already-serialized parameters?
UPDATE
I've found a github issue that sounds related (maybe even this exact issue) at Allow to Send Json Strings without duplicate Serialization. It appears that the functionality was added to signalr, but the github issue doesn't say anything about how to do it, and I can't find anything regarding it in the signalr docs.
UPDATE 2
In the github issue referenced above, the new functionality was implemented for PersistentConnection only -- not hubs. With persistent connections, when sending a parameter of type ArraySegment, signalr assumes it to be pre-serialized and sends it as-is without serializing it.
For some reason, this was not implemented for hubs, although it would be useful for hubs for the same reason it was useful for persistent connections.
Store all connectionId's in a Static List<string> atOnConnected` event and use the following,
Static List<string> allconnections = new List<string>();
public override Task OnConnected()
{
allconnections.Add(Context.ConnectionId);
return base.OnConnected();
}
Public void YourServerMethod(params)
{
Clients.Clients(allConnections).clientMethod(params)
}
I have a Webservice class. It has methods like AddStudnet, RemoveStudnet, UpdateStudent etc. These methods take parameters like StudentID, FirstName, LastName etc. All these methods have one common parameter - Api Key. The constructor does not take any parameters. So, in all my methods I'm authenticating the Api Key. If it's not a valid key an error message is returned.
Instead of authenticating in every method, how can I authenticate the api key in the constructor and prevent the object from getting instantiated? When I was researching on preventing the object from getting instantiated I came across throwing exceptions. If I go with throwing exceptions, will the webservice be exposed to any security vulnerabilities? Is there a different approach to prevent the object from getting instantiated if a invalid api key is passed?
Here is two article that will give you a kick start and show you basic implementation of API Key :
First by Ron Jacob :
How to do API key Verification
Second, How to use the API Key with the constructor:
How To Authenticate API Key In The Constructor
Most important thing is to verified the key in each call with this :
InstanceContextMode = InstanceContextMode.PerCall
That line of code is forcing a call to the constructor on every request, so every request the API is verified.
Hope that help you.
Looking at a third party API (HTTP) and it can return data (XML) in different structures (NOT different types - JSON, XML) depending on parameters supplied in the query string to an endpoint.
Is this a good idea for a RESTful service endpoint?
It is also recommended to use the HTTP Accept Header to specify which representation is requested. Have a look at this discussion.
I have clientside user-settings manager. the settings are saved through a webservice. I´m serializing them into json. Since the json can be manipulated before sending, I want to validate it on server then.
What are the best practices, what have i to look for?
Validating before deserialization? What kind of malicious input can the user use? Can he manipulate the json so that it harms me somehow on deserialization using default asp net javascript deserialization?
var userinput = { param1 : "test", categories : ["2312", "4324", "2122"] }
this one is sent to the server, serialized.
Deserialized on server into an object graph.
public class usersettings
public property param1 as string
public property categories as string()
end class
param1 is regex checked, maybe only letters and digits, start with letter, maximum 10 signs, for example.
categories must be distinct, not more than 10...
the usersettingsclass is a linq to sql genereted object, that can be directly pushed to the sqlserver.
this is all a very simple sample. in the userinput can be anything.
Are these settings security sensitive? What happens if the user messes with them?
If the only thing that happens is you can an exception, then don't bother.
If these settings can somehow compromise security, then they shouldn't be client side unless they're encrypted by the server before they're sent down to the client. In other words, they're "on the client" for scalability reasons only, not because they're manipulated in any way by the client.
If these settings are security sensitive, and they must be modifiable by the client, they you have an untenable situation. If javascript can modify them, so can the user.
Lastly, if all your'e worried about is that the client somehow manipulates the json data so that it causes a deserialization exception, you should research if there are any vulnerabilities in your json library. If not, don't worry about it until they're are.
Since you mentioned you're using built-in ASP.NET libraries, I can say that I'm unaware of any known vulernability in these libs.