web_framework.md

+++ description = "REST, Express.js, Authentication, security, deployment" title = "Web Framework" draft = false weight = 300 bref="A web framework is a software framework that is designed to support the development of web applications including web services, web resources, and web APIs" toc = true script = 'animation' +++

REST

Representational State Transfer (REST) is a software architectural style that defines a set of constraints for creating web services over HTTP.

6 guiding constraints

• Client–server architecture - a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients.
• Statelessness - Each request from any client contains all the information necessary to service the request, and session state is held in the client (not the server).
• Cacheability - Responses must, implicitly or explicitly, define themselves as cacheable or not to prevent clients from getting stale or inappropriate data in response to further requests.
• Layered system - A client cannot ordinarily tell whether it is connected directly to the end server, or to an intermediary along the way.
• Code on demand (optional) - Servers can temporarily extend or customize the functionality of a client by transferring executable code such as JavaScript client side scripts.
• Uniform interface - Constraints that decouple the client interface from the server implementation. These include how to identify resources, describe metadata, and represent data. See HTTP protocol for a better understanding of the constraints needed.

Other methods

GraphQL - an open-source data query and manipulation language for developing flexible APIs. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server, therefore preventing excessively large amounts of data from being returned, but this has implications for how effective web caching of query results can be. The flexibility and richness of the query language also adds complexity that may not be worthwhile for simple APIs.

Websockets - a computer communications protocol facilitating real-time data transfer between client and server. The protocol is located at the application layer of the TCP/IP model and depend on TCP at layer 4. The WebSocket handshake uses the HTTP Upgrade header to change from the HTTP protocol to the WebSocket protocol (also compatible with HTTP). This allows messages to be passed back and forth while keeping the connection open. The communications are done over TCP port number 80 (or 443 in the case of TLS-encrypted connections).

↑ Top

Express.js

An open-source web application framework using Node.js designed for building web applications and APIs.

Routing

Routing refers to determining how an application responds to a client request to a particular endpoint, which is a URI (or path) and a specific HTTP request method (GET, POST, and so on). Express is configured to handle routes and HTTP verb with app.METHOD(PATH, HANDLER).

Static files

To serve static files such as images, CSS files, and JavaScript files, use the express.static built-in middleware function. Express also supports templating. A template engine enables you to use static template files in your application. At runtime, the template engine replaces variables in a template file with actual values, and transforms the template into an HTML file sent to the client. Pug, Handlebars, Jade are different template engines you can choose, each with their own syntax.

Middleware

Middleware functions are functions that have access to the request object (req), the response object (res), and the next middleware function in the application’s request-response cycle.

↑ Top

Authentication

Hashing and salting

Hashing performs a one-way transformation on a password, turning the password into another string, called the hashed password. Salting is adding random data as an additional input to the hash function. Authentication then relies on comparing the salt + hash of the original password. This protects commonly used passwords or users who use the same password on several sites, by making all salted hash instances for the same password different from each other.

Preventing reverse engineering via brute forcing the hash algorithm

Cookies vs tokens

Cookie-based authentication is stateful. This means that an authentication record or session must be kept both server and client-side. Token-based authentication is stateless. The server does not keep a record of which users are logged in or which tokens have been issued. Instead, every request to the server is accompanied by a signed token which the server uses to verify the authenticity of the request. Today, most authentication has moved from cookie-based to token-based.

Authentication libraries

Passport - authentication middleware for Node that provides "strategies" for handling all types of authentication mechanisms. JWT (JSON web tokens) and OAuth (login with Facebook/Google account) are the most common.

Third party - Ideally, you don't want to be handling sensitive data that can be hacked. Allowing a 3rd party to handle validation is best practice. AWS Cognito and Auth0 are two of the more popular authentication providers.

↑ Top

Deployment

Heroku

The easiest way to deploy Express apps is through Heroku, a cloud platform as a service supporting Node.js and many other languages. A platform-based service is a category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

Once the Heroku CLI is installed, deployment is a simple heroku create command and Heroku will handle dependencies, installation, runtime environment, and all other deployment tasks. The Heroku Platform uses the container model to run and scale all Heroku apps.

AWS

AWS provides a similar service to Heroku called Elastic Beanstalk. They also provide virtual machines called EC2 instances. Deploying an app in this manner is a little more cumbersome.

1. Create EC2 instance
2. Access EC2 instance through SSH (using PEM/PPK file)
3. Download and Install node on the instance
4. Clone repository (from version control like GitHub)
5. Install app dependencies
6. Run the app in the node runtime
7. Expose ports on the instance for public access

Choose AWS when you need infrastructure flexibility and understand DevOps. It is also the cheaper option as the app grows in complexity and use. Choose Heroku for smaller projects or when you don't want to deal with DevOps.

↑ Top

Security

Dependencies

Don’t use deprecated or vulnerable versions of your dependencies. Use npm audit fix to scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies. Alternatively, use Snyk.io.

SSL/TLS Certificate

In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) to encrypt data before it is sent from the client to the server, thus preventing some common hacks (Man in the middle). HTTPS is based on public/private-key cryptography. This means that there is a key pair: The public key is used for encryption and the secret private key is required for decryption. A website certificate is a public key with a label identifying the owner. when your browser connects to an HTTPS server, the server will answer with its certificate. The browser checks if the certificate is valid and signed by a trusted certification authority. After the verification, the browser extracts the public key and uses it to encrypt information it sends back to the server. The server can decrypt it because the server has the matching private key.

Set security related HTTP headers

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. These have to be set explicitly on the header.

There are many other security related headers. Use a middleware function like Helmet to set these for you.

Learn common vulnerabilities

• Cross-site scripting (XSS) - enables attackers to inject client-side scripts into web pages viewed by other users.
• SQL injection - nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)
• Cross-Site Request Forgery (CSRF) - unauthorized commands are transmitted from a user that the web application trusts.
• Distributed Denial-of-service attack (DDoS) - flooding the server or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Secure development environments as well

• Successful key management - involves dealing with the generation, exchange, storage, use, destruction and replacement of keys. It is the more challenging side of cryptography as it involves aspects of social engineering, system policy, user training, organizational and departmental interactions, and coordination between all of these elements.
• Principle of least privilege - Every process, user, or program must be able to access only the information and resources that are necessary for its legitimate purpose and nothing more. This especially applies in teams of developers.
• Use VPN - encrypt data if using unsecured or untrustworthy networks vulnerable to packet sniffing and man-in-the-middle attacks.
• Monitor system - Check open ports and unrecognized running processes

↑ Top