Has anyone solved RemoteDB security problems? #51

Closed
tahooki opened this issue Jun 21, 2018 · 3 comments
tahooki commented Jun 21, 2018

I want to use Minimongo.

Exposing remoteURL and connectionID on the client seems to be a security problem.

So it's hard to use it as a security issue.

Has anyone solved RemoteDB security problems?

I want you to let me know if you have a good idea ...


lopugit commented Apr 23, 2019

The only way is to rethink the way you do data storage using encryption and permission middleware.

@yanickrochon

Or you can provide your own httpClient passing CORS options like credentials: 'include', then implement a session-based HTTP proxy to your database.


FROGGS commented Jul 13, 2022

This entire project is client-side code. You cannot trust anything happening here, so this is not just about exposing a URL or connection ID. (I wonder how you want to hide anything browser-related from a user.)

What I did is implement proper security (authentication via JWT basically and authorisation on collections and their methods) on the server side. That is the service hosting the API minimongo is talking to.

Then, because I'm using Angular, I had to write a tiny wrapper so minimongo is using my httpClient, which is configured to send cookies to the api-server.

My client-side code looks somewhat like this, though I additionally have an interceptor that sets the withCredentials option for every outgoing HTTP request to my backends.

```typescript
import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import * as minimongo from 'minimongo';

// This is just a logging helper to get started.
const log = (name: string) => ((...args: any[]) => console.log(name, args));

// Set up local, remote and hybrid databases
const IndexedDb = new minimongo.IndexedDb({}, log('IndexedDb success'), log('IndexedDb error'));
const RemoteDb  = new minimongo.RemoteDb('https://url.to.my.backend/api/');
const HybridDb  = new minimongo.HybridDb(IndexedDb, RemoteDb);

// My data service
@Injectable({
  providedIn: 'root'
})
export class FoobarDataService {
  constructor(
    private http: HttpClient,
  ) {
    // Mimic the interface that minimongo expects.
    const httpClient = (method: string, url: string, params: any, body: any, success: () => any, error: () => any) => {
      this.http.request(method, url, { body: body, params: params }).subscribe(success, error);
    };
    // Route all of minimongo's remote calls through Angular's HttpClient (and its interceptors).
    RemoteDb.httpClient = httpClient;
    IndexedDb.addCollection('foobar', log('IndexedDb.addCollection success'), log('IndexedDb.addCollection error'));
    RemoteDb.addCollection('foobar', {}, log('RemoteDb.addCollection success'), log('RemoteDb.addCollection error'));
    HybridDb.addCollection('foobar', log('HybridDb.addCollection success'), log('HybridDb.addCollection error'));
  }
}
```
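
An added example, not part of the comment above or of the minimongo project: one way the server-side authorisation on collections and their methods could look, in plain JavaScript for a Node.js API server, with deny-by-default routing and a server-enforced ownership filter. The policy table, role names, route shape (`<collection>` or `<collection>/<id>`), the JSON selector parameter and the `owner` field are assumptions.

```javascript
// Added example: deny-by-default authorization for a minimongo-style REST API.
// POLICY, the role names, the route shape and the `owner` field are assumptions.
const POLICY = {
  // collection -> operation -> roles allowed to perform it
  foobar: { find: ['user', 'admin'], upsert: ['user', 'admin'], remove: ['admin'] },
};
const OPS = { GET: 'find', POST: 'upsert', PATCH: 'upsert', DELETE: 'remove' };
// MongoDB operators that run JavaScript on the server; never accept them from a client.
const FORBIDDEN_KEYS = new Set(['$where', '$function', '$accumulator']);

// Own-property lookup, so names like "__proto__" or "constructor" never match.
const own = (obj, key) =>
  Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

// True if any (nested) key of a client-supplied selector is forbidden.
function hasForbiddenKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, inner]) => FORBIDDEN_KEYS.has(key) || hasForbiddenKey(inner));
}

// claims: payload of a JWT whose signature and expiry were already verified.
// path: request path below the API base, e.g. "foobar" or "foobar/<id>".
// rawSelector: the JSON selector string sent by the client for a find, if any.
function authorize(claims, method, path, rawSelector) {
  const deny = (reason) => ({ allow: false, reason });
  if (!claims || typeof claims.sub !== 'string') return deny('unauthenticated');
  const [collection, id, ...rest] = String(path).split('/');
  const op = own(OPS, method);
  const rules = own(POLICY, collection);
  if (!op || !rules || rest.length > 0) return deny('unknown route');
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!(own(rules, op) || []).some((role) => roles.includes(role))) return deny('forbidden');

  let selector = {};
  if (op === 'find' && rawSelector) {
    try { selector = JSON.parse(rawSelector); } catch (e) { return deny('bad selector'); }
    if (selector === null || typeof selector !== 'object' || Array.isArray(selector)) {
      return deny('bad selector');
    }
    if (hasForbiddenKey(selector)) return deny('forbidden operator');
  }
  if (id) selector = { $and: [selector, { _id: id }] };
  // Non-admins are confined to their own documents, whatever selector they sent.
  if (!roles.includes('admin')) selector = { $and: [selector, { owner: claims.sub }] };
  return { allow: true, op, collection, selector };
}
```

For upserts the server also has to set `owner` itself from `claims.sub` rather than accept it from the request body.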

@tahooki tahooki closed this as completed Dec 19, 2023