So I've seen this answer Using NodeJs with Firebase - Security that talks about syncing NodeJS with the Firebase data structure.
I don't use NodeJS (being a Railo/Coldfusion developer) and was wondering if something like this is possible outside of NodeJS? Through java or maybe just using REST endpoints. Or do I have to use the original solution in the above link of separately updating the data in my webserver.
Another way of wording it is; can I make a round trip from firebase to an HTTP server that isn't nodeJS?
EDIT: To clarify, exactly what I wanted to do was have a email webservice post to the REST API of Firebase, then firebase post that to an URL on my external railo server as my users need to know when the email arrives but the server just needs to make sure it stores it.
As I understand it my best bet is to get the email webservice to post to the URL on my railo server which then posts to the REST API on firebase.
Yes you can.
Firebase does not have a Coldfusion client library, so you need to use the REST APIs. You can use the REST API to read / write Firebase data from your server code.
The one thing you'll be missing is the notifications when data changes. With the node.js client, you can subscribe for updates to data but there's no way to do that from a REST API.
So if you need to know when Firebase data changes, and you're using REST, you'll have to poll the data periodically.
(Note: This is mostly copied #Michael's answer in the comments)
Related
I am trying to send HTTPS Post Request from GCP to Segment.io
I want to create a service that will read data from BigQuery table and then send calls directly to Segment.io API (link) from where I'll redirect the data to other destinations, but on the GCP site I'm struggling to find the most optimal way to do it. Cloud Run seems like a good option but I'm wondering if there might be an easier way?
The recommended products to be used for this task can be either Cloud Run or Cloud Functions.
You can either use the Client Libraries or API in order to extract the data from the BigQuery table and use any HTTP request library of your favorite programming language to issue the POST request to the Segment.io API.
I am new to eJabberd, after setting up the server and be able to send messages between users I want to be able to create rooms from our backend server (not from our clients).
I read this article:
https://docs.ejabberd.im/developer/ejabberd-api/oauth/
But I did not understand how can I use the api from our server side (for example, to automatically create rooms for our users), how can I obtain a token for the server to use the API?
Thanks.
You should consider using mod_rest - http interface to post data to ejabberd. You can read more about configuration & examples here.
Do consider adding some restrictions so that only your server can use the http interface.
I have a web-service which is used to create entries in the Database hosted by GoDaddy and the web-service are written in .net and this web-service or url will be only used in the Mobile Platforms like IOS and Android.
Now I have few questions?
1>How can I secure my URL(web-service) and its content from getting exposed?
Currently I have used post method so that I can hide the parameters but still I fear the URL might be hacked so please suggest a way to secure.
2>Regarding the contents I want to encrypt the data and send to server and in server side it will be decrypted .
Now please suggest me an algorithm or code which can be used across platform like IOS,Android , .Net
Thanks and Regards,
Anil
Use HTTPS
Use login/password auth (no access at all without login and
password)
This is a similar situation to the one raised in this question:
Javascript Calling a Rest API with App Name and App Password - How Can i Secure it
Here is the architecture overview:
The site is Html5/jquerymobile
It contacts what I call a "Wrapper" service.... This is a REST API I wrote in C#, to contact another 3rd party REST API. I do this because there are credentials in the Header and the API uses Basic Authentication. Credentials are therefore not publicized as they are only known server-side.
My "Wrapper" service does not currently implement any additional security. It is currently accessible from anywhere. The easiest and quickest way to lock it down is to restrict by IP, so no other IP anywhere except the server can actually contact my wrapper service.
The questions:
Is the locking by IP the only way to ensure that the API won't get hammered if it was otherwise accessible from anywhere?
If I convert this using Phonegap (which I have... and deployed successfully on Android), obviously the native app won't work if the web service is restricted.
Is there a way around this so I can allow traffic only from the mobile app, and not from any other source? I'm thinking along the lines of MD5 hash or something that could be sent to the wrapper API.. but unfortunately I'm thinking that info can easily be "sniffed".
Is my only viable option here to release the app as a web app, forcing browser use, thereby removing any concerns about allowing my web service to be hammered??
I believe the answer to this is a combination of a user token and encrypting the message through SSL.
The server can issue a valid user a token so we can identify him in future requests.
Encrypting it via SSL will ensure that this token cannot be sniffed.
https://security.stackexchange.com/questions/12531/ssl-with-get-and-post
We currently have a SOAP based web service that our in house applications use to authenticate users. Basically, they send a SOAP request with the username and password. The web service authenticates their credentials against our data store and returns user information if the authentication is successful. The web service is secured using BASIC authentication and SSL.
We need to make modifications to this web service and I was considering re-writing it as a REST service. The REST services I have created in the past have been fairly simple and had no need for security. I have never created a REST service that used sensitive information, so I have a couple of questions / concerns:
First, is there a best practice for sending sensitive query parameters (user credentials) to a REST service securely? I can still use the BASIC authentication and SSL.
Second, if I send a query to a REST service using POST, is it still considered RESTful, or is GET required for REST queries?
You can use SSL and Basic authentication with REST web services as well.
HTTP GET is usually used for data retrieval (queries) but you can use HTTP POST as well. GET is especially useful if you can use any type of HTTP caching. POST is usefull if you need to transfer a lot of data to define your query or if your web service operation expects some complex data format instead of simple arguments.
Instead of doing the authentication via REST, you might also consider a networked authentication protocol to use in conjunction with web services. Technologies like Kerberos and OAuth were designed for these sorts of use cases.
To answer your questions, however:
REST encourages you to leverage HTTP and related protocols, so using SSL and BASIC authentication is quite appropriate.
REST encourages the use of not just GET and POST, but even other HTTP "verbs" such as PUT and DELETE. Use GET only for idempotent operations with no side-effects.
Going from SOAP to REST is taking a step backward as far as security goes.
As far as best practices:
Don't roll your own security. Use a framework or existing library that has been peer-reviewed and tested.
Don't pass unencrypted static keys. If you're using HTTP Basic and sending it across the wire, encrypt it.
Ideally, use hash-based message authentication code (HMAC) because it's the most secure.
Why REST security doesn't exist