Has anyone solved RemoteDB security problems?
Closed this issue · 3 comments
I want to use Minimongo.
Exposing remoteURL and connectionID on the client seems to be a security problem.
So it's hard to use because of this security issue.
Has anyone solved RemoteDB security problems?
I want you to let me know if you have a good idea ...
The only way is to rethink the way you do data storage using encryption and permission middleware.
Or you can provide your own httpClient, passing CORS options like credentials: 'include', then implement a session-based HTTP proxy to your database.
This entire project is client side code. You cannot trust anything happening here, so this is not just about exposing a URL or connection id. (I wonder how you do want to hide anything browser related from a user.)
What I did is implement proper security (authentication via JWT basically and authorisation on collections and their methods) on the server side. That is the service hosting the API minimongo is talking to.
Then, because I'm using Angular, I had to write a tiny wrapper so minimongo is using my httpClient, which is configured to send cookies to the api-server.
My client side code looks somewhat like this, though I additionally have an interceptor that sets the withCredentials option for every outgoing http request to my backends.
```ts
import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import * as minimongo from 'minimongo';

// This is just a logging helper to get started.
const log = (name: string) => ((...args: any[]) => console.log(name, args));

// Set up local, remote and hybrid database
const IndexedDb = new minimongo.IndexedDb({}, log('IndexedDb success'), log('IndexedDb error'));
const RemoteDb = new minimongo.RemoteDb('https://url.to.my.backend/api/');
const HybridDb = new minimongo.HybridDb(IndexedDb, RemoteDb);

// My data service
@Injectable({
  providedIn: 'root'
})
export class FoobarDataService {
  constructor(
    private http: HttpClient,
  ) {
    // Mimic the httpClient interface that minimongo expects:
    // (method, url, params, body, success, error).
    // Cookies reach the api-server because an interceptor (not shown)
    // sets withCredentials on every outgoing request.
    const httpClient = (method: string, url: string, params: any, body: any, success: (res: any) => any, error: (err: any) => any) => {
      this.http.request(method, url, { body: body, params: params }).subscribe(success, error);
    };
    RemoteDb.httpClient = httpClient;

    IndexedDb.addCollection('foobar', log('IndexedDb.addCollection success'), log('IndexedDb.addCollection error'));
    RemoteDb.addCollection('foobar', {}, log('RemoteDb.addCollection success'), log('RemoteDb.addCollection error'));
    HybridDb.addCollection('foobar', log('HybridDb.addCollection success'), log('HybridDb.addCollection error'));
  }
}
```
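The server-side half that both replies above rely on (a session-based gate in front of the database with per-collection, per-method authorisation) looks roughly like this. This is an added example, not code from minimongo or from the commenters; the `sid` cookie name, the roles, the policy table and the `/api/<collection>[/<id>]` URL layout are assumptions, and the session map stands in for a real session store or JWT verification.

```javascript
// Constructed policy: which session roles may use which HTTP method on which
// collection. Anything not listed here is denied (default deny).
const POLICY = {
  foobar:   { GET: ['user', 'admin'], POST: ['user', 'admin'], PATCH: ['user', 'admin'], DELETE: ['admin'] },
  auditlog: { GET: ['admin'] },
};

// Constructed session store keyed by the `sid` cookie value. In a real service
// this lookup is your session backend or JWT verification.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', role: 'user' }],
  ['sess-root',  { user: 'root',  role: 'admin' }],
]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolve the session from the request headers; null when absent or unknown.
function sessionFromHeaders(headers) {
  const sid = parseCookies(headers.cookie)['sid'];
  return (sid && SESSIONS.get(sid)) || null;
}

// Assumed RemoteDb URL layout: `<base><collection>` for find/upsert and
// `<base><collection>/<id>` for remove. Only the collection name matters here.
function collectionFromPath(pathname, base = '/api/') {
  if (!pathname.startsWith(base)) return null;
  return pathname.slice(base.length).split('/')[0] || null;
}

// Authorization gate to run before any request reaches the database.
// Returns an HTTP status, plus session and collection when allowed.
function authorize(headers, method, url) {
  const session = sessionFromHeaders(headers);
  if (!session) return { status: 401, reason: 'no valid session cookie' };
  const collection = collectionFromPath(new URL(url, 'http://localhost').pathname);
  if (!collection) return { status: 404, reason: 'not a collection URL' };
  const allowedRoles = (POLICY[collection] || {})[method.toUpperCase()] || [];
  if (!allowedRoles.includes(session.role)) {
    return { status: 403, reason: `role ${session.role} may not ${method} ${collection}` };
  }
  return { status: 200, session, collection };
}
```

Because the client is untrusted, the selector, the document body and the id in the URL must still be validated and scoped to `session.user` by the handler that runs after this gate.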