Security when sending and taking data from a URL

Viewed 416 times

3

Hello, I'm learning development and I don't know much about security. I'm making a web application using Node.js + Express.js + AngularJS + MongoDB. I did it this way: the MongoDB data is sent to a URL using the POST method, and then I "access" this data with AngularJS and show it on the screen. I would like to know how unsafe this is. The code follows:

First I created a Schema from my Mongodb collection:

var mongoose = require('mongoose');
var Schema = mongoose.Schema;

// Fields stored per user; CPF is the Brazilian taxpayer ID, kept as a string
var userSchema = new Schema({
    nome: String,   // name
    idade: Number,  // age
    CPF: String,
    email: String
});

var User = mongoose.model('User' , userSchema );

module.exports = User;

Then I imported this schema in another file, created a URL and served the data using the POST method:

var express = require('express');
var router = express.Router();
var mongoose = require('mongoose');
var User = require('../models/users');

// If this were router.get, the data would be shown at the URL localhost/api/users,
// so I used router.post
router.post('/api/users', function(req, res, next){
  User.find(function(err, users){
    if (err) return next(err); // hand database errors to Express's error handler
    res.json(users);
  });
});

module.exports = router;

Finally, I fetched the data from that URL and displayed it on the screen with AngularJS:

app.controller("RBScontroller", function ($scope, $http) {

    $scope.enviar = function enviar(){

        var ApiMongo = 'http://localhost:3000/api/users';
        $scope.users = [];
        $scope.loading = true;      

        // .then/.catch instead of the deprecated .success/.error (removed in AngularJS 1.6)
        $http.post(ApiMongo).then(function(response) {
            console.log(response.data);
            $scope.users = response.data;
            $scope.loading = false;

        }).catch(function(response) {

            alert("Fail");
            $scope.loading = false;
        });
    }   
});

Does this method leave the data exposed in any way? Thank you

1 answer

1


User data is exposed through the concept of an API. Express queries the database (in this case MongoDB, through Mongoose) and returns the result via a REST call with Express.

This information can be protected with authentication; it may be whichever you prefer, such as Basic Authentication or OAuth. This protects your information by preventing people without a token from accessing it. To do this you need to create an /api/token if using OAuth. In the case of Basic Auth, just use HTTP authentication.

The interesting thing about having an API is access by other applications. Say, for example, that in your case you want to develop a native mobile application and query the user data: it just accesses /api/users.

TL;DR: Yes, it is exposed, and for that you need to implement authentication for each query to the data.
