Security? #3

Closed
danesparza opened this issue Jul 4, 2015 · 2 comments
Comments

@danesparza

I had considered doing something like this as well -- but stopped when I realized that the RethinkDB is entirely exposed when creating an app like this. I couldn't think of a good way to lock down access to the database from people who wanted to insert / update information to their heart's content.

What are your thoughts on security?

@bkniffler

I think this is where @mikemintz's other library, rethinkdb-websocket-server, comes into play; you should maybe look at the example app. As far as I understood, the websocket server forwards requests to RethinkDB, being able to validate posted data (check if the userId of the document corresponds to the auth token's userId) and filter get data (filter by userId of documents).

Look at queryWhitelist within rethinkdb-websocket-server. I've found the syntax to be a bit confusing, but the idea of the whole system is fantastic!

```js
options.queryWhitelist = [
  // r.table('turtles').filter({herdId: curHerdId})
  RQ(
    RQ.FILTER(
      RQ.TABLE("turtles"),
      {"herdId": RQ.ref('herdId')}
    )
  ).opt("db", RQ.DB("test"))
  .validate(function(refs, session) {
    return session.curHerdId === refs.herdId;
  }),

  // r.table('turtles').insert({herdId: 'alpha-squadron', name: 'Speedy'})
  RQ(
    RQ.INSERT(
      RQ.TABLE("turtles"),
      {
        "herdId": RQ.ref('herdId'),
        "name": function(actual, refs, session) {
          return typeof actual === 'string' && actual.trim();
        },
      }
    )
  ).opt("db", RQ.DB("test"))
  .validate(function(refs) {
    var herdId = refs.herdId;
    if (typeof herdId !== 'string') return false;
    var validHerdQuery = r.table('herds').get(herdId).ne(null);
    return runQuery(validHerdQuery);
  }),
];
```

@mikemintz
Owner

@bkniffler is exactly right. In production, all incoming queries will be validated for security.

From rethinkdb-websocket-server:

> As you are developing, incoming queries that don't validate against the
> whitelist will be logged to console in a format that you can copy and paste
> directly into your JavaScript source file. For dynamic queries, you'll likely
> want to generalize the pattern using `function(actual, refs, session)` terms,
> `RQ.ref()` terms, and the `.validate()` method.

There may be other approaches to securing queries we can look into, as proposed in mikemintz/rethinkdb-websocket-server#1
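
The whitelist idea discussed in this thread, as an added stand-alone example; it is not code from rethinkdb-websocket-server or from any participant. The toy array-based query form and the names `ref`, `match`, `isAllowed` and `sameHerd` are assumptions, and the insert rule checks the session's herd instead of running the database lookup shown in the snippet above.

```javascript
// Added illustration, not rethinkdb-websocket-server's code. Queries are
// modelled as plain nested arrays/objects (an assumed toy form, not ReQL).
const ref = (name) => ({ __ref: name });

// Match `actual` against `pattern`, capturing ref() values into `refs`.
function match(pattern, actual, refs, session) {
  if (typeof pattern === 'function') return Boolean(pattern(actual, refs, session));
  if (pattern && pattern.__ref) {
    // A ref used twice must bind to the same value both times.
    if (pattern.__ref in refs) return refs[pattern.__ref] === actual;
    refs[pattern.__ref] = actual;
    return true;
  }
  if (Array.isArray(pattern)) {
    return Array.isArray(actual) && actual.length === pattern.length &&
      pattern.every((p, i) => match(p, actual[i], refs, session));
  }
  if (pattern && typeof pattern === 'object') {
    if (!actual || typeof actual !== 'object' || Array.isArray(actual)) return false;
    const keys = Object.keys(pattern);
    // Exact key set: an insert cannot carry fields the pattern does not list.
    return keys.length === Object.keys(actual).length && keys.every((k) =>
      Object.prototype.hasOwnProperty.call(actual, k) &&
      match(pattern[k], actual[k], refs, session));
  }
  return pattern === actual;
}

// Deny by default: allowed only if an entry matches and its validate() passes.
function isAllowed(whitelist, query, session) {
  return whitelist.some(({ pattern, validate }) => {
    const refs = Object.create(null);
    return match(pattern, query, refs, session) &&
      (!validate || validate(refs, session) === true);
  });
}

const sameHerd = (refs, session) => session.curHerdId === refs.herdId;
const whitelist = [
  { pattern: ['FILTER', ['TABLE', 'turtles'], { herdId: ref('herdId') }],
    validate: sameHerd },
  { pattern: ['INSERT', ['TABLE', 'turtles'], {
      herdId: ref('herdId'),
      name: (actual) => typeof actual === 'string' && actual.trim() !== '' }],
    validate: sameHerd },
];
// Constructed sample: a client authenticated for herd "alpha" asks for "bravo".
const session = { curHerdId: 'alpha' };
console.log(isAllowed(whitelist, ['FILTER', ['TABLE', 'turtles'], { herdId: 'bravo' }], session));
```

Anything that matches no entry, including a query against a table the whitelist never mentions, is refused without reaching the database.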
