Security when sending and retrieving data from a URL

3

Hello, I am learning development and I do not know much about security. I'm building a web application using Node.js + Express.js + AngularJS + MongoDB. I did the following: the MongoDB data is sent to a URL using the POST method, and then I "access" that data with AngularJS and display it on the screen. I wonder how insecure this is. Here is the code:

First I created a Schema from my MongoDB collection:

var mongoose = require('mongoose');
var Schema = mongoose.Schema;

var userSchema = new Schema({
    nome: String,
    idade: Number,
    CPF: String,
    email: String
});

var User = mongoose.model('User' , userSchema );

module.exports = User;

Then I got this Schema in a file, created a URL and sent the data using the POST method:

var express = require('express');
var router = express.Router();
var mongoose = require('mongoose');
var User = require('../models/users');

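// If this were router.get, the data would be displayed at the URL localhost/api/users
// So I used router.post
router.post('/api/users', function(req, res, next){
  // Return every document in the users collection as JSON
  User.find(function(err, users){
    if (err) return next(err); // hand database errors to Express instead of ignoring them
    res.json(users);
  });
});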

module.exports = router;

Finally, I got the data from the URL and displayed it on the screen with Angular:

app.controller("RBScontroller", function ($scope, $http) {

    $scope.enviar = function enviar(){

        var ApiMongo = 'http://localhost:3000/api/users';
        $scope.users = [];
        $scope.loading = true;      

        $http.post(ApiMongo).success(function(data) {
            console.log(data);
            $scope.users = data;
            $scope.loading = false;             

        }).error(function(msg) {      

            angular.element($(function(){alert("Fail")}));
            $scope.loading = false;
        });
    }   
});

Does this method leave the data exposed in any way? Thanks

    
asked by anonymous 21.10.2015 / 18:11

1 answer

1

The user data is exposed through the concept of an API. Express queries the database, in this case MongoDB through Mongoose, and returns the result through a REST call.

This information can be protected with authentication; you can choose Basic Authentication or OAuth. This protects your information by preventing people without a token from accessing it. For this you need to create a /api/token if you use OAuth. In the case of Basic Auth, just use HTTP authentication.

The interesting thing about having an API is access by other applications. Say, for example, that in your case you want to develop a native application for mobile and query the user data: you can do so just by accessing /api/users.

TL;DR: Yes, it is exposed, and for this you need to implement authentication for each data query.

    
19.11.2015 / 18:43
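
The Basic Authentication option from the answer, as an added example (not code from the question or the answer): Express-style middleware that rejects a request before the `User.find` handler runs unless it carries valid credentials. The names `basicAuth`, `parseBasicAuth` and `safeEqual`, the realm string and the environment variable names are assumptions made for this illustration.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// Compare two strings without leaking where they differ. Hashing first gives
// timingSafeEqual the equal-length buffers it requires.
function safeEqual(a, b) {
  const ha = createHash('sha256').update(a).digest();
  const hb = createHash('sha256').update(b).digest();
  return timingSafeEqual(ha, hb);
}

// Parse "Authorization: Basic <base64(user:pass)>"; returns null if malformed.
function parseBasicAuth(header) {
  if (typeof header !== 'string') return null;
  const m = /^Basic ([A-Za-z0-9+\/]+={0,2})$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // only the first ':' separates user from password
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Middleware factory (hypothetical name). Expected credentials are supplied by
// the caller; a missing value fails closed at startup instead of matching anything.
function basicAuth(expectedUser, expectedPass) {
  if (!expectedUser || !expectedPass) {
    throw new Error('basicAuth: credentials not configured');
  }
  return function (req, res, next) {
    const creds = parseBasicAuth(req.headers && req.headers.authorization);
    // Run both comparisons even when one fails, so timing does not show which.
    const userOk = safeEqual(creds ? creds.user : '', expectedUser);
    const passOk = safeEqual(creds ? creds.pass : '', expectedPass);
    if (creds && userOk && passOk) return next();
    res.set('WWW-Authenticate', 'Basic realm="api"');
    return res.status(401).json({ error: 'authentication required' });
  };
}

// Wiring into the router from the question (Basic credentials are only
// base64-encoded, so the route must be served over HTTPS):
//   var auth = basicAuth(process.env.API_USER, process.env.API_PASS);
//   router.post('/api/users', auth, function (req, res, next) { ... });
```
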