🪴 TJ's Notes 1.0

COMMS Backend

4 min read

No, using this JavaScript file as-is in a frontend environment (e.g., directly in a website’s client-side code) to access the database is not secure. Here’s why and how to approach it securely.

Why It’s Not Secure to Use This File in the Client-Side Code

  1. Exposes Database Credentials: This code includes sensitive database credentials (host, user, password). If you include it in the frontend, anyone can view this information through browser developer tools or by inspecting the network requests. This would allow anyone to connect directly to your database, posing a major security risk.

  2. Direct Database Access from Client: Allowing client-side code to interact directly with a database is unsafe. It exposes your database to unauthorized access, SQL injection attacks, and data manipulation. Typically, a database should only be accessed from a secure server environment.

  3. Uncontrolled Database Operations: Using this approach, any user on the client side could potentially modify data in the database (e.g., adding, updating, or deleting sessions). This would be highly vulnerable to abuse and accidental or intentional data corruption.

How to Use This Code Securely

To use this code securely, run it server-side and communicate with the database through a backend API. Here’s a secure approach:

  1. Move the Code to a Backend Environment:

    • Run this JavaScript code on a backend server, such as Node.js running on Express or a similar framework. This way, the code remains hidden from the client and is executed on the server.

  2. Create a REST API:

    • Set up a REST API that allows the frontend to make requests (e.g., using fetch or Axios) to interact with the database through predefined endpoints. For instance:
      • POST /sessions to create a session
      • GET /sessions/:id to retrieve session details
      • PUT /sessions/:id to update session details
      • DELETE /sessions/:id to delete a session
    • These endpoints control and validate what data the client can send and receive.

  3. Add Authentication and Authorization:

    • Secure your API by implementing authentication (e.g., JWT tokens, OAuth). This ensures that only authenticated users can access the API and make changes to the database.
    • Implement authorization checks (e.g., only admins can update settings or delete sessions).

  4. Sanitize and Validate Input:

    • To protect against SQL injection, validate and sanitize all incoming data. The mysql2/promise library used here provides prepared statements, which help prevent SQL injection by properly escaping input parameters.

  5. Securely Handle Environment Variables:

    • Store sensitive credentials (host, user, password) in environment variables, not hard-coded in the codebase. Use a package like dotenv to load these securely from a .env file.

Example of Moving to a Server-Side REST API

Here’s a basic outline of how you can set up this code in a secure backend API using Express:

  1. Install Dependencies:

    npm install express mysql2 dotenv

  2. Setup Environment Variables in .env:

    DB_HOST=localhost
DB_USER=root
DB_PASSWORD=Tarnished@314
DB_NAME=sessions_db

  3. Create the Backend API (server.js):

    require('dotenv').config();
const express = require('express');
const mysql = require('mysql2/promise');
const SessionId = require('./SessionId'); // Assuming this is your session class file
 
const app = express();
app.use(express.json()); // Parse JSON requests
 
// API endpoint to create a session
app.post('/sessions', async (req, res) => {
    try {
        const { sessionCode, user } = req.body;
        const session = new SessionId(sessionCode, user);
        await session.initDb();
        await session.checkAndCreateSession(user);
        res.status(201).json({ message: 'Session created', sessionId: session.sessionId });
    } catch (error) {
        res.status(500).json({ error: 'Failed to create session' });
    }
});
 
// Add additional endpoints for retrieving, updating, and deleting sessions here...
 
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Server running on port ${PORT}`));

  4. Frontend Code to Interact with API: In your frontend, make requests to this API instead of directly accessing the database.

    async function createSession(sessionCode, user) {
    const response = await fetch('http://localhost:3000/sessions', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({ sessionCode, user })
    });
    const data = await response.json();
    console.log(data);
}
 
createSession('session123', 'username');

Summary

  • Don’t expose database code or credentials to the frontend.
  • Use a server-side API (e.g., Node.js with Express) to manage database interactions.
  • Implement authentication, validation, and authorization for secure data handling.
  • Store sensitive data (like passwords) in environment variables and never in the frontend code.

This approach ensures your application is secure and the database remains protected.

Graph View

Backlinks

  • No backlinks found