Server programming

Notes for a course at Linnaeus University: https://coursepress.lnu.se/kurs/serverbaserad-webbprogrammering/

Introduction

After the course you should be able to:

Describe the task of a web server in different kinds of web applications.
Describe the purpose of the HTTP protocol in different types of web applications and their pros and cons in this context.
Use the Node.js platform and Express.js web application framework to build web applications.
Develope a create, read, update, delete (CRUD) web application using MongoDB to manage data persistence.
Describe and have a practical understanding of different security problems that can occur in web applications.
Create web applications with, for the context, suitable architecture.
Create server-based real-time applications.
Plan and perform the publishing of web applications created for the Node.js platform in the production environment.

The course is divided into three parts

Part 1: Node.js, web servers, HTTP
Part 2: Backend web application, web security, web architecture
Part 3: Real-time application, publishing, and production

Recommended literature:

Chapter 17 and 20 of Eliquent JavaScript
Web Development with Node &Express, Ethan Brown

Node.js, npm
GitHub and GitLab!
Visual Studio Code or other IDE of your choice
Linting, ESLint
JSDoc, Document This

The Node platform

Node.js is not a web server nor a framework.

V8, Google chrome javascript engine, an event loop, and a low-level I/O API (libuv)

Small modules, doing one thing well, is the philosophy.

ECMAScript modules

Single threaded event-driven architecture.

Event-driven programming:

Callbacks
Promises
Async/Await
Event Emitters. Create your own events. Listen for multiple triggers of events

Blocking or CPU-intensive code is not suitable for Node.js.

The cluster module allows easy creation of child processes that all share server ports.

npm install # installs all dependencies in package.json

yarn is an alternative to npm.

npm install mocha --save-dev

https://www.gitignore.io/

Use npx to execute a module (and install it temporarily)

Semantic Versioning (semver) major.minor.patch. Use * for latest.

The package-lock.json file describes the dependency tree and should be committed.

Web servers

Different server services conventionally use certain ports.

Web servers are software that handles and understands HTTP/HTTPS request/response. Listen default on port 80 (HTTP) or port 443 (HTTPS)

Apache. The A in LAMP-stack (Linux, Apache, MySQL, PHP)
Nginx. Uses an asynchronous event-driven approach to handling requests
IIS for Windows server (Internet Information Services). .NET
Apache Tomcat. A Java servlet, HTTP Connector, JSP engine. A Java servlet is a Java program that extends the capabilities of a server.
Node.js. A platform! Create a web server through code (APIs)!

Apache:

Most used web server.
Open source.
Launched in 1995.
Every request spawns a process stored in a thread pool.
Dynamic Modules: mod_access, mod_auth, mod_rewrite
.htaccess

Nginx is a lightweight server commonly used as proxy or load balancer.



 const http = require('http');

 const PORT = 8080;

 

  http.createServer((req, res) => {

   res.writeHead(200);

   res.end('Hello world\n');

 }).listen(PORT);

Different kind of servers in a web environment

Reverse proxy. Acts as a firewall and hides the origin.
Load balancer. Spread requests to several servers.
Cache server
Application server. Not limited to HTTP.
Virtual hosting. Multiple domain names.

Domain name servers (DNS) translate domain names to IPs like 194.47.110.87 and 2001:6b0:52:4000::5:5

The browser sends a TCP/IP packet, the server sends back a reply for example on port 62365.

HTTP

Stateless, securityless.

Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C)

HTTP messages have headers.

GET Get data; search result safe, idempotent
POST Create data unsafe, not idempotent
PUT Update data unsafe, idempotent
PATCH Partial update of resource unsafe, not idempotent
DELETE Delete a resource unsafe, idempotent
HEAD Just get headers safe, idempotent
OPTIONS Check what the server can do safe, idempotent

Status codes:

1xx - Informational. 101 Switching Protocols
2xx - Successful. 200 OK, 201 Created, 204 No Content
3xx - Redirection. 302 Found (follow "Location"), 304 Not Modified
4xx - Client Error. 400 Bad request, 401 Unauthorized, 403 Forbidden
5xx - Server Error. 500 Internal Server Error

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Status code cats.

The server should use gzip on text files > 1-2 Kb

Do not trust client ID, nor server ID, neither a human. Filter out crawlers in logs.

Set-Cookie: PHPSESSID=1p0sptqdupf47lefnti1j1fg40 Path=/admin

expires:Wed, 30 Jan 2019 14:00:00 GMT
cache-control: public, max-age=86400
cache-control: private, max-age=0, no-cache
ETag

HTTP/2

Multiplexing - one single TCP connection for many request
Server push (not as in Web Sockets)
Data Compression of HTTP Headers
Binary data streams
Priority flags

Web Architecture



 const http = require('http')

 

 const server = http.createServer((req, res) => {

   res.setHeader('Content-Type', 'text/plain')

   res.end('hello, world\n')

 })

 

 server.listen(8000, () => console.log('Server running at http://localhost:8000/'))



 http.createServer((req, res) => {

   const path = req.url.replace(/\/?(?:\?.*)?$/, '').toLowerCase()

 

   switch (path) {

     case '':

       res.setHeader('Content-Type', 'text/plain')

       res.end('Homepage')

       break

 

     case '/about':

       res.setHeader('Content-Type', 'text/plain')

       res.end('About')

       break

 

     default:

       res.setHeader('Content-Type', 'text/plain')

       res.statusCode = 404

       res.end('Not Found')

       break

   }

 }).listen(8000, () => console.log('Server running at http://localhost:8000/'))

MEAN full stack JavaScript: MongoDB, Express, Angular, Node.js

Handlebars view engine.

Backend frameworks:

Express, https://expressjs.com/
Meteor, https://www.meteor.com/
Sails (built on Express), https://sailsjs.com/
Feathers (built on Express), https://feathersjs.com/
Fastify, https://www.fastify.io

Express is inspired by Sinatra, a web application framework in Ruby, and intertwined with Connect, a pluggable Node module that can handle web requests (a.k.a. "middleware")



 const express = require('express')

 const app = express()

 

 app.get('/', (req, res) => res.send('Homepage'))

 app.get('/about', (req, res) => res.send('About'))

 

 app.listen(8000, () => console.log('Server running at http://localhost:8000/'))

The directory structure can be

app.js is the applications entry point.
Routes are stored in separate modules under the routes/ directory.
Controllers are stored under the controllers/ directory.
View templates are stored under the views/ directory.
Static files are stored under the public/ directory.

or something else.

express-hbs: Express handlebars template engine.
moment: Manage dates.
morgan: HTTP request logger.
nodemon: Automatically restarts the application when file changes.

Middleware functions are functions that have access to the request object (req), the response object (res), and the next middleware function in the application’s request-response cycle.

Application-level: app.use() and app.METHOD(), (req, res, next)).
Router-level: same as application-level (use express.Router()).
Error-handling: an error-handling middleware function has four parameters, (err, req, res, next)).
Built-in: express.static, express.urlencoded
Third-party: Add functionality.

router.get and router.post and app.use('/home', require('./routes/homeRouter'))

Controller functions render an HTML page using a template engine, res.render(view [, locals]) renders a view and sends the HTML string to the client.

Template engines: Pug, Mustache, EJS and express-hbs

Persistent data

MongoDB and Mongoose. Web sessions and flash messages.

Create, read, update and delete (CRUD) are the four basic function of persistent storage.

How to store application data at the server side?

Data stored in the memory is non-persistent (data is erased when the power is turned off).
Filesystem persistence? Hard to work with, performance, doesn't scale well.
Database persistence? Oracle, SQL Server, MySQL, MariaDB, PostgreSQL, MongoDB
Cloud persistence? mongodb.com (DBaaS, Database-as-a-Service), AWS, Azure, Google Cloud

Relational database management systems (RDBMS) organizes data into tables with columns and rows with Structured Query Language (SQL).

NoSQL databases like MongoDB and Firebase are like big maps where incomplete documents can be easily stored and extended during development without time consuming database migrations.

MongoDB is open-source and derives from the word humongous. Stores JSON-like documents.

The mongoose.connect method returns a Promise, mongodb+srv://:@.mongodb.net/?retryWrites=true&w=majority, listen for connection events: connected, error, disconnected.

Close the Mongoose connection when the Node process ends.



 const shoeSchema = new mongoose.Schema({

   name: { type: String, required: true},

   size: { type: Number, required: true, min: 15, max: 47 }

 })

The lowercase name of the collection will automatically be the plural version of the model's name. const Shoe = new mongoose.model('Shoe', shoeSchema) const myShoe = new Shoe();

The module (Task.js) resides in the models directory.

/tasks
/tasks/:id
/tasks/new
/tasks/create
/tasks/:id/edit
/tasks/:id/update
/tasks/:id/remove
/tasks/:id/delete



 router.get('/:id/edit', tasksController.edit)

 router.post'/:id/update', tasksController.update)

The captured values are populated in the req.params object, with the name of the route parameter specified in the path as their respective keys.



 const task = new Task({

   description: req.body.description,

   done: req.body.done

 })

 await task.save()

Use Task.find, and pass an empty object, to find all documents in a collection. It's good practice to transform the documents into anonymous objects before passing the data to the view.

Use Task.updateOne (deleteOne) with { _id: req.body.id } to update a document in the database.

A session cookie keeps users logged in.

Secure JSON Web Token

Redis is an in-memory database alternative to MongoDB.

The default server-side session storage MemoryStorage is not for production.

Session variables are just properties of the request object's session property: req.session.name = 'Ada'

To avoid "double posting" if a form page is refreshed return a redirect command instead of a view directly, the Post/Redirect/Get (PRG) pattern.

Whenever you redirect someone on your website it is a good idea to use a flash message to let them know that what they just did worked or not. The flash message should survive only a round trip. Use a session variable to save the message and delete the message on the next request.

req.session.flash = { type: 'success', text: 'The requested action was completed.' }

Access Control

Authentication and authorization.

Use cookie session id (stored on server), JWT (not stored) or a third-party like OpenId Connect or SAML.

If authorization fails 403 is the default status code however for security one can reply with 404 (or 418) to hide the fact that the server has the requested resource.

Passwords should be stored in an hashed format using strong cryptographic algorithms (Argon2, bcrypt, scrypt). Prevent rainbow table attacks with salt.

It is not sufficient to simply hide the delete button at the client from a user that are not allowed to delete something at the server. It is safer to prevent access by default and override any requests that do not require permission.

Salt and hash password using bcryptjs.

Applying the principle of separation of concerns is a good idea by adding static methods to the Mongoose schema to register users.



 const userSchema = new mongoose.Schema({

   username: {

     type: String,

     required: true,

     unique: true

   },

   password: {

     type: String,

     required: true,

     minlength: [10, 'The password must contain 10 characters.']

   }

 }, {

   timestamps: true,

   versionKey: false

 })

Using a pre hook you can execute code after the validation and before the data is written to the database. You must call .pre before compiling the model: userSchema.pre('save', async function () { this.password = await bcrypt.hash(this.password, 8) }) 8 is the cost: 2^8 iterations of the key derivation function are used (some recommend a cost of 12 or more).

The user submits a login form and the credentials are compared with the data in the database.
Create a new session cookie, store user data in session store, and redirect.
If the authentication fails show a custom flash error message or send the status code 401 Unauthorized.
Applying the principle of separation of concerns is a good idea by adding static methods to the Mongoose schema to authenticate users.
Do not forget to give the user a possibility to log off!



 userSchema.statics.authenticate = async function (username, password) {

   const user = await this.findOne({ username })

   if (!user || !(await bcrypt.compare(password, user.password))) {

     throw new Error('Invalid login attempt.')

   }

   return user

 }

When defining a route you can provide multiple callbacks. You can use this mechanism to authorize the requested resource.

Web Security

OWASP (WSTG)
XSS, CSRF, Injection
TLS Certificates
Denial of Service (DOS, DDOS)

The application must always assume that all input is potentially malicious

Open Web Application Security Project

Web Security Testing Guide (WSTG)

XSS, Cross-Site Scripting. The attacker get the application to send unsanitized data (code) to client. Attackers can execute script on client to: Steal cookies (Session hijacking) and do key logging or phishing (Fake login)

Always validate/sanitize user submitted text, FIEO (filter input, escape output), encode characters like < and > etc.

https://github.com/YahooArchive/xss-filters

Content Security Policy (CSP)

Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!

CSRF, Cross-Site Request Forgery (pronounced sea-surf). Forces a client to make an unwanted request to a web application in which the user currently is authenticated.

Protect with Synchronized Token pattern (STP)

Check that the request is made by our client
Include a token in forms (and/or in meta tag)
Must be unique for each request



 <form action="/account" method="post">

   <input type="hidden" name="_csrf" value="HvtsC1Ka-yq1Q2KPAu_Yh_H8F4vJEYfMIlBQ" />

 </form>

https://github.com/expressjs/csurf

Same-site cookie (new)

Injections: Manipulate the query to the database through HTTP requests

Handle all input as strings

Third party modules can be security issues, npm audit scans for vulnerabilities and automatically runs with npm install. Snyk.io has more features.

TLS(SSL) + HTTP = HTTPS. Always use HTTPS in production.

https://letsencrypt.org/

In development we can create our own self-signed certificate

Domain Validation (DV), Organization Validation (OV), Extended Validation (EV)

Asymmetric (public-key encryption)

A public key is used to encrypt a messages
A private key is used to decrypt the message
The part that only have the public key can only encrypt the message
Only the part with the private key can decrypt

A good article about different types of XSS attacks

OWASP, The Open Web Application Security Project, produces (every three year) a report presenting the 10 most common attacks against web application. This is a must read for every web developer. You should read the report to point A10 (page 16).

Real-time

Hard – missing a deadline is a total system failure.
Firm – infrequent deadline misses are tolerable, but may degrade the system's quality of service. The usefulness of a result is zero after its deadline.
Soft – the usefulness of a result degrades after its deadline, thereby degrading the system's quality of service.

Web of things: Devices communicating in realtime

Examination 3: Create an application that checks issues in your repository. Fetch issue with Web API, monitor events with web hooks. OAuth.

"Flash Player has been deprecated and has an official end-of-life at the end of 2020"

Comet (umbrella term): Persistent HTTP connections, Domain sharding, Long-lived hidden iframe, XHR long polling, XHR streaming.

Server-sent events: Not implemented by microsoft.

Go WebSockets!

Long polling is mostly only for compatibility with old browsers.

Websockets connect on HTTP(S), Upgrade to ws:// or wss://

Use Content Security Policy

Challenges with web sockets:

Browser support, fallback strategies.
Concurrency, synchronization, fault tolerance.
Offline, Queue-strategies

P2P (peer to peer): http://www.html5rocks.com/en/tutorials/webrtc/basics/

Web hooks, server to server: tell me when event A happens.

Real time fundamentals blog series.

Production

Bringing your node.js web application to production

Bringing your work to the people

https://github.com/CS-LNU-Learning-Objects/linux

Process manager PM2



  #!/bin/bash

 

 echo "Generating self-signed certificates..."

 mkdir -p ./config/sslcerts

 openssl genrsa -out ./config/sslcerts/key.pem 4096

 openssl req -new -key ./config/sslcerts/key.pem -out ./config/sslcerts/csr.pem

 openssl x509 -req -days 365 -in ./config/sslcerts/csr.pem -signkey ./config/sslcerts/key.pem -out ./config/sslcerts/cert.pem

 rm ./config/sslcerts/csr.pem

 chmod 600 ./config/sslcerts/key.pem ./config/sslcerts/cert.pem

How To Set Up Automatic Deployment with Git with a VPS

Next page.

Updated on 2020-08-07.