angularjs – Security when sending and retrieving data from a URL

Question:

Hi, I'm learning development and I don't know much about security. I'm making a web application using Node.js + Express.js + AngularJS + MongoDB. I did it as follows: MongoDB data is sent to a URL using the POST method, and then I "access" this data with AngularJS and show it on screen. I wonder how unsafe this is. Here is the code:

First I created a Schema from my MongoDB collection:

var mongoose = require('mongoose');
var Schema = mongoose.Schema;

// One document per user in the MongoDB "users" collection
var userSchema = new Schema({
    nome: String,   // name
    idade: Number,  // age
    CPF: String,    // Brazilian taxpayer ID number
    email: String
});

var User = mongoose.model('User', userSchema);

module.exports = User;

Then I took this Schema into a file, created a URL and sent the data using the POST method:

var express = require('express');
var router = express.Router();
var mongoose = require('mongoose');
var User = require('../models/users');

// If this were router.get, the data would be displayed at the URL localhost/api/users,
// so I used router.post
router.post('/api/users', function(req, res, next){
  User.find(function(err, users){
    if (err) return next(err);   // hand database errors to Express's error handler
    res.json(users);
  });
});

module.exports = router;

Finally, I took the data from the URL and displayed it on the screen with Angular:

app.controller("RBScontroller", function ($scope, $http) {

    $scope.enviar = function enviar(){

        var ApiMongo = 'http://localhost:3000/api/users';
        $scope.users = [];
        $scope.loading = true;

        // .success()/.error() were removed in AngularJS 1.6; use the promise's .then() instead
        $http.post(ApiMongo).then(function(response) {
            console.log(response.data);
            $scope.users = response.data;
            $scope.loading = false;
        }, function(response) {
            alert("Fail");
            $scope.loading = false;
        });
    };
});

Does this method leave the data exposed in any way? Thanks

Answer:

User data is exposed through the API concept. Express queries the database, in this case MongoDB through Mongoose, and returns it through a REST call with Express.

This information can be protected with authentication, whichever you prefer, such as Basic Authentication or OAuth. This protects your information by preventing people without a token from accessing it. For this you need to create an /api/token route if you are going to use OAuth; in the case of Basic Auth just use HTTP authentication.

The interesting thing about having an API is access by other applications. Let's say, for example, that in your case you want to develop a native mobile application and query user data: it can do so just by accessing /api/users.

TL;DR: Yes, it is exposed, and for that you need to implement authentication for each data query.
