NextJS, how to inject an Authorization header before next.config rewrites happen? - microservices

I'm using NextJS to build our Frontend.
The NextJS API just provides basic checks and then redirects to the proper micro-services.
But I'm struggling to find the proper approach.
Since we are using Next 12, I think next.config rewrites are a nice fit, but I need to augment the request with an Authorization header before the rewrites happen.
Is that even possible?
Or perhaps there's a better solution for this case, which I think is a fairly common scenario: having a middle-end redirect to the proper API.
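One way to do the "middle-end" the question describes, as an added example that is not code from the question or from Next.js: a Next.js 12 API route acting as a thin back-end. The browser only holds an httpOnly session cookie; the server maps it to the upstream token, strips headers the micro-service must never see, and forwards. The service map, session store, cookie name `sid` and route location are assumptions made for this example.

```javascript
// Added example: "thin back-end" (BFF) proxy for a Next.js 12 API route.
// The pure core is separated from the Next.js handler so it can be tested stand-alone.
const UPSTREAMS = {                                   // constructed service map (assumption)
  orders: "http://orders.internal:8080",
  users: "http://users.internal:8080",
};
const SESSIONS = { "sess-123": "eyJ.upstream.jwt" }; // constructed stand-in for a session store
// Never forward these: the upstream must not see the browser cookie, a client-supplied
// Authorization header, or hop-by-hop headers.
const DROP = new Set(["cookie", "authorization", "host", "connection", "content-length", "transfer-encoding"]);

// incoming = { service, path, method, headers }. Returns the upstream request or an HTTP error code.
function buildUpstreamRequest(incoming, lookupToken = (id) => SESSIONS[id]) {
  const base = UPSTREAMS[incoming.service];
  if (!base) return { error: 404 };                   // only known services are reachable
  if (!incoming.path.startsWith("/") || incoming.path.includes("..")) return { error: 400 };
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(incoming.headers.cookie || "");
  const token = m && lookupToken(m[1]);
  if (!token) return { error: 401 };                  // no valid session: nothing is forwarded
  const headers = {};
  for (const [k, v] of Object.entries(incoming.headers)) {
    if (!DROP.has(k.toLowerCase())) headers[k.toLowerCase()] = v;
  }
  headers.authorization = `Bearer ${token}`;          // minted server-side, never taken from the client
  return { url: base + incoming.path, method: incoming.method, headers };
}

// Assumed location: pages/api/proxy/[service]/[...path].js, exported as the route's default
// handler. Relies on Next's default JSON body parsing, so the body is re-serialised as JSON.
async function handler(req, res) {
  const { service, path = [] } = req.query;
  const r = buildUpstreamRequest({ service, path: "/" + path.join("/"), method: req.method, headers: req.headers });
  if (r.error) return res.status(r.error).end();
  const hasBody = !["GET", "HEAD"].includes(req.method) && req.body !== undefined;
  const upstream = await fetch(r.url, { method: r.method, headers: r.headers, body: hasBody ? JSON.stringify(req.body) : undefined });
  res.status(upstream.status).send(Buffer.from(await upstream.arrayBuffer()));
}
```

Because the token is resolved from the server-side session on every call, a rewrite in next.config is no longer needed for authenticated routes; the browser never learns the upstream credential.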

Related

Does Gin support rewriting HTTP requests and forwarding them to specific API groups?

My team is going to refactor our gin http server to support routing by domain. For example, the old url for login is https://www.example.com/login, and the new url will be https://login.example.com/. I was going to rewrite http requests and forward them to the old /login group so that all the validations and middlewares, which are very complicated and messy, could be applied to the new style.
It seems there are no examples in the documentation.
I'd second the suggestion to use a reverse proxy (e.g. nginx, Caddy, etc) in front of your services to do the routing.
I can also understand if you would like to have a little more control over the routing; in that case you can use middlewares. The gin engine supports the use of middleware functions via routerInstance.Use(middlewareFunc).
A middleware is simply a function that returns gin.HandlerFunc. I found this set of examples on the Web: https://sosedoff.com/2014/12/21/gin-middleware.html

Use Ajax vs JSONP for cross domain data submission in sencha touch 2?

So I've done quite a bit of reading on stackoverflow and found a lot of questions about how to do cross-domain calls with either AJAX POST or JSONP. I know how to do it both ways, but let's do a reality check:
AJAX POST: if I use PhoneGap to compile the package, cross-domain calls are automatically available. Or an iframe wrapper etc. can be used to hack around the security constraint.
JSONP format: it's an HTTP GET, but I get cross-domain capability for free, as that's what JSONP is for. The data to be posted will be passed as a parameter value instead of being a payload as in an HTTP POST request.
Now my question is: is there a best practice/preferred way among the two? Pros and cons?
Personally I don't see a practical difference between the two, i.e. in a non-encrypted request, both POST and GET expose everything in clear text anyway, so they are just the same piece of text arranged in different formats. My main concerns are around extensions to make the connection secure and spam-proof, but there could be other things that I probably should be mindful about as well - educate me please! E.g. the ease of adding HTTPS over SSL, or if I want to restrict who can send requests to my server. I'm new to web technology (i.e. defined standards, protocols, frameworks) but am reasonably experienced in general development/computer science topics.

Efficient cross domain web API like Twitter Facebook Google etc

I have recently been experimenting with building a cross-domain web API, and wow, has it been a bumpy journey. I have not had any problems with modern browsers such as Chrome, FF and Safari. The problem is with IE, which requires you to use XDR as opposed to $.ajax when making cross-domain calls. First question: if I were using Backbone.js, what is the recommended way of making cross-browser and cross-domain AJAX calls?
Another problem I had with IE was that when you make cross-domain AJAX requests, IE has a bunch of restrictions and limitations such as "Only text/plain is supported for the request's Content-Type header" - a link. Therefore, in my case, I was unable to bind to my model using the MVC C# framework unless I bound it manually.
Anyway, my second and last question is: how do companies like Instagram, Facebook, and Twitter go about building their APIs? I am not looking for a complete guide, but just want to know how difficult it is.
JSONP
The current standard is using JSONP. It is basically a trick to send a JSON payload wrapped in a single JavaScript function; the browser treats it like a script file and executes it.
CORS
Moving forward the way to go is CORS. Sadly browser support (IE) isn't there yet and there are still some implementation differences between the modern browsers that do implement it.
HTTP Method Overloading
Some APIs overload GET and POST requests using X-HTTP-Method-Override: PUT or ?_method=PUT.
easyXDM
A number of API providers implement easyXDM. This tends to be used more when they provide a JavaScript API or widget API where developers load their JS and integrate it directly into the frontend code.

JSONP question for making PUT/POST/DELETE cross-domain requests

I've created a RESTful API that supports GET/POST/PUT/DELETE requests. Now I want my API to have a JavaScript client library, and I thought to use JSONP to bypass the cross-domain policy. That works, but of course only for GET requests.
So I started thinking about how to implement such a thing and at the same time trying to make it painless to use.
I thought to edit my API implementation and check every HTTP request. If it's a JSONP request (it has a "callback" parameter in the query string), I force every API method to be executed by a GET request, even if it should be called by other methods like POST or DELETE.
This is not a RESTful approach to the problem, but it works. What do you think?
Maybe another solution could be to dynamically generate an IFrame to send non-GET requests. Any tips?
There are some relevant points on a pretty similar question here...
JSONP Implications with true REST
The cross-domain restrictions are there for a reason ;-)
JSONP allows you to expose a limited, safe, read-only view of the API to cross-domain access - if you subvert that, then you're potentially opening up a huge security hole: malicious websites can make destructive calls to your API simply by including an image with an href pointing to the right part of the API.
Having your webapp expose certain functionality accessed through iframes, where all the AJAX occurs within the context of your webapp's domain, is definitely the safer choice. Even then you still need to take CSRF into consideration. (Take a look at Django's latest security announcement on the Django blog for a prime example - as of a release this week, all JavaScript calls to a Django webapp must be CSRF-validated by default.)
The iframe hack no longer works on recent browsers; do not use it anymore (source: http://jquery-howto.blogspot.de/2013/09/jquery-cross-domain-ajax-request.html)
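The server-side policy the answers above argue for (JSONP stays read-only, method overloading from the "HTTP Method Overloading" section cannot ride on a JSONP request, CORS uses an origin allowlist instead of reflecting arbitrary origins, and unsafe methods need a CSRF token header, which also forces a CORS preflight), as an added example that is not code from either thread. The request shape, the read-only resource list and the header names are assumptions for this example.

```javascript
// Added example: admission policy for a cross-domain API (constructed paths and origins).
const READ_ONLY = new Set(["/api/items", "/api/status"]); // the only resources exposed via JSONP
const UNSAFE = new Set(["POST", "PUT", "DELETE", "PATCH"]);

// CORS response headers: echo only an allowlisted origin, never "*" together with credentials.
function corsHeaders(origin, allowedOrigins) {
  if (!origin || !allowedOrigins.has(origin)) return {}; // no ACAO header: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, X-CSRF-Token",
    "Vary": "Origin",
  };
}

// req = { method, path, query (raw query string), headers (lower-case names) }.
// Returns { allow, status, method, headers } or { allow: false, status, reason }.
function decide(req, allowedOrigins) {
  const q = new URLSearchParams(req.query || "");
  const origin = req.headers.origin;
  const override = req.headers["x-http-method-override"] || q.get("_method");
  if (q.has("callback")) {                                 // JSONP: GET only, no override, read-only set
    if (req.method !== "GET" || override) return { allow: false, status: 405, reason: "JSONP is GET-only" };
    if (!READ_ONLY.has(req.path)) return { allow: false, status: 403, reason: "not exposed via JSONP" };
    return { allow: true, status: 200, method: "GET", headers: {} };
  }
  const cors = corsHeaders(origin, allowedOrigins);
  if (origin && !cors["Access-Control-Allow-Origin"]) return { allow: false, status: 403, reason: "origin not allowed" };
  if (req.method === "OPTIONS") return { allow: true, status: 204, method: "OPTIONS", headers: cors }; // preflight
  if (override && req.method !== "POST") return { allow: false, status: 400, reason: "override only on POST" };
  const method = (override || req.method).toUpperCase();
  // A custom header is required for unsafe methods: a plain form or <img> cannot send it,
  // and cross-origin it triggers a preflight that the allowlist above decides.
  if (UNSAFE.has(method) && !req.headers["x-csrf-token"]) return { allow: false, status: 403, reason: "missing CSRF token" };
  return { allow: true, status: 200, method, headers: cors };
}
```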

HTTP digest authentication for AJAX requests

Hey SO, so I've got an API I'm making calls to in a browser application. Said API lives on a server that requires whitelisting and HTTP Digest Authentication.
To meet the whitelisting requirement, I'm running all API calls through a proxy, which is whitelisted. The calls are originating from an iFrame, currently populated by an index.html file.
What I need to know is how I can authenticate via HTTP Digest in the background. Most of the resources I can find online seem to involve the original HTTP Digest Authentication setup, but what I'm looking to do is automate login.
Despite the non-secretive subject matter, it is somehow critical that I keep the digest parameters obfuscated from users. Perhaps I could change the served file to index.php and then somehow set the magic headers? Even then, if the calls are made via XHR, would the index.php headers authenticate the separate request?
Overall, I'm just lost, and the API developers in question are not exactly responsive, so thought I'd turn here.
It appears that in the end, this was not possible. I had to switch to building a thin back-end to route requests through.
