React(ing) Before Express(ing)

Posted in #dev, 5 years ago (edited)

Do you react to your expression, or express your reaction? Normally, I think we all express our reactions. Maybe those are the same thing, but the reaction seems to come first. It seems we need to react, then express it.

When coding in React while using Express in the same app, you can do it either way. If you have server-side rendering, then you Express first, then React. My app does client-side rendering, with API calls to the backend in Express. So React first, then Express.

[Image: react-and-express-square.png]

In setting up routes for certain pages, it's cumbersome not to be able to simply send a route straight to Express. First I had to handle the request in React, then go to Express through React. It would have been convenient if I could easily choose whether React or Express should handle a given route. But I can't :/

With SteemConnect, you need a redirectURL sent in order for your JWT access token to be received. You can choose any route, say for example, /auth, or /complete, or /success. So the URL is something like http://example.com/success.

I wanted to receive that in Express to create a CSRF token there directly after a login, rather than go through React first. But I can't. So I needed to make a React component for the SteemConnect authentication success, then make an API call to the Express backend, which will process the data like the expiration of the token, username, create a CSRF token, add data to the database, and then return the CSRF token and SteemConnect JWT for a successful authentication in React.

The SteemConnect token only has your username, expiration, and other data encoded (not encrypted). But it can be used to re-authenticate you until it expires. I won't be holding that token in the database, don't worry. Your SteemConnect credentials will only be in a Cookie ~that you can eat~ that is stored in your browser.

That way, the next time you visit, you won't need to log in again and again. I notice SteemPeak is set up that way. I don't like the hassle. I plan to add an option later to customize the login: do you want the token to last just 1 week, 1 month, or auto-renew and auto-login; or do you want to have to log in each time you visit after closing the page (like SteemPeak).

Your SteemConnect token will be safe. It won't be accessible to the front-end JavaScript, as I will be setting HttpOnly on the cookie, meaning the browser will only send it along with HTTP requests and never expose it to scripts on the page. If ever (by some freak accident on my part) an XSS vulnerability slips in, my site may be in shit, but at least your cookies won't be accessible to an attacker who tries to steal them ;) I doubt it will come to that though.

As much as developers say XSS won't happen to them, it can. All it takes is a mistake. We may protect against it, but you never know, ya know? This way, your cookie will be safe on my site no matter what. Busy.org has your token in the browser cookie, without HttpOnly on. Again, it's only an issue if you have an XSS vulnerability where an attacker can use JavaScript on a site to access your cookies, and therefore your JWT token stored there (in non-HttpOnly mode). But I prefer to make your token doubly-safe.

Well that's my latest dev tale to share. I hope it made sense to most (some?) of you :)


Thank you for your time and attention. Peace.


If you appreciate and value the content, please consider: Upvoting, Sharing or Reblogging below.
Follow me for more content to come!


My goal is to share knowledge, truth and moral understanding in order to help change the world for the better. If you appreciate and value what I do, please consider supporting me as a Steem Witness by voting for me at the bottom of the Witness page.


Will be curious to see what you are building. I still want to know more about Steemconnect before I input any key into their possession. I still don't get why so many hand it over to them being they don't even have a way to contact them on their site.

Cookies get squashed by me many times a night, as I learned to view them as tracking objects. I always delete them and restart my browser after researching certain subjects.

Cookies are only good on a domain, but 3rd party cookies like for ads, get used by many sites because all those sites use the ads from the authoring domain. A cookie from a site that doesn't use 3rd party tracking like in ads, can't be tracked by those other cookies. They would add stuff to cookies themselves, but you can always view the contents. They may be encrypted though, but they can only track what you do on the site, and only be read by the site, and there are better ways to do that like with a database, if they really want to track you on their own site ;)

Thanks for the explanation. I am still not sure how one would know how to differentiate the cookie so in my ignorance will continue deleting them when I am done at websites or on themes of research, lol. Best to play it safe when you know you lack understanding, lol.

I know for example that I read maybe two years ago that Fakebook is able to track you on all sites that have their widget on them (as we see here before the Twitter, Reddit, etc widgets). About the only thing I am certain of is I am tired of everyone tracking me and collecting my moves into their databases.

When I used to run author websites for my pen names, I ran a program called WordFence. It saved me many times from brute force hacking. I still get their newsletter, and seems every few months or so they release a warning that one of the WordPress apps has installed backdoors or other things more sinister onto all the sites their apps are on.

So many scammers out there I proceed with caution.

Have you ever used Discord? You should install it, and contact me. My user is KrNel#6579 to Friend me there ;)

I have shied away from Discord, primarily as an agreement between myself and my other half. Both of us have been shafted by previous partners who used private chats such as Discord on other sites and neither of us want to make the other question if this is happening.

Not to lay the blame solely there, but Steemit has been too much of a time sink for me weekly as well, and not sure when I would have time even without that understanding between us. I can see myself using it though if this site goes belly up, so will save it for an emergency should the need arise. Thanks for the invite, it means a lot to me coming from you.

So, you can't use any chat apps to communicate with other people?

Correct. It is one of the ways we honor one another. Not for everyone, but it works for us.

Alrighty ;)

Curated for #informationwar (by @Gregorypatrick)

Ways you can help the @informationwar!

  • Upvote this comment or Delegate Steem Power. 25 SP 50 SP 100 SP or Join the curation trail here.
  • Tutorials on all ways to support us and useful resources here

FreezePeach

If you feel you've been wrongly flagged, check out @freezepeach, the flag abuse neutralizer. See the intro post for more details, or join the discord server.

We are bringing up the % for our upvotes, please let me know if it is noticeable if you get the chance my good man.

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

Thanks for sharing this with us. At first it was a little bit confusing for me about do i react to my expression or i express my reaction

What kind of project is this? A front end?

Manual curation network remedy for Steem ;)

This post has been included in the latest edition of SOS Daily News - a digest of all you need to know about the State of Steem.


