Protect the database login credentials when working with JavaScript
‎08-31-2018 02:03 AM
Nice! I look forward to having a play with this. How would you protect the database login credentials when working with JavaScript though?
‎08-31-2018 03:13 AM
Generally, don't store the credentials.
Browser local-storage is reasonably sandboxed, but of course a person can look through that using dev tools.
On the nodejs side credentials management would be the same as you'd do for any language. If stored to disk, make sure file permissions are limited.
‎08-31-2018 04:01 AM
Thanks, that's what I was thinking. Unless I've missed something (I only speed read it) you would need to pass database login credentials when calling a database select, update etc. Would that not mean that you HAVE to store the credentials client side? I'm sure I've missed something.
‎08-31-2018 04:09 AM
Only when you create the driver. And you could use a user login form for that, like in Neo4j Browser.
Usually, you'd use the JS driver on the backend in a node.js server though.
‎08-31-2018 04:45 AM
Oh, OK. So this is more for back end node.js stuff than as a practical solution for calling a Neo4j database from a web browser session (unless the database credentials are specifically entered via a form as you say). Really great project, thank you guys very much for all your hard work 🙂
‎09-04-2018 04:06 PM
Note: you could implement a custom authenticator/authorizer which accepts OAuth tokens and maps those to the appropriate Neo4j user/privileges. Then the JavaScript driver can send the OAuth tokens as the "passwords". We do this for the Neo4j Sandbox.
See more info on custom auth plugins here:
https://neo4j.com/docs/developer-manual/current/extending-neo4j/auth-plugins/
‎08-12-2019 02:20 AM
Hi Ryan, I don't know Java and was wondering if there is any pre-built plugin I can use? I am building a JS app and would like to authenticate the user with a token every time I run a session which I would receive once the user logs in to the app. On login the user credentials would be sent to Neo4j and the browser would receive and store a token which I would then use in subsequent sessions (currently I establish and close a session with every query). Is this the right approach? Thank you
‎08-24-2019 12:01 PM
Hi Fred,
To confirm, you have some server-side code? What's your server-side written in? NodeJS?
Typically the server-side code would authenticate and authorize the user and then perform the database requests on behalf of the user -- rather than connecting the frontend JS directly to the DB.
Cheers,
-Ryan
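The server-side pattern described in the reply above, sketched as an added example that is not part of the original thread or Neo4j's own code: the Node.js backend keeps the database credentials, and the browser only ever holds a signed, expiring session token. The function names, the `QUERIES` allow-list, the sample Cypher statement and the environment variable names are assumptions made for illustration.

```javascript
// Added example (not from the thread). Names, query and env vars are hypothetical.
const crypto = require('crypto');

// The browser sends a query name plus parameters, never Cypher text or DB credentials.
const QUERIES = {
  moviesByYear: 'MATCH (m:Movie) WHERE m.released = $year RETURN m.title AS title',
};

const sign = (secret, payload) => crypto.createHmac('sha256', secret).update(payload).digest();

// Called after the app's own login check succeeds (login check not shown).
function issueToken(secret, userId, ttlMs, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ sub: userId, exp: now + ttlMs })).toString('hex');
  return `${payload}.${sign(secret, payload).toString('hex')}`;
}

// Returns the claims, or null if the token is malformed, tampered with or expired.
function verifyToken(secret, token, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const expected = sign(secret, payload);
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'hex').toString());
  return claims.exp > now ? claims : null;
}

// `driver` is created once at server start from server-side configuration, e.g.
//   neo4j.driver(process.env.NEO4J_URI,
//                neo4j.auth.basic(process.env.NEO4J_USER, process.env.NEO4J_PASSWORD))
async function runForUser(driver, secret, token, queryName, params) {
  if (!verifyToken(secret, token)) return { status: 401, body: { error: 'invalid or expired token' } };
  if (!Object.prototype.hasOwnProperty.call(QUERIES, queryName)) {
    return { status: 400, body: { error: 'unknown query' } };
  }
  const session = driver.session();
  try {
    const result = await session.run(QUERIES[queryName], params); // parameters, not string concatenation
    return { status: 200, body: result.records.map((r) => r.toObject()) };
  } finally {
    await session.close();
  }
}
```

An HTTP route would call `runForUser` with the token taken from the request and return `status` and `body` to the browser; the token secret lives only in server-side configuration, alongside the database credentials.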
‎10-02-2019 01:11 AM
Thanks Ryan, I was initially hoping to have a node server deployed with Neo4j, ended up building a node server and handling it there.