newhavenio / newhavenio.github.io

active version of the website for newhaven.io built on the Jekyll framework
http://newhavenio.github.io/
MIT License

RoR Backend API #71

Closed bsutt123 closed 6 years ago

bsutt123 commented 6 years ago

So right now the website uses JSONP to make a request to the Meetup API for information about the events. I was under the impression that JSONP is not the most secure request and it means that we have to store the API key in the client-side code somehow and then work to hide it.

Is it worth using the Heroku that we have set up and running a small RoR API server that can make requests for us? Canonically it is what I would do to obfuscate API requests (and probably do a touch of memoization), but I'm curious if you guys think it is worth the time or if we should charge forward with JSONP.

treznick commented 6 years ago

Hi @bsutt123, thanks for proposing this and for looking into how to optimize our site from a security perspective.

As much as I agree with the desire to move those sorts of API requests to the backend, I worry that the hosting costs incurred, and the application boot time costs incurred, would not be ideal from both an operations and performance perspective. This is true, btw, for any backend: Rails, Sinatra, Express, etc. There is going to be boot time at the Heroku level because we are not in the position of paying for a more expensive dyno. Furthermore, there is operational cost associated with the maintenance of this bit of infrastructure.

Secondly, as far as I recall, and @NerdsvilleCEO and @jnimety would have a better sense of this, our API access to Meetup is fairly limited in scope. Point being that even if an attacker compromised JSONP, what they could then do is limited to issues that are really best mitigated at Meetup's end.

As such, I'm going to say that I don't think building an entire backend is the right call here.

treznick commented 6 years ago

@bsutt123 I'm going to close this for now, but if you or others feel that this discussion needs to continue, please feel free to reopen or to propose a new issue.

bsutt123 commented 6 years ago

Totally fair. I just wanted to bring it up and see if it was worth setting up; my thought was that it wasn't, but I have a pretty poor sense of necessary security protocols. It's good to hear someone who knows more about it say that it's overkill.

jnimety commented 6 years ago

That's right, security issues should have been resolved in #40 and #41. Is there something those commits didn't address?

sukima commented 6 years ago

To mitigate the problem with publishing API keys, the Meetup API uses signed URLs. PR #40 specifically addressed the security concern you mentioned. A back end is not required as the signed URLs are public and do not leak our API key nor any security tokens.

sukima commented 6 years ago

In fact, PR #38 adds a tool for generating the signed URLs.

bsutt123 commented 6 years ago

It's something you and I could work on, though if we aren't requesting developers or anything that isn't public I haven't had to use an API key with the latest version of the Meetup API, so we also might just be able to ignore it. Though we might still want to sign it so that it's harder to hijack our request?

Security is not my forte, so I'm open to changes as necessary.

thatnerdjosh commented 6 years ago

@bsutt123 the signed URL fix allows us to keep API keys off of the front end; it is read-only.