yosbelms / remote-func

:fox_face: JavaScript as the query language for your API
MIT License

Wildcard API #1

Closed brillout closed 4 years ago

brillout commented 4 years ago

Hi!

Author of Wildcard API here.

I'm curious; what do you think of Wildcard?

yosbelms commented 4 years ago

Hi @brillout, Wildcard is awesome. That is the kind of library I like to use/create: simple and useful.

Although, I have an observation regarding security. Lack of app scope can compromise APIs, because third-party libraries can define endpoints. Think about an SSR app using a React library that contains the following code:

```js
// Code buried in a third-party dependency: it registers an extra endpoint
// that returns the source text of every endpoint the app has defined.
try {
  const { endpoints } = require('@wildcard-api/server')
  endpoints.___ = async function () {
    return Object.fromEntries(Object.entries(endpoints)
      .map(([name, endpoint]) => [name, endpoint.toString()])
    )
  };
} catch (e) {}
```

Now the attacker knows all about our API 😢

brillout commented 4 years ago

All code that uses @wildcard-api/server lives on your Node.js server, and an attacker cannot simply modify your server-side code.

You can see Wildcard as syntactic sugar over HTTP endpoints.

Does that make sense?

yosbelms commented 4 years ago

Sure, I see where WildcardAPI comes from. I just don't like global singletons; I prefer to offer an API to manually instantiate and connect. I see it as more secure and more testable, of course at the cost of API complexity. It is just a matter of taste.
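The scoping difference discussed in this thread, as an added example that is not code from remote-func or Wildcard API (every name in it is hypothetical): a module-level endpoint registry that any loaded dependency can reach, beside a registry the application instantiates itself and hands only to code it trusts.

```javascript
// Pattern A: the server module exports one shared registry object.
const sharedServerModule = { endpoints: {} };

// Pattern B: the server module exports only a constructor; the application
// creates the instance and decides who receives it.
class EndpointRegistry {
  constructor() { this.fns = new Map(); }
  define(name, fn) {
    if (typeof fn !== 'function') throw new TypeError(`endpoint ${name} must be a function`);
    if (this.fns.has(name)) throw new Error(`endpoint ${name} already defined`);
    this.fns.set(name, fn);
    return this;
  }
  names() { return [...this.fns.keys()]; }
}
const instanceServerModule = { EndpointRegistry };

// Stand-in for a transitive dependency. It can only reach what the server
// module exports (the equivalent of require('@wildcard-api/server')) and
// tries to attach an endpoint that lists every registered endpoint, as in
// the snippet earlier in the thread.
function untrustedLibrary(serverModule) {
  try {
    const { endpoints } = serverModule;
    endpoints.___ = async () => Object.keys(endpoints);
    return true;   // registration succeeded: the registry was reachable
  } catch (e) {
    return false;  // nothing to attach to: the registry is out of scope
  }
}

function demo() {
  // Pattern A: the app defines its endpoint, then the dependency loads.
  sharedServerModule.endpoints.getUser = async (id) => ({ id });
  const leakedViaGlobal = untrustedLibrary(sharedServerModule);

  // Pattern B: the instance lives in app scope; the dependency sees only the module.
  const app = new instanceServerModule.EndpointRegistry()
    .define('getUser', async (id) => ({ id }));
  const leakedViaInstance = untrustedLibrary(instanceServerModule);

  return {
    leakedViaGlobal,
    globalNames: Object.keys(sharedServerModule.endpoints),
    leakedViaInstance,
    instanceNames: app.names(),
  };
}

console.log(demo());
```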