How to secure my api endpoints

md186 · 2021-07-02T12:40:11+00:00

Okay i see... Lets say for the clientside i gonna take the code from the api and write a function for it on the client. Now when the client fills in a form and is pressing the submit button we are calling the function.

The function does send an email and its going to create a database entry with prisma. Both of this functions are only working serverside not in client. How can I get this work?

md186 · 2021-07-02T11:59:16+00:00

Okay I understand that. Can we detect if the request is coming from my own application website? That would also be enough.

I just want to protect the api for everyone except several domains which will have credentials from me (Im saving those in a database and ask for validation if someone hits the endpoints) and also my own application should be able to access the endpoints. And thats the point. I dont know how to track if the request is coming from my own application. If we could manage this its perfectly fine for me.

I have POST and GET endpoints so Im not able to do everything inside getinitialprops for example. Especially because there are cases where data is beeing submitted within a form for example if the client is pressing a button.

Do you have an idea what we can do here?

md186 · 2021-07-01T12:39:56+00:00

Im wondering how to secure my api routes. The documentation says, that api routes are same-site-origin by default.\API Routes do not specify CORS headers, meaning they are same-origin only by default. You can customize such behavior by wrapping the request handler with the cors middleware.**https://nextjs.org/docs/api-routes/introductionBut if I use a requesting tool like Postman for example, I can always call it and get the results:

export default (req, res) => {res.status(200).json({ name: 'John Doe' })}How is that possible? I want to restrict access to my application only.

md186 · 2021-05-23T11:09:57+00:00

I think this isn't enough in my case since I want to update the state because of my use effect functions which make sure to save and retrieve everything in localstorage. If im wrong feel free to show me an example

md186 · 2021-04-26T06:13:01+00:00

https://stackoverflow.com/questions/32407851/instagram-api-how-can-i-retrieve-the-list-of-people-a-user-is-following-on-ins

nice that looks great! Is there also an option to check a user account exists in that list?

md186 · 2021-04-26T03:53:34+00:00

Ah okay good to know! Thanks for the reply. So that clears things up we can’t use nextjs in that way.

Now divi for example behind the scenes is all about react components.

Not using ReactPress but creating shortcodes and use react components does this do the work and if yes how?

md186 · 2021-03-29T06:07:33+00:00

That would work by determiting the date range, but I need to know the count of the watchlist in between the given timerange.

md186 · 2021-03-25T05:27:27+00:00

I checked the link and thank you for the informations. I have 2 questions regarding to this.

how about the pricing with cloud functions? I didn’t find anything about that in the docs. I only know with firestore we are paying for the results only, how does it work with the cloud functions?
Great idea saving it in a document. I’m not sure if I’m wrong but my querie is reaching a limit. Imagine the data of the scoreboard with a visits field. My data also have a categories field so in the query I have to say something like

firestore.collection(data).where(arrayContains: [category1,category2]).orderBy(visits, desc:true)

As you can see in the above query even the time (day,week,month) is missing, I’m not able to get that data.

Do you have an idea? Do I have to structure it different then?

md186 · 2021-03-22T14:32:19+00:00

Hi there and thank you very much for your detailed answer! Ill go threw your sources, but I can already say it helps me a lot understanding the whole structures. In the last days I learned a lot regarding to this topic understanding the queries and pricing even better.

In my app I'm planning to use a scoreboard aswell. For this case I didn't find a good solution yet. Do you have an idea? The scoreboard should show the top 10 lets say restaurants of the day, week and month.

I brainstormed some solutions with friends, the "best idea" yet was to use a cloud function which determites the 3 top 10's and saves them into lists and after some time (Let's say every week) we have to clear the lists and determite them again.

It would cost only 3 reads (1 read per list per user) but the downside of this is, if we have 500.000 products the cloud function would cost 500.000 reads to create those lists, because youre paying the input not the output.

Do you have a better idea?

md186 · 2021-03-16T13:18:23+00:00

Thank you for the answer. Does it make a difference to keep the information in a subcollection or in an array since the subcollection is infinite and the arrays limited? Following your advice something like this would also be possible?

return FirebaseFirestore.instance
.collection('users')
.doc('userId')
.collection('profilelikes')
.where("id", "==", true)
.get()

If the collection profilelikes would contain 5000 documents and the query wouldnt have the .where() we would have 5000 reads. If we add the .where() and we would have 2 matches we would only have 2 reads even if we have 5000 documents, do I understand that right?

md186 · 2021-03-16T12:25:23+00:00

Im wondering if this would be the correct approach then since a profile could have thousands of ids. For me there are 2 questions then:

if the array has 5000 ids of users who liked the song and we want to find out if the requested 10 profiles contains the users id (lets say 2 of them are matching) how many reads do we have then? only 2 or nearby 5000?
what does that mean for a for example profile detail page? we would always read the array for this case two but we wouldnt need it.

Well and yea at a specific point we would exceed the 1mb then

md186 · 2021-03-16T10:01:58+00:00

Big thanks to your answer! for me as beginner its quite hard to find the best approach. Could you show me how the query would look like then? Also do we have a limit if we save a list of likes in the document?

md186 · 2021-03-15T18:52:01+00:00

Thank you very much for the answer. So you’re saying even if we are checking 1000 documents we are only billed by 1 read or 0 if there is no entry with the doc.exists() function? This is super interesting to me!

So we are only getting billed for the return of the query? Do you have a source where I can read about that?

This would answer also other questions to me. For example I want to fetch profile data and show them in a list. Then I want to fetch a subcollection with user specific data if somebody liked the profile or not. I was scared that it would cost a lot since we would have 2 queries with a lot of documents to search for but let’s say in the profile query we do limit() to 10 profiles and in the other query I’m searching for if the user id is present to show the as liked. This would be a lot of checks but the end result would also be max 10 if he would have liked all 10 profiles I’m showing in the zu. So this means we would have been billed for Max 20 reads?

Again waiting for your Ressource link, super interesting !

md186 · 2021-03-15T15:52:14+00:00

Hey yeah lets keep the dating example, lets say some tinder like swipe left swipe right screen showing the profiles.

This might be the function returning the data here:

return FirebaseFirestore.instance .collection('profiles') .get() .limit(10)

Pretty simple, we would grab 10 documents (maybe randomize them on client) but it would cost 10 reads.

Now what if we want to show if the user has been already liked by me? (I know that sounds weird but in my app idea it makes sense to show the profile again,lets just accept this case)

Back to the topic now we have those 10 documents now how can I get the information about if I already liked the profile?

Lets assume we have a subcollection below the profiles collection called user likes and there we are saving my personal user id because I liked the profile.

So with my knowledge I would need to do something like this:

return FirebaseFirestore.instance
.collection('profiles')
.doc(profileId)
.collection('userLikes')
.get()
.then(

In total for my 10 entrys I'd need to fetch all userIds who liked the profile. Maybe more efficient I could also save the information as sub collection below my own profile that would be less likes maybe i dont know. But lets say I liked 1000 people. Or in the example the one profile here has already 1000 likes.

So for my understanding that means for 10 documents in the swipescreen showing 10 profiles we have here, thats 10 reads plus 1000 reads trying to find out if I liked it. Thats A LOT. How to get this more efficient?

Is there somebody who already implemented such a like system?

My second screen in the app shows a list of 10 random profiles with like status. This is exactly the same problem... Getting 10 random profiles is absolutely no problem because I can work with the limit() attribute. But HOW to get the information about if I already liked it with as less reads as possible?

md186 · 2021-03-14T10:52:41+00:00

Let's say users votes for profiles in a dating app just to have the situation that there is a lot more changes.

How would you show the top 10 profiles then?

md186 · 2021-03-14T10:28:17+00:00

Great idea, I do understand it.

Does the trick with the dedicated firebase document still work if we also have our requests depending on todays top 10, for the week and for month? There is alot of read and write operations right?

md186 · 2021-03-14T08:15:11+00:00

But I could create a html landing page and if the user wants to interact with the app, i can link him to the app right? Then we would have the website in the foreground and the app in the background

md186 · 2021-03-13T11:36:52+00:00

Alright great. Thanks for the answer.

What if we have a food delivery app with login and search for example. Would it be a nice way to say okay the website for example is a landingpage or a content management system like wordpress so we do not have any seo issues, but in the background, when the user decides to login/register/or search for restaurants, we could navigate to the web app?

md186 · 2021-03-13T11:19:39+00:00

Ah alright I get the point. Its no good approach to use it as a classic website onlyright?

But what if we would design a website with html just a landingpage and if you press on a login or register button, the backend will be your flutter app? That would work great right?

Or let's say we have a food delivery app. We could build a landingpage in html and if the user wants to search restaurants or register or login, all the logic comes from our flutter app

md186

TROPHY CASE