Here is a recap of the Node.js-related content we posted in the last two weeks, upcoming events, plus StrongLoop-related articles we came across on the web.
Curious what new developments are happening with the LoopBack project? Here’s a curated selection of the most important changes that have been made to LoopBack in the past four weeks or so.
What’s LoopBack? It’s an open source Node.js framework for creating REST APIs that connect to datasources like Oracle, SQL Server and MongoDB. Learn more…
Since we last checked in, we’ve made a lot of progress both with the Express documentation itself and in the “infrastructure” of the expressjs.com site. Although developer and author Hage Yaapa and I have been leading the documentation efforts, we’ve been working closely with Express lead maintainer Doug Wilson, and with the community as a whole.
In the last four months, we’ve merged over 50 pull requests (PRs) and closed over 30 issues. While many of these were small corrections or trivial updates, some were significant improvements, as I’ll outline below. In general, one of our primary goals is to empower the community to help improve and maintain the documentation.
LoopBack already has authentication and authorization baked in. There is a base User class that you can use directly or extend to suit your needs. Each model in LoopBack can also have a rich set of access control rules built in using the existing user roles. I’m not going to talk in depth about these mechanisms, but you can read more at the link above. Instead, I want to focus on some insights from one of the sessions at Confoo: Chris Cornutt’s “Beginner’s Guide to Alternative Authorization”.
You can review the slides from his talk on his SpeakerDeck page, but let me give you the TL;DR version: There are a lot of different authentication mechanisms, and all of them have their own nuances, benefits, and issues. This session was just an overview of a lot of those mechanisms, but it got me thinking about the authentication built into LoopBack and how a developer might make that more secure using something like a multi-factor process.
So, without further ado, let’s see how we can extend the existing LoopBack User login system to use two-factor authentication with a time-based, SMS-delivered code.
Recently a security vulnerability, dubbed the “FREAK Attack”, was reported that affects certain versions of OpenSSL, the popular open source encryption library used in many server products such as Apache.
Specifically, the ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
Fortunately, Node.js v0.10.36, v0.12 and io.js are all unaffected by the reported vulnerability. They ship a more recent version of OpenSSL in which this vulnerability has already been fixed.
In older versions of Node.js (0.10.35 and older, including all versions of v0.8.x) the TLS client uses the default OpenSSL cipher suites, which makes them vulnerable. To users of those Node versions, our recommendation is to upgrade to v0.10.36 as soon as possible.
- March 23: Node.js Club SF Meetup – San Francisco
- Feb 22-26: M&M MEAN Milan Meetup – Las Vegas
- March 25-27: Node.js and API Development Training – Guadalajara, Mexico
StrongLoop is Hiring!
Love helping developers become successful with Node.js in developing APIs? Join our team!
StrongLoop Arc is a graphical UI for the StrongLoop API Platform, which includes LoopBack, that complements the slc command line tools for developing APIs quickly and getting them connected to data. Arc also includes tools for building, profiling and monitoring Node apps. It takes just a few simple steps to get started!