These are chat archives for jdubray/sam-examples

5th May 2016
Bang-Equal
@Bang-Equal
May 05 2016 16:23
@jdubray Hi JJ, it's me again. I am looking at the code of your website http://www.ebpml.org and I am trying to get an understanding of how SAM can be used in the "real world". Let's say, for example, that I published the crud-blog example where a jQuery HTTP request is made to the server. Is it safe to expose the server address and file structure to the client? How did you address security in your site?
Jean-Jacques Dubray
@jdubray
May 05 2016 16:27
In the http://www.ebpml.org/about page, I simply make a request to the feed.xml file so there is security (but that's server-side)
On the Web there is only one security architecture for back-end APIs: either it is safe for anyone to call them (say like feed.xml), or you need users to log in and either call the API with a valid session token from the browser or you need to call them safely from the server (say with an API key)
You should never bring API credentials into the browser (say like an API key); it is 100% unsafe.
I am a server-side guy; I don't believe much in complex browser-based apps. I like the UX of SPAs, but I prefer when most of the SPA comes from the server rather than making AJAX calls from the browser.
That's why SAM is 100% isomorphic, and I came up with it because I felt that the front-end driving API signatures was the wrong thing to do.
Bang-Equal
@Bang-Equal
May 05 2016 16:33
OK, so if I were to publish the crud-blog example that we discussed above, for example, I would just need to generate a token that the server can validate.
Jean-Jacques Dubray
@jdubray
May 05 2016 16:43
Yes, you would want the user to log in, and if you need to call the API from the browser, I would use a session token. In general, API Gateways (such as AWS, Azure, ...) don't implement that pattern; they prefer a server to call the API with an API key because they implement things like throttling, ... but if you implement your API, say, with Node.js, then it's not hard to manage session tokens.