FatFractal customer forums



Author Topic: CORS setting to disable databrowser not working?  (Read 3695 times)

shaun.etherton

  • Newbie
  • Posts: 11
CORS setting to disable databrowser not working?
« on: March 25, 2014, 03:33:27 AM »
Hi

I've just started with FF and I'm trying to disable the databrowser functionality so people cannot view my datastore using a web browser.

I commented out the line in the application.ffdl, but it doesn't seem to make any difference after deploying the app.
I can still view the data via the URL:
  https://system.fatfractal.com/console/databrowser/databrowser.html?baseUrl=[my app url]

The app has been updated because there is a newly created table visible now that was not there before. The contents of the war file also reflect the changes to the application.ffdl file.

This is the line in the file.
# Remove the following CORS setting if you don't wish to be able to use the data browser from the FatFractal Console
# SET CORS https://system.fatfractal.com

Is there something else I need to set?

Regards,
 Shaun

shaun.etherton

  • Newbie
  • Posts: 11
Re: CORS setting to disable databrowser not working?
« Reply #1 on: March 25, 2014, 05:14:51 AM »
Replying to my own question:

I've changed the configuration as follows, which seems to have done the trick.

SET CORS http://my_other_domain.com

gkc

  • Administrator
  • Posts: 375
Re: CORS setting to disable databrowser not working?
« Reply #2 on: March 25, 2014, 05:30:53 AM »
Hi Shaun,

Great! I'm putting together a more substantial response with regards to securing your data in general. Will post that later today.

Cheers

- Gary

gkc

  • Administrator
  • Posts: 375
Re: CORS setting to disable databrowser not working?
« Reply #3 on: March 25, 2014, 07:02:10 AM »
Hi - thanks for trying us out!

There are a couple of things to note here:
1) Apps are accessible via HTTP and GET requests are permitted by default
2) If you wish to totally secure your data you have several options. The following sample code will
  • Prevent any access to your application data except by registered & logged-in users
  • Add a simple security wrap to user registration

Add the following to your application.ffdl
Code:
# Allow only authenticated users to access data via HTTP GET requests
SET AllowAnonymousGets false

# Add an event handler which will prevent registration of users unless they supply a special code (known only to your app)
CREATE HANDLER VerifyRegistrationToken PRE  ON /FFUser CREATE AS javascript:require('scripts/EventHandlers.js').verifyRegistrationToken();

Create an EventHandlers.js file in your ff-scripts directory like this
Code:
var ff = require('ffef/FatFractal');

exports.verifyRegistrationToken = function() {
    var httpHeaders = ff.getHttpRequestData().httpHeaders;

    // Require presence of a valid registration token in the registration request
    if ('MySecretTokenGoesHere' !== httpHeaders['RegistrationToken']) {
        throw {statusCode:403, statusMessage:'Forbidden'};
    }
};

And finally, add the following to your application code before making the register request
  • iOS (Objective-C)
Code:
ff.customHttpHeaders = @{@"RegistrationToken": @"MySecretTokenGoesHere"};
  • Android (Java)
Code:
final HashMap<String, String> customHttpHeaders = new HashMap<String, String>();
customHttpHeaders.put("RegistrationToken", "MySecretTokenGoesHere");

ffInstance.setCustomHttpHeaders(customHttpHeaders);

Note:


shaun.etherton

  • Newbie
  • Posts: 11
Re: CORS setting to disable databrowser not working?
« Reply #4 on: March 25, 2014, 11:35:05 AM »
Thanks for that reply, it's very helpful.


 

Copyright © FatFractal customer forums