Hello!
Hope I’m asking this in the right place / sub.
For a bit of context: I’m a DB sysadmin of 1.5 years, I work in insurance. Out of interest, I started learning programming in C++ some 5 months ago. Quite recently I started learning JavaScript, Node, HTML, CSS, React… So, bear in mind I’m quite new, but very curious.
About 4 months ago, my company decided to incorporate hybrid work. However, you need to send an email to your manager for approval, for each day you’d want to work from home. As you can imagine, it’s a hassle, especially for managers with bigger teams.
Since I’m eyeing the dev position in my company, I decided to make a web app where you can send your WFH requests. Also, where a manager can approve or disapprove requests on his dashboard. This is the first serious project I’m attempting.
What I have so far is the fully working LDAP Auth. I’m using Express + Passport and I’ve also set up Passport sessions.
What works so far:
- User can use his existing Active Directory credentials to log in. If he logs in for the first time, I use data from the LDAP response to register that user automatically in my database. I also set up the manager - user relationship in another table.
- After registration, OR if the user already exists in my database, a passport session gets created, is saved in my DB and the user gets a cookie.
Now, on to my question from the title: I’m concerned with security. I’m using LDAP auth, parameters in my DB queries to prevent SQL injection… Now the HTTP / HTTPS part:
The thing is - both the Node server and the frontend would be hosted inside a VPN, not available to the public. A user could only access the frontend when connected to the company LAN (from a device trusted in AD) or if he’s connected to the corporate VPN (over the Cisco AnyConnect client, for instance). Otherwise, the IP address of the client would not be accessible.
Would you consider it safe if I sent session cookies over HTTP, but inside a trusted VPN network only? As for sensitive data, in my database I store: 1. the user’s sAMAccountName, 2. email, 3. the manager’s sAMAccountName. That’s all.
However, I’m mostly concerned with the following scenario - I’m in a café on public Wi-Fi. I connect to the VPN, open my React frontend, send the AD username / password over my login form as an HTTP POST with JSON. Is that username / password exposed to potential Wi-Fi sniffing, since the VPN is already encrypting all traffic?
Would a self-signed cert add an additional layer of security so I can enable HTTPS? (I know about the warnings though… Users could be educated to ignore them.) I’ve also found a lot of tutorials for creating my own CA, but it might be a challenge for a newbie like me to do right.
EDIT/UPDATE:
Thanks everyone!
Alright, so I talked to my manager today and told him that I’m making an app. I showed him the work I did so far. He was quite pleased with what he saw, was positively surprised and encouraging.
He told me: Yes, do the app, it’s a great idea. Also, he said that HTTPS is mandatory. He will take care of the wildcard cert from DigiCert, no problems there!
I was also happy he is 100% pro the Node backend I’m working on, even though we use .NET for everything.
Latest update: I already successfully created my own CA using OpenSSL in my root for development purposes! HTTPS is working on frontend / backend. Browser says: connection is secure.
This is working:
```js
const https = require("https");
const fs = require("fs");
const path = require("path");
const express = require("express");
const cors = require("cors");
const passport = require("passport");

const app = express();
const port = process.env.PORT || 8000;

// Key and cert issued by the local development CA, read once at startup.
const sslOptions = {
  key: fs.readFileSync(path.join(__dirname, "./cert/localhost.key")),
  cert: fs.readFileSync(path.join(__dirname, "./cert/backend.crt")),
};
...
let _ = {};
_.start = () => {
  const server = https.createServer(sslOptions, app);
  // listen() reports failures (e.g. port already in use) asynchronously via
  // the "error" event, so a try/catch around it would never see them.
  server.on("error", (err) => {
    throw new Error("HTTPS server failed to start: " + err.message);
  });
  server.listen(port, () => {
    console.log("HTTPS server listening on port: " + port);
  });
};

// Only the HTTPS dev frontend may call the API, and it may send cookies.
const corsOptions = {
  origin: "https://localhost:5173",
  credentials: true,
};
app.use(cors(corsOptions));
app.use(passport.initialize());
...
```
Frontend is working:
```js
// vite.config.js
import { defineConfig } from "vite";
import react from "@vitejs/plugin-react";
import fs from "fs";
import path from "path";

// https://vitejs.dev/config/
export default defineConfig({
  plugins: [react()],
  server: {
    // Serve the dev frontend over HTTPS with the cert issued by the local CA.
    https: {
      key: fs.readFileSync(path.resolve(__dirname, "./src/cert/localhost.key")),
      cert: fs.readFileSync(path.resolve(__dirname, "./src/cert/frontend.crt")),
    },
    // Forward /api calls to the HTTPS backend. Node uses its own CA bundle, not
    // the OS trust store, so the dev CA must also be known to Node (for example
    // via NODE_EXTRA_CA_CERTS) for the proxy to accept the backend certificate.
    proxy: {
      "/api": "https://localhost:8000",
    },
  },
});
```
Everything is going well so far! I feel even more motivated now.
Thanks everyone for the great advice and for pointing out that security is always the number one priority! Also, I’m working in insurance, so good security is mandatory.
Cheers
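For readers following the "create my own CA" step from the update above, here is an added, self-contained OpenSSL recipe (not the poster's own commands) that builds a local development CA and issues a server certificate for localhost signed by it, then verifies the chain the way a browser would. The file names (ca.crt, localhost.key, backend.crt) are assumptions that mirror the post's layout; this is for development only, production keeps the CA-issued wildcard cert mentioned in the post.

```shell
#!/bin/sh
# Added example: local dev CA + "localhost" server cert with OpenSSL.
# Assumed file names mirror the post; dev use only.
set -eu

# make_dev_certs <dir>: writes ca.key, ca.crt, localhost.key, backend.crt to <dir>.
make_dev_certs() {
  dir="$1"
  mkdir -p "$dir"
  cfg="$dir/dev.cnf"
  # Minimal config: req needs a DN section even with -subj; the extension
  # sections are what make the root a usable CA and the leaf acceptable to browsers.
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
  # 1. Private CA: key plus self-signed root (only this root is imported into the trust store).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$cfg" \
    -extensions ca_ext -subj "/CN=Dev Local CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server key and CSR for the backend.
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=localhost" \
    -keyout "$dir/localhost.key" -out "$dir/backend.csr" 2>/dev/null
  # 3. Sign the CSR with the CA. Browsers match the SAN, not the CN, so the
  #    leaf extensions are applied here by the CA rather than taken from the CSR.
  openssl x509 -req -in "$dir/backend.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$cfg" -extensions leaf_ext \
    -out "$dir/backend.crt" 2>/dev/null
}
# verify_dev_cert <dir> [host]: succeeds only if backend.crt chains to ca.crt,
# is usable as a TLS server cert, and is valid for <host> (default localhost).
verify_dev_cert() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
    -verify_hostname "${2:-localhost}" "$1/backend.crt" >/dev/null 2>&1
}
```

Run `make_dev_certs ./cert && verify_dev_cert ./cert` to produce the files, then import only ca.crt into the OS/browser trust store; the leaf key and cert go to the server config shown above.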