Applying Security to your NodeJS pages

Docs NodeJS
#1

You can apply security to your pages and redirect users who are not logged in or have no permissions to view a specific page.

Security Protection with NodeJS

Security Provider setup with NodeJS is similar to what you are used to do for the other server models (PHP / ASP / ASP.NET), the different in the workflow is the way you restrict access on the pages. For PHP, ASP and ASP.NET you would do this using the Security Enforcer on the page, while with NodeJS you apply the restrictions on the Server Side, in a Server Action.

Server Side

First we need to setup the Server Side part.
We already created the normal server action required for a login system like login and logout. We also crated a server action called user which will be used to restrict our pages. It contains a database connection and a database query, so nothing unusual:

Screenshot_2
Screenshot_21500Ă—884 211 KB

First let’s add the Security Provider to our server action. Right click the database connection step:

Screenshot_3
Screenshot_31500Ă—884 193 KB

And add the Security Provider:

Screenshot_4
Screenshot_41500Ă—884 171 KB

Set up your security provider as you usually do. We are using a database security provider in our example:

Screenshot_5
Screenshot_51500Ă—884 210 KB

That’s how we set it up:

Screenshot_1
Screenshot_11500Ă—884 221 KB

So just setup your security provider as you need it.

Right click the Security Provider step:

Screenshot_6
Screenshot_61500Ă—884 208 KB

And add Security Restrict:

Screenshot_7
Screenshot_71500Ă—884 200 KB

Select any permission if needed / if you created some, or just leave this field empty:

Screenshot_8
Screenshot_81500Ă—884 201 KB

Then select the URL where the users who are not logged in should be redirected to:

Screenshot_9
Screenshot_91500Ă—884 203 KB

We click the routes picker and select the login page, which we have already created:

Screenshot_10
Screenshot_101500Ă—884 201 KB

Then select the URL where the users who are not authorized should be redirected to:

Screenshot_11
Screenshot_111500Ă—884 215 KB

We click the routes picker and select the unauthorized page, which we have already created:

Screenshot_12
Screenshot_121500Ă—884 207 KB

Save your server action:

Screenshot_13
Screenshot_131500Ă—884 218 KB

Page Setup

Now open the Pages Manager and select the page which you want to protect:

Screenshot_14
Screenshot_141500Ă—884 191 KB

Select App and click the Select Server Action in the Server Side Data options:

Screenshot_15
Screenshot_151500Ă—884 265 KB

Select the server action called user which we just created:

Screenshot_16
Screenshot_161500Ă—884 232 KB

Save your page and you are done:

Screenshot_17
Screenshot_171500Ă—884 262 KB

That’s how to restrict access to your NodeJS pages.

5 Likes
NodeJS - by Privilege, authentication access /restriction to sites
What do you set as index page, if running your marketing site on the main domain via another platform but the app via Wappler?
Node JS - setting up security provider
Security - Restricting Access to Your Page
About the NodeJS category
Security Provider Enforcer in project nodejs
Security restrict, how to redirect to login page if not logged in? Wappler 5.2.0
Page restriction
Security Restrict Node.js
NodeJS - Does Security Restrict Redirect from SC?
Security - Restricting Access to Your Page
How do I auto direct back to Login if the user isn't logged in?
#2

Thanks for this @Teodor, with this restrict would this not display any of the protected page / layouts html or would it essentially show it and render it and then redirect (quicker than the human eye) but would technically still be accessible (obviously anything in the server connect would be protected I imagine)

Thanks

#3

No, it won’t load the route if the user is not authorized or not logged in.

1 Like
#4

Thanks for the confirmation @Teodor looking forward to getting stuck into the Node side of things I have been learning about it to get my head around it for when I jump in to using it in Wappler.

1 Like
#5

will this work in a similar manner for SPA?

#6

Yes :slight_smile:

2 Likes
#7

I can’t save the security provider.

Windows 10
Wappler v3.0.0. beta-6.

Solved in rc4

#9

After logging in I am returned to the login screen.
If I use the wrong credentials i get a warning, so it seems like it’s accepting my login

Agron2 not a possibility for password hashing anymore ?

#10

Argon2 algorithm is only available in PHP.

#11

2 posts were split to a new topic: Error with authentication in NodeJS

#12

I continue to test work with nodejs projects. I decided to try to configure security for the nodejs project. But I ran into a problem.

The manual shows:

71
71396Ă—827 51.8 KB

I created a new project. And what does the page settings look like for me:

70
70363Ă—937 46.4 KB

How do I access server actions as shown in the guide?

#13

Perhaps you are running into this?

#14

Hi Ken

Yes, I’ve already discovered that it’s because of the layout. I came across this topic, where the same situation is discussed: Problems following Node.js "Applying Security" Tutorial/Docs

In my case, as in the topic above, I did not create the layout at all, because I plan to create a classic multi-page application. Which raises the question, is it even possible to fully work with nodejs without using layouts?

The system of layouts and approach in building applications on nodejs in the current form, this is basically the concept of SPA.

What if you don’t need a SPA, but a classic multi-page application?

#15

Using node layout and content pages doesn mean you should be building SPA pages…
Layouts are really useful for reusing your navbar/footer etc across your content pages.

3 Likes
#16

Hello, when selecting “Permissions” in “Restrict Properties”: If I select more than one, does it mean that the logged user has to have both permissions? (that’s how it seems to be working now)

Is there a way to make the enforcer pass if the logged user has either of the selected permissions?

image

#17

Yes, all permissions listed are required.

You’ll need to redesign your model to adhere to this behavior.

#18

This is an old tutorial but the principal is the same, you need to use two tables, one for user details, the other for roles. That way a user can reside in more than one role simultaneously

3 Likes
#19

Thanks a lot!.

It makes sense when explicitly stated. Wappler’s permissions field’s tooltip and documentation don’t make it clear IMO.

#20

Thanks a lot, I’ll check this link. :slightly_smiling_face:

#21

Server side data is missing from the UI. Am I missing a step or is this definitely a bug? Trying to restrict pages…

Screenshot 2021-03-04 at 18.51.35
Screenshot 2021-03-04 at 18.51.35710Ă—1376 52.5 KB