<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: OLUKINNI</title>
    <description>The latest articles on Forem by OLUKINNI (@olukinni029).</description>
    <link>https://forem.com/olukinni029</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F904942%2F2da46e5a-b706-495a-a71a-ca3fe0320a6a.jpg</url>
      <title>Forem: OLUKINNI</title>
      <link>https://forem.com/olukinni029</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/olukinni029"/>
    <language>en</language>
    <item>
      <title>The importance of pushing your codes to github always</title>
      <dc:creator>OLUKINNI</dc:creator>
      <pubDate>Sun, 02 Apr 2023 17:15:09 +0000</pubDate>
      <link>https://forem.com/olukinni029/the-importance-of-pushing-your-codes-to-github-always-4jff</link>
      <guid>https://forem.com/olukinni029/the-importance-of-pushing-your-codes-to-github-always-4jff</guid>
      <description>&lt;p&gt;Before we dive into the importance of pushing our codes to GitHub as soon as possible, I would like to inform you all about git and what GitHub is...&lt;/p&gt;

&lt;h1&gt;
  
  
  Git
&lt;/h1&gt;

&lt;p&gt;Git is a distributed version control system that tracks changes in any set of computer files, usually used for coordinating work among programmers collaboratively developing source code during software development. Its goals include speed, data integrity, and support for a distributed, non-linear workflow.&lt;/p&gt;

&lt;h1&gt;
  
  
  GitHub
&lt;/h1&gt;

&lt;p&gt;GitHub is a cloud-based hosting service that lets you manage Git repositories. In short, GitHub is cloud storage where we keep our code for future use.&lt;br&gt;
To learn more about GitHub, &lt;a href="https://docs.github.com/en/get-started/quickstart/hello-world"&gt;click here&lt;/a&gt;.&lt;br&gt;
These two are essential for a newcomer to know, and the right attitude for building your career as a programmer is to always push your code to GitHub. &lt;/p&gt;

&lt;h2&gt;
  
  
  Some reasons for pushing your code
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Backup and version control: By pushing your code to GitHub, you create a backup of your work in case of data loss on your local machine. Additionally, GitHub serves as a version control system, allowing you to track changes to your code over time and easily revert to a previous version if needed.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Collaboration: If you're working on a project with others, pushing your code to GitHub allows your team members to see and review your changes, collaborate on code together, and catch errors or issues early on.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Showcase your work: GitHub is a popular platform that developers and employers use to showcase work. By pushing your code to GitHub, you create a public portfolio of your work that can be viewed and shared with others.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Continuous integration and deployment: By pushing your code to GitHub, you can integrate it with various continuous integration and deployment (CI/CD) tools that automate testing, building, and deployment processes. This can help ensure that your code is always in a functional state and ready for deployment.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  You push to GitHub by going through the following steps
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    git init
    git add .
    git commit -m "commit message"
    git remote add origin 'your_url_name'
    git push -u origin master
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h1&gt;
  
  
  Conclusion
&lt;/h1&gt;

&lt;p&gt;Pushing your code to GitHub regularly means uploading your code to a website called GitHub, where it is stored safely; this is a good practice. It is important because it gives you a backup copy of your code in case your computer crashes or something goes wrong, and it also helps you and your team collaborate more effectively, keep track of changes, and showcase your work.&lt;/p&gt;

&lt;p&gt;Open for review and contribution!&lt;br&gt;
Thank you.&lt;/p&gt;

</description>
      <category>github</category>
      <category>git</category>
      <category>programming</category>
      <category>codenewbie</category>
    </item>
    <item>
      <title>How to overcome docker error while trying to open your Docker desktop on windows 10.</title>
      <dc:creator>OLUKINNI</dc:creator>
      <pubDate>Sun, 26 Mar 2023 12:16:16 +0000</pubDate>
      <link>https://forem.com/olukinni029/how-to-overcome-docker-error-while-trying-to-open-your-docker-desktop-on-windows-10-cf5</link>
      <guid>https://forem.com/olukinni029/how-to-overcome-docker-error-while-trying-to-open-your-docker-desktop-on-windows-10-cf5</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gNroFAcW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0me0rm7o2nq1xyabw2ha.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gNroFAcW--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0me0rm7o2nq1xyabw2ha.png" alt="Docker error message" width="590" height="216"&gt;&lt;/a&gt;.&lt;br&gt;
Docker is a popular platform that allows developers to create and manage containers for their applications. However, some users may encounter an error when attempting to open Docker Desktop on their Windows 10 machine. This error can be frustrating, but there are steps you can take to resolve it.&lt;/p&gt;

&lt;h1&gt;
  
  
  Here are some steps you can take to fix the issue:
&lt;/h1&gt;

&lt;p&gt;1. First, make sure that the Windows Subsystem for Linux (WSL) version 2 feature is enabled on your machine. WSL is a feature that allows you to run Linux commands and applications directly on Windows. Docker Desktop requires WSL version 2 to be enabled in order to run. You can follow &lt;a href="https://learn.microsoft.com/en-us/windows/wsl/install"&gt;Microsoft's documentation&lt;/a&gt; to enable it.&lt;/p&gt;

&lt;p&gt;2. You'll also need to ensure that hardware virtualization support is enabled at BIOS level on your machine. Hardware virtualization is a feature that allows you to run multiple operating systems on the same machine, and Docker Desktop requires it to run containers.&lt;/p&gt;

&lt;h2&gt;
  
  
  To do this:
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Reboot your computer&lt;/li&gt;
&lt;li&gt;While the system is restarting and you see a black screen, enter the BIOS by pressing the hotkey. Depending on your machine, this could be F1, F2, F3, F10, Esc, or Delete. Mine was the Esc key, which opened the Startup Menu.&lt;/li&gt;
&lt;li&gt;Choose the F10 BIOS Setup option.&lt;/li&gt;
&lt;li&gt;Once you're in the BIOS setup, look for the option to enable Virtualization Technology (VTx). This may be located under the "Advanced" menu.&lt;/li&gt;
&lt;li&gt;Save the changes and exit the BIOS setup, which will continue with the restarting process of your PC.&lt;/li&gt;
&lt;li&gt;After completing these steps, try opening Docker Desktop again.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In summary, if you're encountering an error when trying to open Docker Desktop on your Windows 10 machine, make sure that WSL version 2 is enabled and that hardware virtualization support is enabled in your machine's BIOS settings. These steps should help you overcome the error and get Docker Desktop up and running on your machine.&lt;/p&gt;

&lt;p&gt;Hopefully, these instructions will help you get Docker Desktop up and running on your Windows 10 machine! If you have any questions or feedback, feel free to comment.&lt;/p&gt;

</description>
      <category>docker</category>
      <category>programming</category>
      <category>linux</category>
      <category>beginners</category>
    </item>
    <item>
      <title>logging in Node.js</title>
      <dc:creator>OLUKINNI</dc:creator>
      <pubDate>Tue, 30 Aug 2022 09:02:43 +0000</pubDate>
      <link>https://forem.com/olukinni029/logging-in-nodejs-1i3l</link>
      <guid>https://forem.com/olukinni029/logging-in-nodejs-1i3l</guid>
      <description>&lt;p&gt;Logging can be described as the process of writing information in a log file, which can be used later for debugging in the case of any issue. Logging is an essential part of understanding the complete application life cycle of the Node.js program. From starting to debugging and adding new features, logs provide support by analyzing the data, and we can resolve bugs much easier and quicker by detecting errors as soon as they occur. There are common levels of logging in Node.js: error, warn, info, debug. In this article, we will be discussing about how logging could be us to debug easily and it advantages.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;The following are ways to log in Node.js:&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  console.log
&lt;/h3&gt;

&lt;p&gt;The original method of logging is console.log, a function that writes a message to the debugging console, but it gives you little control over the output. When running console.log, you may notice a negligible decrease in performance. To avoid negatively impacting performance, I recommend switching to a logging library when your project begins to expand.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;console.log(level, message)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Use of log library
&lt;/h3&gt;

&lt;p&gt;Logging libraries help developers create and manage log events, which can increase the overall efficiency and functionality of your application. Some of the most popular logging libraries for Node are Winston, Pino, Bunyan, and Morgan.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;a href="https://www.npmjs.com/package/winston"&gt;Winston&lt;/a&gt;
&lt;/h4&gt;

&lt;p&gt;Winston includes storage options, different log levels &amp;amp; queries, and a profiler. Winston might be the best choice because it supports multiple transports.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const winston = require('winston');
const config = require('./config');

const enumerateErrorFormat = winston.format((info) =&amp;gt; {
  if (info instanceof Error) {
    Object.assign(info, { message: info.stack });
  }
  return info;
});

const logger = winston.createLogger({
  level: config.env === 'development' ? 'debug' : 'info',
  format: winston.format.combine(
    enumerateErrorFormat(),
    config.env === 'development' ? winston.format.colorize() : winston.format.uncolorize(),
    winston.format.splat(),
    winston.format.printf(({ level, message }) =&amp;gt; `${level}: ${message}`)
  ),
  transports: [
    new winston.transports.Console({
      stderrLevels: ['error'],
    }),
  ],
});

module.exports = logger;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  &lt;a href="https://www.npmjs.com/package/pino"&gt;Pino&lt;/a&gt;
&lt;/h4&gt;

&lt;p&gt;This logging library is very popular for its low overhead and minimalism. It uses less resources for logging by using a worker thread for processing.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const pino = require('pino');

// Create a logging instance
const logger = pino({
  level: process.env.NODE_ENV === 'production' ? 'info' : 'debug',
});


logger.info('Application started!');
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  &lt;a href="https://www.npmjs.com/package/bunyan"&gt;Bunyan&lt;/a&gt;
&lt;/h4&gt;

&lt;p&gt;Bunyan is another fast JSON logging library that supports multiple transports and provides a CLI for filtering the logs. Its logging methods are refined and do exactly what they are meant to. My favorite feature of Bunyan is log snooping, which helps in debugging failures in production.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const bunyan = require('bunyan');
const log = bunyan.createLogger({name: 'myapp'});
log.info('My App');


{"name":"myapp","hostname":"banana.local","pid":40161,"level":30,"msg":"My App","time":"2022-04-04T18:24:23.851Z","v":0}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Other cool features of Bunyan are a stream system for controlling where logs are located, support for environments aside from Node.js, and that JSON objects are serialized by default.&lt;/p&gt;

&lt;h4&gt;
  
  
  &lt;a href="https://www.npmjs.com/package/morgan"&gt;Morgan&lt;/a&gt;
&lt;/h4&gt;

&lt;p&gt;HTTP requests in Node.js can also be logged with a middleware called Morgan, which collects the server's request logs and formats them to make them more readable.&lt;/p&gt;

&lt;p&gt;To use Morgan, register it as Express middleware with a format string:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const morgan = require('morgan');
app.use(morgan('dev'));
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Log management system
&lt;/h3&gt;

&lt;p&gt;Depending on how big your application is, it may be helpful to pull the logs out of your application and manage them separately using a log management system.&lt;br&gt;
Log management systems allow you to track and analyze logs as they happen in real-time, which in turn can help improve your code. A log management system can help you keep track of useful data including backend errors, anomalies, log sources, and production errors.&lt;br&gt;
For log analysis and log management tools, I recommend Sentry, Loggly, McAfee Enterprise, Graylog, Splunk, Logmatic or Logstash.&lt;/p&gt;

&lt;h3&gt;
  
  
  Health monitoring tools
&lt;/h3&gt;

&lt;p&gt;Health monitoring tools are a good way to keep track of your server performance and identify causes of application crashes or downtime. Most health monitoring tools offer error tracking as well as alerts and general performance monitoring. Some developers find error tracking particularly frustrating in Node.js, so using a health monitoring tool can help alleviate some of those difficulties.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Below are few popular monitoring tools for Node.js:&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://pm2.keymetrics.io"&gt;PM2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sematext.com"&gt;Sematext&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.app-metrics.io"&gt;App Metrics&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://clinicjs.org"&gt;ClinicJS&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.appsignal.com"&gt;AppSignal&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;For an optimal logging and monitoring experience in Node.js, it is best to choose the library that suits your needs. It would also be great if you follow some logging best practices to reap the most benefits, as logs are a software engineer’s best friend. Do not log sensitive information such as a user's credit card details, and be careful about what you log.&lt;br&gt;
Try to log everything that you feel could be useful later. Obviously, you will figure these things out as you face them, but try to start with the bare minimum.&lt;/p&gt;

&lt;p&gt;Thank you.🙂👍&lt;/p&gt;

</description>
      <category>node</category>
      <category>webdev</category>
      <category>logging</category>
      <category>npm</category>
    </item>
    <item>
      <title>How to Secure Nodejs Application.</title>
      <dc:creator>OLUKINNI</dc:creator>
      <pubDate>Mon, 08 Aug 2022 13:29:59 +0000</pubDate>
      <link>https://forem.com/olukinni029/how-to-secure-nodejs-application-95e</link>
      <guid>https://forem.com/olukinni029/how-to-secure-nodejs-application-95e</guid>
      <description>&lt;p&gt;This article is all about how we can improve the security system of our nodejs application from being attacked or hacked. But first, we need to know what node.js means.Node.js is extremely popular nowadays, primarily as a backend server for web applications. However, in the world of micro-services, you can find it pretty much everywhere, playing different and important roles in a bigger application stack. One of the advantages of Node.js is the ability to install additional modules, which from a security point of view, provides more opportunities to open back doors.&lt;/p&gt;

&lt;p&gt;Additionally, the more popular the framework, the more likely it is that attackers will try to find vulnerabilities in it. Therefore, you should always take Node.js security seriously. Developers tend to think about the security of an application only at the end of the development cycle. A secure application is not a luxury; it is a necessity. You should consider the security of your application at every phase of development: architecture, design, code, and finally deployment. With that said, what are the vulnerabilities or loopholes that attackers tend to look for? We will discuss them, and their solutions, below.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Common attacks on Node.js applications:&lt;/em&gt;
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;SQL Injection;&lt;/li&gt;
&lt;li&gt;Cross-site scripting (XSS);&lt;/li&gt;
&lt;li&gt;Brute force.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;&lt;p&gt;SQL Injection: An &lt;a href="https://www.w3schools.com/sql/sql_injection.asp"&gt;SQL injection&lt;/a&gt; attack is where an SQL query is ’injected‘ into your web app’s database.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Cross-site scripting(XSS): Cross-site scripting is another type of injection attack, which occurs when an attacker inputs malicious code into a legitimate website by exploiting user inputs.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Brute force: the simplest form of attack, this one involves trying every possibility to find a solution. In your web app, this could mean finding a password by checking millions of likely passwords.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;These are the common attacks, and the reason we need to secure our Node.js applications; below are the defences against each of them:&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Validate user input to limit SQL injections and XSS attacks&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Let’s start with one of the most popular attacks, SQL Injection. As the name suggests, a SQL injection attack happens when a hacker can execute SQL statements on your database. This becomes possible when you don’t sanitize the input from the front end. In other words, if your Node.js backend takes the parameter from the user-provided data and uses it directly as a part of the SQL statement.&lt;/p&gt;

&lt;p&gt;You must always validate or sanitize the data coming from the user or from any other entity in the system. Bad validation, or no validation at all, is a threat to the working system and can lead to a security exploit. You should also escape the output. Let's learn how to validate incoming data in Node.js. You can use a node module called &lt;a href="https://www.npmjs.com/package/validatorjs"&gt;validator&lt;/a&gt; to perform the data validation. For example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const validator = require('validator');
validator.isEmail('foo@bar.com'); //=&amp;gt; true
validator.isEmail('bar.com'); //=&amp;gt; false

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can also use a module called &lt;a href="https://www.npmjs.com/package/joi"&gt;Joi&lt;/a&gt; to perform the data/schema validation. For example :&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const joi = require('joi');
  try {
    const schema = joi.object().keys({
      name: joi.string().min(3).max(45).required(),
      email: joi.string().email().required(),
      password: joi.string().min(6).max(20).required()
    });

    const dataToValidate = {
        name: "Victor",
        email: "abc.com",
        password: "123456",
    }
    const result = schema.validate(dataToValidate);
    if (result.error) {
      throw result.error.details[0].message;
    }    
  } catch (e) {
      console.log(e);
  }
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To prevent SQL injection attacks, sanitize input data. You can either validate every single input or use parameter binding. Parameter binding is what most developers use, as it offers both efficiency and security. If you are using a popular ORM such as &lt;a href="https://sequelize.org/"&gt;sequelize&lt;/a&gt;, &lt;a href="https://hibernate.org/"&gt;hibernate&lt;/a&gt;, etc., then it already provides the functions to validate and sanitize your data. If you are using database modules other than an ORM, such as &lt;a href="https://github.com/mysqljs/mysql#escaping-query-values"&gt;mysql&lt;/a&gt; for Node or &lt;a href="https://mongoosejs.com/"&gt;Mongoose&lt;/a&gt;, you can use the escaping methods provided by the module. Let's learn by example. The code shown below uses the &lt;a href="https://github.com/mysqljs/mysql#escaping-query-values"&gt;mysql&lt;/a&gt; module for Node.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;var mysql = require('mysql');
var connection = mysql.createConnection({
  host     : 'localhost',
  user     : 'me',
  password : 'secret',
  database : 'my_db'
});

connection.connect();

connection.query(
    'UPDATE users SET ?? = ? WHERE ?? = ?',
    ['first_name',req.body.first_name, ,'id',1001],
    function(err, result) {
    //...
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The same applies to cross-site scripting (XSS), but the difference is that instead of sending malicious SQL, the attacker gets JavaScript code executed in the victim's browser.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;node
app.get('/find_product', (req, res) =&amp;gt; {
  ...
  if (products.length === 0) {
    return res.send('&amp;lt;p&amp;gt;No products found for "' + req.query.product + '"&amp;lt;/p&amp;gt;');
  }
  ...
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As you can see in the snippet above, whatever the user puts in the search field, if not found in the database, is sent back to the user unchanged. That means that if an attacker puts JavaScript code instead of a product name in your search bar, that JavaScript code will be executed. To validate the user input, you can use &lt;a href="https://www.npmjs.com/package/validatorjs"&gt;validator js&lt;/a&gt; or &lt;a href="https://www.npmjs.com/package/xss-filters"&gt;xss-filters&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Application Authentication and Authorization&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Having a broken, weak, or incomplete authentication mechanism is ranked as the second most common vulnerability. It’s probably because many developers think about authentication as “we have it, so we’re secure.” In reality, weak or inconsistent authentication is easy to bypass. Sensitive data such as passwords should be securely stored in the system so that malicious users cannot misuse them. One solution is to use existing authentication solutions like &lt;a href="https://www.okta.com/"&gt;Okta&lt;/a&gt; or &lt;a href="https://oauth.net/"&gt;OAuth&lt;/a&gt;.&lt;br&gt;
If you prefer to stick with native Node.js authentication solutions, you need to remember a few things. When hashing passwords, don’t use the Node.js built-in crypto library; use &lt;a href="https://www.npmjs.com/package/bcrypt"&gt;Bcrypt&lt;/a&gt; or &lt;a href="https://www.npmjs.com/package/scrypt"&gt;Scrypt&lt;/a&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const bcrypt = require('bcrypt');

const saltRounds = 10;
const password = "Some-Password@2020";

bcrypt.hash(
    password,
    saltRounds,
    (err, passwordHash) =&amp;gt; {

    //we will just print it to the console for now
    //you should store it somewhere and never log or print it

    console.log("Hashed Password:", passwordHash);
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const bcrypt = require('bcrypt');

const incomingPassword = "Some-Password@2020";
const existingHash = "some-hash-previously-generated"

bcrypt.compare(
    incomingPassword,
    existingHash,
    (err, res) =&amp;gt; {
        if(res &amp;amp;&amp;amp; res === true) {
            return console.log("Valid Password");
        }
        //invalid password handling here
        else {
            console.log("Invalid Password");
        }
});
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Make sure to limit failed login attempts, and don’t tell the user whether it’s the username or the password that is incorrect. Instead, return a generic “incorrect credentials” error. You also need proper session management policies. And be sure to implement two-factor authentication (2FA). If done properly, it can increase the security of your application drastically. You can do it with modules like &lt;a href="https://www.npmjs.com/package/node-2fa"&gt;node-2fa&lt;/a&gt; or &lt;a href="https://www.npmjs.com/package/speakeasy"&gt;speakeasy&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Avoid errors that reveal too much&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Next on the list is error handling. There are a few things to consider here. First, don’t let the user know the details, i.e., don’t return the full error object to the client. It can contain information that you don’t want to expose, such as paths, other libraries in use, or perhaps even secrets. Second, wrap route handlers in a catch clause so that an error triggered by a request does not crash Node.js.&lt;/p&gt;

&lt;p&gt;This prevents attackers from finding malicious requests that crash your application and sending them over and over again, making your application crash constantly. Speaking of flooding your Node.js app with malicious requests, don’t expose your Node.js app directly to the Internet. Put some component in front of it, such as a load balancer, a cloud firewall or gateway, or good old Nginx. This will allow you to rate-limit DoS attacks one step before they hit your Node.js app.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;HTTP Security Headers&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;HTTP provides several security headers that can prevent commonly known attacks. If you are using the Express framework, you can use a module called &lt;a href="https://www.npmjs.com/package/helmet"&gt;helmet&lt;/a&gt; to enable all security headers with a single line of code.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm install helmet --save
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;const express = require("express"); 
const helmet = require("helmet");  
const app = express(); 
app.use(helmet());  
//...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This enables the following HTTP headers.&lt;/p&gt;

&lt;blockquote&gt;
&lt;ul&gt;
&lt;li&gt;Strict-Transport-Security&lt;/li&gt;
&lt;li&gt;X-Frame-Options&lt;/li&gt;
&lt;li&gt;X-XSS-Protection&lt;/li&gt;
&lt;li&gt;X-Content-Type-Options&lt;/li&gt;
&lt;li&gt;Content-Security-Policy&lt;/li&gt;
&lt;li&gt;Cache-Control&lt;/li&gt;
&lt;li&gt;Expect-CT&lt;/li&gt;
&lt;li&gt;Disable X-Powered-By&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;p&gt;These headers protect against various types of attacks such as &lt;em&gt;clickjacking&lt;/em&gt;, &lt;em&gt;cross-site scripting&lt;/em&gt;, etc.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Dependencies Validation&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;We all use tons of dependencies in our projects. We need to check and validate these dependencies as well to ensure the security of the overall project. &lt;a href="https://www.npmjs.com/"&gt;NPM&lt;/a&gt; already has an audit feature that finds known vulnerabilities in the project's dependencies. Just run the command shown below in your source code directory.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;To fix the vulnerability, you can run this command.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit fix
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can also do a dry run to review the fix before applying it to your project.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm audit fix --dry-run --json
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  &lt;em&gt;Set up logging and monitoring&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;You may think that logging and monitoring, while important, aren’t related to security, but that isn’t true. Of course, the goal is to make systems secure from the beginning, but in reality, it requires an ongoing process. And for that, you need logging and monitoring. Some attackers may be interested in making your application unavailable, which you can notice even without logging. But some attackers will prefer to remain undetected for a longer period. For such cases, monitoring logs and metrics will help you spot that something is wrong. With only basic logging, you won’t get enough information to understand whether weird-looking requests are coming from your application, a third-party API, or an attacker.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Use security linters&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;We talked about automatic vulnerability scanning before, but you can go one step further and catch common security vulnerabilities even while writing the code. How? By using linter plugins like &lt;a href="https://github.com/nodesecurity/eslint-plugin-security"&gt;eslint-plugin-security&lt;/a&gt;. A security linter will notify you every time you use unsafe code practices (for example using eval or non-literal regex expressions).&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;em&gt;Avoid secrets in config files&lt;/em&gt;
&lt;/h3&gt;

&lt;p&gt;Writing secure code from the beginning will help, but it won’t make your application bulletproof if you end up storing plain text secrets in your config files. This practice is unacceptable even if you store the code in a private repository. Importing secrets from environment variables is the first step, but it’s not a perfect solution either. To be more confident that your secrets aren’t easily readable, use secret management solutions like &lt;a href="https://www.vaultproject.io/"&gt;Vault&lt;/a&gt;. Whenever using Vault isn’t possible, encrypt your secrets when you store them and be sure to rotate them regularly. Many CI/CD solutions allow you to securely store secrets and securely deploy them.&lt;/p&gt;

&lt;p&gt;I hope you find these node.js application security practices helpful.&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;Node.js is the master key solution for start-ups to speed up and simplify development, and it is a sophisticated ecosystem adopted by leading enterprises. Even the safest of treasures needs precautions against theft and attacks, and when you are using the most precious web framework for your valuable project, you surely want to shield it from burglary. Therefore we need to be security-conscious about our Node.js applications.&lt;/p&gt;

</description>
      <category>security</category>
      <category>node</category>
      <category>javascript</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
