Lecture 2 - Asynchronous I/O

Programming Models

  1. Concurrency (Asynchronous I/O = cooperative multitasking)
    • Multiple tasks have the ability to run in an overlapping manner
    • Concurrency does not imply parallelism!
  2. Multiprocessing
    • CPU-bound tasks
  3. Multithreading
    • I/O-bound tasks
    • It uses preemptive multitasking

Promise object:

  • an object returned by an async function.
  • An object representing completion or failure of an asynchronous operation.

Await function:

  • makes the program wait until the promise is resolved or rejected
  • can only be used inside an async function
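The following is an added example, not part of the lecture notes: simulated I/O tasks (timers standing in for file, DNS and HTTP waits; the task names and delays are constructed) run once sequentially with await and once concurrently with Promise.all, showing that the waits overlap on a single thread, i.e. concurrency without parallelism, and that a rejected promise surfaces as an exception at the await.

```javascript
// Added example (not from the lecture notes). Task names and delays are constructed.
function ioTask(name, ms) {
  // A Promise representing an asynchronous operation that completes after `ms` milliseconds
  return new Promise((resolve) => setTimeout(() => resolve(name), ms));
}

async function runSequentially(tasks) {
  const results = [];
  for (const [name, ms] of tasks) {
    // await suspends this function only; the event loop keeps running other work
    results.push(await ioTask(name, ms));
  }
  return results;
}

async function runConcurrently(tasks) {
  // All tasks are started first, so their waits overlap; results keep input order
  const pending = tasks.map(([name, ms]) => ioTask(name, ms));
  return Promise.all(pending);
}

async function compare(tasks) {
  const t0 = Date.now();
  const seq = await runSequentially(tasks);
  const seqMs = Date.now() - t0;
  const t1 = Date.now();
  const conc = await runConcurrently(tasks);
  const concMs = Date.now() - t1;
  return { seq, conc, seqMs, concMs };
}

// A rejected promise becomes an exception at the await and can be caught normally
async function failingTask() {
  try {
    await Promise.reject(new Error('connection refused'));
    return 'unreachable';
  } catch (e) {
    return `caught: ${e.message}`;
  }
}

// Constructed sample tasks: [name, simulated I/O delay in ms]
const TASKS = [['read-file', 30], ['dns-lookup', 20], ['http-get', 40]];

compare(TASKS).then((r) => console.log(r)); // sequential ~90 ms, concurrent ~40 ms
```

The total for the concurrent run is roughly the longest single wait, while the sequential run is the sum of all waits; no second thread was involved.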

Lecture 3 - Cloud Architectures

Cloud Computing Concepts

  • On-demand and self-service (resources are provided only when needed, automatically)
    • Resources are provisioned as they are requested and when they are required
    • No human interaction, automatic
  • Broad network access (resources can be reached over the network)
    • Capabilities are available over the network
  • Resource pooling (resources are provided according to demand; the hardware is shared by multiple tenants)
    • Resources are dynamically assigned/re-assigned according to demand
    • Provider’s computing resources reused by multiple tenants
    • Computing resources: CPU, memory, storage, network
  • Scalability and elasticity (resources grow or shrink according to demand)
    • Infrastructure may grow and shrink according to needs
    • Automatic or manual
  • Measured service (resource usage can be monitored and controlled)
    • Resource usage can be monitored, controlled and reported
  • Pay-per-use (consumers pay only when they use resources)
    • Consumers only pay for resources when they use them

Multitenancy: Architectural approach where resources are shared between multiple tenants or consumers

Infrastructure as Code: Version control, team development, scripting, etc.

Terraform:

  1. Higher-level abstraction of the datacenter and associated services
  2. Supports many service providers: Google, Microsoft, Oracle, AWS

VCN = a private network in a single region in which your instances reside

Lecture 4 - Cloud Native and Microservices

Microservices: applications built as independently deployable services

  1. Loosely coupled: Integrated using well-defined interfaces
  2. Technology-agnostic protocols: HTTP; they use the REST architecture
  3. Independently deployable and easy to replace: a change in a small part requires redeploying only that part
  4. Implemented using different technologies: PL, databases

Container

  1. Dockerfile is a script that creates a new image

  2. Each line in the Dockerfile creates an intermediary layer

    docker build -t tomvit/httpd:v1

  If processing fails at some step, all preceding steps will be loaded from the cache on the next run.

Networking and Linking:

  1. bridge – container can access host’s network (default)
  2. host – all host’s network interfaces will be available in the container
  3. none – container will be placed on its own network and no network interfaces will be configured.

Data Volume:

  • A directory that bypasses the union file system
  • Data volumes can be shared and reused among containers
  • A data volume persists even if the container is deleted
  • It is possible to mount shared storage as a data volume by using a volume plugin to mount e.g. NFS

Lecture 5 - Browser Networking

Network security

  1. Connection limits
  2. Request formatting and response processing
  3. TLS negotiation
  4. Same-origin policy

XMLHttpRequest (XHR)

  • basis for AJAX → Asynchronous JavaScript and XML

Security

Scripting Attacks

CSRF(Cross-site request forgery)

Exploits the fact that the user's session has not yet expired to impersonate the user and make malicious requests.

The CSRF attack flow exploits the window shortly after a user has used a service, while the session has not yet expired: the user is lured into clicking a malicious link, which sends an unintended request under the user's identity. For example, shortly after logging in to online banking the user receives a link, and only after opening it turns out that it is a transfer API that moves money from the user's account to a specified account. Concretely, the user is lured to a malicious website whose img src points at an API with a CSRF vulnerability; as long as the session has not expired, the attack succeeds, assuming of course that the API is a GET request.

Prevention:

  1. Check the Referer: the Referer header field records the source domain, so block any request from a different domain. Simple and direct, but unfortunately some browsers do not send a Referer.
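The following is an added example, not part of the lecture notes, of the source check described above as a server-side function. It prefers the Origin header and falls back to the Referer, and because some browsers omit both it has to choose a policy for that case: here a state-changing request with neither header is rejected. The allowed origin and the request headers are constructed for illustration.

```javascript
// Added example (not from the lecture notes). Origin/Referer check for state-changing requests.
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Reduce a Referer URL to its origin (scheme + host + port); null if unparsable/absent
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Returns { ok, reason }. Safe (read-only) methods are not checked, so state-changing
// actions must never be reachable via GET, or this check does not cover them.
function checkRequestOrigin(method, headers, allowedOrigin) {
  if (!STATE_CHANGING.has(method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }
  // Browsers send Origin on cross-site POSTs; use it first, then the Referer's origin
  const origin = headers.origin || originOf(headers.referer);
  if (origin === null || origin === undefined) {
    // Some browsers strip the Referer entirely; a strict policy rejects rather than guesses
    return { ok: false, reason: 'no Origin/Referer header' };
  }
  if (origin !== allowedOrigin) {
    return { ok: false, reason: `cross-site origin ${origin}` };
  }
  return { ok: true, reason: 'same origin' };
}

// Constructed sample requests against a hypothetical banking site
const SITE = 'https://bank.example';
const SAMPLES = [
  ['GET', {}],
  ['POST', { origin: 'https://bank.example' }],
  ['POST', { referer: 'https://bank.example/account/1' }],
  ['POST', { referer: 'https://evil.example/page' }],
  ['POST', {}],
];
for (const [method, headers] of SAMPLES) {
  console.log(method, JSON.stringify(headers), checkRequestOrigin(method, headers, SITE));
}
```

The third and fourth samples show why the comparison is on the full origin rather than a substring of the host; the last sample shows the header-less case the notes warn about.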

XSS (Cross-Site-Scripting)

Malicious code is injected into a website so that the site executes it, with the goal of obtaining sensitive data.

Stored XSS: XSS attacks are common where a website accepts user input (forms, comment replies, etc.). The attacker enters malicious code and submits it, injecting the malicious program into the database to carry out the attack. Because a successful attack is visible only in the database and every user is affected, this variant does the most damage.

Ex. If, when replying to a comment on a social site, a user enters … and the site displays the user's comment without any XSS defence, the site will show the malicious notice.

Prevention:

  1. The most important principle is never to trust user input; check it at input time or at output time, e.g. convert the user-entered value to plain text before outputting it. Under a front-end framework (e.g. Vue.js), all data is checked for XSS and converted to plain text.
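The following is an added example, not part of the lecture notes, showing the "convert to plain text at output time" rule: a comment renderer that concatenates raw input beside one that HTML-escapes every untrusted value. The user names and comment text are constructed.

```javascript
// Added example (not from the lecture notes). Output encoding for user-supplied text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Convert text to its HTML-safe form so the browser shows it as plain text
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the comment is concatenated into HTML as-is, so any markup
// in it becomes part of the page.
function renderCommentUnsafe(user, comment) {
  return `<li><b>${user}</b>: ${comment}</li>`;
}

// Hardened form: every untrusted value is escaped at output time.
function renderComment(user, comment) {
  return `<li><b>${escapeHtml(user)}</b>: ${escapeHtml(comment)}</li>`;
}

// True if the rendered HTML contains any tag other than the ones the template itself emits
function containsForeignTag(html) {
  return /<(?!\/?(?:li|b)\b)[a-z]/i.test(html);
}

// Constructed sample comments, as they would be read back from the database
const COMMENTS = [
  ['alice', 'Tom & <b>Jerry</b> "quoted"'],
  ['bob', 'see <i>this</i>'],
];
for (const [user, comment] of COMMENTS) {
  console.log('unsafe:', renderCommentUnsafe(user, comment));
  console.log('safe:  ', renderComment(user, comment));
}
```

In the browser the same rule applies on the DOM side: assign untrusted text with textContent rather than innerHTML, which is what a framework's default interpolation does for you.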

Cross-origin Resource Sharing Protocol (CORS)

  • Allow for cross-site HTTP requests
    • HTTP requests for resources from a different domain than the domain of the resource making the request.


JSON and JSONP

AJAX requests are subject to the same-origin policy and may not make cross-origin requests, but the link in a script tag's src attribute can load a cross-origin JavaScript file. Using this property, the server no longer returns JSON data but returns JavaScript code that calls some function; the script is loaded via src, and this achieves the cross-origin access.

  • Service that supports JSONP
    • allows to specify a query string parameter for a wrapper function to load the data in JavaScript code
    • otherwise the data cannot be used in JavaScript
      • they’re loaded into the memory but assigned to nothing
    • A kind of workaround for the same origin policy

  Resource                        Format  GET                    DELETE
  http://company.at/customers     XML     AJAX (1)               AJAX (2)
  http://company.at/suppliers     JSON    AJAX, JSONP (3)        AJAX (4)
  http://weather.at/innsbruck     XML     AJAX-CORS (5)          AJAX-CORS (6)
  http://people.at/students       JSON    AJAX-CORS, JSONP (7)   AJAX-CORS (8)
  http://people.at/{dob}/contact  VCARD   AJAX-CORS (9)          AJAX-CORS (10)
const http = require('http');
http.createServer((req, res) => {
  // CORS: any origin may read this response; use a specific origin instead of '*' for credentialed requests
  res.writeHead(200, { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' });
  res.end(JSON.stringify({ city: 'innsbruck' }));
}).listen(8080);
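The following is an added example, not part of the lecture notes, of a server-side helper that serves the same resource either as JSON (for same-origin AJAX, or AJAX-CORS when an allowed origin is given) or as JSONP when the query string carries the wrapper-function parameter. The parameter name callback, the response data and the allowed origin are constructed; the one check a practitioner wants here is that the callback name is a bare identifier, since it is echoed into executable JavaScript.

```javascript
// Added example (not from the lecture notes). JSON vs. JSONP response building.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/; // a bare JS identifier; anything else is refused

// Returns { status, headers, body } as the HTTP layer would send it.
function buildResponse(data, query, allowedOrigin) {
  if (query.callback !== undefined) {
    // JSONP: the body is JavaScript that calls the client's wrapper function with the data
    if (!CALLBACK_NAME.test(query.callback)) {
      return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback name' };
    }
    return {
      status: 200,
      headers: { 'Content-Type': 'application/javascript', 'X-Content-Type-Options': 'nosniff' },
      body: `/**/${query.callback}(${JSON.stringify(data)});`,
    };
  }
  // JSON: readable cross-origin only if CORS names the requesting origin (or '*')
  const headers = { 'Content-Type': 'application/json' };
  if (allowedOrigin) headers['Access-Control-Allow-Origin'] = allowedOrigin;
  return { status: 200, headers, body: JSON.stringify(data) };
}

// Constructed sample resource
const STUDENTS = [{ name: 'Ana', year: 2 }, { name: 'Ben', year: 3 }];

console.log(buildResponse(STUDENTS, {}, null));                    // same-origin AJAX
console.log(buildResponse(STUDENTS, {}, 'http://company.at'));     // AJAX-CORS
console.log(buildResponse(STUDENTS, { callback: 'showStudents' })); // JSONP
console.log(buildResponse(STUDENTS, { callback: 'bad name;' }));    // rejected
```

JSONP only ever works for GET, because a script tag can only issue GET requests; that is why the table above lists JSONP in the GET column only, while DELETE on a foreign origin needs AJAX-CORS.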

Lecture 6 - Security

Authentication is the mechanism for proving an identity; for example, an authenticate(name, passwd) method defines how verification is performed with name and passwd. Authentication is not limited to a name and password: it may also be based on mechanisms such as certificates. Once caterpillar has passed authentication, the message can be seen; in other words, a separate mechanism decides whether viewing the message resource is permitted. That is authorization, which defines the access-control rules between identities and resources; for example, the flow if (authorized()) { show("message"); } defines whether "message" may be displayed.

Standard: HTTP authentication

  • HTTP defines two options
    • Basic Access Authentication
    • Digest Access Authentication

Basic authentication

HTTP Basic Authentication is a simple authentication method for HTTP requests, used to protect resources on the server. When the client sends a request to the server it must provide an account (user-id) and password for the server to verify; the resource is returned only if verification succeeds.

The client supplies the Basic Authentication credentials by adding the header key=Authorization, value=Basic <basic-credentials> to the HTTP request headers. Basic is the name of the Basic Authentication scheme and is always placed in front. <basic-credentials> is the Basic Authentication credential: the Base64 encoding of user-id:password. For example, with account john and password abc, <basic-credentials> is the Base64 encoding of john:abc, i.e. am9objphYmM=

So when requesting a server resource, the following field is added to the request headers.

Authorization: Basic am9objphYmM=

  • A client may associate valid credentials with a realm, so that it copies the authorization information into further requests for which the server requires authentication (signalled by the WWW-Authenticate header)
  • Credentials: credentials are base64 encoded (the format is: username:password)

Digest Access Authentication

No password is sent between the client and the server, only a hash value.

TLS

  • TLS provides a message framing mechanism
  • Every message is signed with Message Authentication Code (MAC)
  • MAC hashes data in a message and combines the resulting hash with a key (negotiated during the TLS handshake)
  • The result is a message authentication code sent with the message

TLS and Proxy Servers:

  • TLS Offloading: Inbound TLS connection, plain outbound connection ‒ Proxy can inspect messages

  • TLS Bridging: Inbound TLS connection, new outbound TLS connection ‒ Proxy can inspect messages

  • End-to-End TLS (TLS pass-through): the TLS connection is passed through the proxy - Proxy cannot inspect messages

  • Load balancer: Can use TLS offloading or TLS bridging ‒ Can use TLS pass-through with help of Server Name Indication (SNI)

JSON Web Token (JWT)

After the user logs in, subsequent requests carry the JWT.

  • Authorization: this is the most common use of JWT. After a user logs in from the client, every further request the user sends to the server carries the JWT, allowing the user to access the resources that the token is authorized for. Single Sign-On is one of the features that makes wide use of JWT today, because its overhead is small and it can easily be used across different domains.
  • Information exchange: a JWT can be signed with a public/private key pair, which lets us know who sent the JWT; moreover, because the signature is computed over the header and the payload, we can also verify that the content has not been tampered with.
  1. Open standard
  2. Mechanism to securely transmit information between parties as a JSON object
  3. Can be verified and trusted as it is digitally signed

Basic concepts

  • Compact → has a small size → can be transmitted via a URL, POST, HTTP header.
  • Self-contained → payload contains all required user information.

Oauth 2.0

  • OAuth 1.0 – first standard, security problems, quite complex
  • OAuth 2.0 – new version, not backward compatible with 1.0

  • Authorization request: client_id, client_secret and redirect_link
  • Grant: code + client_id + client_secret + redirect_link + grant_type: “authorization_code”
  • Access token: a JWT token; jwt.decode(token) to get the data.

Response:

  • Success – 200 OK.
  • Error – 401 Unauthorized when token expires or the client hasn’t performed the authorization request.

Refreshing a token:

  • POST request to the token endpoint with grant_type=refresh_token and the previously obtained value of refresh_token

OpenID Protocol

OpenID neatly solves the problem of keeping multiple accounts in sync.

XRDS: an XML-based XRI resource descriptor, designed to provide usable, descriptive information about an XRI. In OpenID, XRDS is used to describe OpenID servers, and the "priority" parameter marks the user's preferred order of servers. In the example below, http://www.livejournal.com/users/frank has the highest priority (the lowest numeric value):

Lecture 7 - Protocols for the Realtime Web

The server is able to send pieces of the response without terminating the connection.

  • using the Transfer-Encoding header in HTTP 1.1 (Transfer-Encoding: chunked)
    • Each chunk starts with a hexadecimal value for its length
    • End of response is marked with a chunk length of 0
  • using End of File in HTTP 1.0 (server omits Content-Length in the response)
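The following is an added example, not part of the lecture notes, of a decoder for the chunked format just described: each chunk is a hexadecimal length line, then that many bytes, then CRLF, and a chunk of length 0 ends the response. It reports whether the response is complete so that a caller reading from a socket can keep appending data, and it rejects length lines that are not hexadecimal, which matters because a parser that silently tolerates malformed lengths can disagree with the next hop about where a message ends. The sample streams are constructed and ASCII-only, so character and byte counts coincide.

```javascript
// Added example (not from the lecture notes). Decoder for Transfer-Encoding: chunked.
// Returns { body, complete, rest }: body holds the chunks decoded so far, rest the
// unconsumed tail (so more socket data can be appended and parsing resumed).
function parseChunked(raw) {
  let pos = 0;
  let body = '';
  for (;;) {
    const lineEnd = raw.indexOf('\r\n', pos);
    if (lineEnd < 0) return { body, complete: false, rest: raw.slice(pos) };
    // chunk-size is hex, optionally followed by ";name=value" chunk extensions
    const sizeField = raw.slice(pos, lineEnd).split(';')[0].trim();
    if (!/^[0-9A-Fa-f]+$/.test(sizeField)) throw new Error(`bad chunk size: ${JSON.stringify(sizeField)}`);
    const size = parseInt(sizeField, 16);
    if (size === 0) {
      // last-chunk: optional trailer header lines, then an empty line
      const end = raw.indexOf('\r\n\r\n', lineEnd);
      if (end < 0) return { body, complete: false, rest: raw.slice(pos) };
      return { body, complete: true, rest: raw.slice(end + 4) };
    }
    const dataStart = lineEnd + 2;
    if (raw.length < dataStart + size + 2) return { body, complete: false, rest: raw.slice(pos) };
    body += raw.slice(dataStart, dataStart + size);
    if (raw.slice(dataStart + size, dataStart + size + 2) !== '\r\n') {
      throw new Error('chunk data not terminated by CRLF');
    }
    pos = dataStart + size + 2;
  }
}

// Constructed sample streams
const COMPLETE = '5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n';
const PARTIAL = '5\r\nhello\r\n6\r\n wor';
const WITH_EXTENSION = '3;name=x\r\nabc\r\n0\r\nX-Trailer: done\r\n\r\n';

console.log(parseChunked(COMPLETE));       // body 'hello world', complete true
console.log(parseChunked(PARTIAL));        // body 'hello', complete false, rest '6\r\n wor'
console.log(parseChunked(WITH_EXTENSION)); // body 'abc', complete true
```

Resuming after a partial read is simply parseChunked(rest + moreData) with the body accumulated by the caller, which is how a streaming client would consume the pieces as the server sends them.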

Pushing – updates from the server (also called COMET)

  • long polling – server holds the request for some time
  • streaming – server sends updates without closing the socket

Server-Sent Events

  • API to handle HTTP streaming in browsers by using DOM events
  • transparent to underlying HTTP streaming mechanism
  • Format
    • the response’s content-type must be text/event-stream
    • every line starts with data:; an event message is terminated by two \n characters
    • every message may have an associated id (optional)
    • When a connection is dropped, EventSource will automatically reconnect and may advertise the last seen message ID: the client appends the Last-Event-ID header to the reconnect request
    • The stream can be resumed and lost messages can be retransmitted.
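The following is an added example, not part of the lecture notes, of a parser for the text/event-stream format described above: data: lines accumulate until a blank line dispatches the message, id: lines update the last seen ID, event: lines set the event name, and comment lines (starting with a colon, often used as keep-alives) are ignored. It also builds the headers a client would send on reconnect so the server can resume from the last ID. The sample stream is constructed.

```javascript
// Added example (not from the lecture notes). Parser for Server-Sent Events streams.
// Returns { events, lastEventId }; `lastEventId` carries over from a previous connection.
function parseEventStream(text, lastEventId = null) {
  const events = [];
  let data = [];
  let event = null;
  let id = lastEventId;
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') {
      // blank line: dispatch the accumulated message, if it carried any data
      if (data.length > 0) events.push({ event: event || 'message', data: data.join('\n'), id });
      data = [];
      event = null;
      continue;
    }
    if (line.startsWith(':')) continue; // comment / keep-alive line
    const colon = line.indexOf(':');
    const field = colon < 0 ? line : line.slice(0, colon);
    let value = colon < 0 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1); // a single leading space is stripped
    if (field === 'data') data.push(value);
    else if (field === 'event') event = value;
    else if (field === 'id') id = value;
    // other fields (e.g. retry) are ignored in this example
  }
  return { events, lastEventId: id };
}

// Headers for the reconnect request: the server can resume after the last seen ID
function reconnectHeaders(lastEventId) {
  const headers = { Accept: 'text/event-stream' };
  if (lastEventId !== null) headers['Last-Event-ID'] = lastEventId;
  return headers;
}

// Constructed sample stream, as received over one connection before it dropped
const STREAM =
  'id: 1\n' +
  'data: hello\n' +
  '\n' +
  ':keepalive\n' +
  'event: update\n' +
  'data: line1\n' +
  'data: line2\n' +
  'id: 2\n' +
  '\n';

const parsed = parseEventStream(STREAM);
console.log(parsed.events);
console.log(reconnectHeaders(parsed.lastEventId)); // { Accept: 'text/event-stream', 'Last-Event-ID': '2' }
```

A message whose id: line comes after its data: lines still carries that id, because the id is read when the message is dispatched at the blank line; an id set in one message persists for later messages that do not set their own.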

Cross-document messaging

Lecture 8 - HTTP/2

  1. communication is multiplexed within a single TCP connection
    • Multiple requests and responses can be delivered in parallel, yielding lower page load times.
  2. Browser Request Prioritization
  3. Flow control
  4. Header compression
  5. Binary Framing Layer

PUSH_PROMISE frames

  • A signal that the server intends to push resources to the client
  • The client needs to know which resources the server intends to push, to avoid creating duplicate requests for these resources.
  • pushed resources must obey the same-origin policy
