8

Just started deal with NodeJS web apps and have a fundamental question.

Since i came from the PHP realm, i know PHP have a built-in HTTP server but no one actually use it and we used nginx and in the prehistoric projects Apache as HTTP server, when i came into ExpressJS i found that all examples talking about listening to the HTTP server that ExpressJS open (via http NodeJS module of-course) but no one talking about use it via FastCGI (nginx -> FastCGI (e.g. node-fastcgi) -> my ExpressJS app) like i used to do with PHP (nginx -> PHP-fpm -> my PHP env) and i wonder why?

As far as i understood, NodeJS app is very fast, non-blocking I/O and so on but there is a security hole using the app like everybody show, since the service that run have same common resources in the JavaScript environment, one user can share by mistake (or not) sensitive information with others, for instance. let's assume the developer made a mistake like this: 

router.post('/set-user-cc', function(res){
    global.user = new User({
        creditCard: req.param('cc')
    });
});

And other user do request like that:

router.get('/get-user-cc', funciton(req, res){
    res.json(global.user);
});

At this point each user will get the user's CC info.

Using my ExpressJS app via FastCGI will open a clean JavaScript environment for each HTTP request and users won't hurt each other.

It'll nice to hear form NodeJS (web) apps experienced developers why no one suggest to use the FastCGI solution (searched on Google and found almost nothing) and if so, why it's too bad?

(p.s. the example is just to demonstrate the problem it's not something that someone actually did, but as we know lot of stupid people exists in the universe :)

Thank you!

Shlomi
  • 3,622
  • 5
  • 23
  • 34
  • It just doesn't make sense. In case of PHP, it's engine makes sure there is no global variables that could be accessible from different requests. Node does not have such feature so you'll have to implement it by yourself. – Alexey Ten May 21 '14 at 09:07

1 Answers1

5

You won't do mistakes like that if you lint your code, run under strict mode, and don't use global variables like that.

Also in nodejs web applications you generally want to make the server stateless and keep all the data in the databases. This would also make it a more scalable architecture.

In applications that are security super important, you can throw heavy fuzzy testing at it to find problems like that too.

If you do all this, plus having a strict code review process, you won't have to worry about it at all.

FastCGI doesn't prevent this problem as a single or a few connections is used to communicate with the server that processes the requests(node.js in this case) and HTTP connections are multiplexed through it. A node.js process will handle multiple requests at a time.

You can potentially somehow make a solution that launches a thread but it'll be a lot slower. In case if you are using node.js for things that are required to be have high reliability or can't afford small mistakes(for example health related devices), node.js is the wrong platform for it.

Farid Nouri Neshat
  • 29,438
  • 6
  • 74
  • 115