ShiftInsert.nl

Coldbox and VueJS untangled

Problem Details for HTTP APIs: Modifying your Coldbox REST handler response

Coldbox has had a base handler and response for RESTful services for many years. Initially this was added in the application templates, but in version 6 this functionality was added to the core. The base handler wraps around your own actions and provides a lot of automatic error handling, adds some development headers and some global headers. By using the default event.getResponse() response (available as prc.response in previous versions) it provides a default response format which looks like this:

{
    "data": {
        "name": "someData",
        "id": "98765",
        "name": "provMan"
    },
    "error": false,
    "pagination": {
        "totalPages": 1,
        "maxRows": 0,
        "offset": 0,
        "page": 1,
        "totalRecords": 0
    },
    "messages": []
}

That’s a lot of different keys for a default response format. The data key makes sense most of the time, and the pagination key (which is new in cb6) can be handy, but we don’t use it (yet). The error and messages keys are less useful to us. Let me explain why first, and then I will explain how to modify your responses in Coldbox 6.

Continue reading

cbi18n-json-resources: localization with JSON resources

This week I created my first official forgebox package: cbi18n-json-resources, a cbi18n JSON ResourceService. This module tries to improve the cbi18n Ortus module by offering:

  • json resource files instead of java resources
  • locales organized by directory instead of partial filenames
  • optional default resource file(s)
  • hierarchical resources, so both en_GB and en_US can be handled by the same resource file, except for the different country-specific translations
  • and an interceptor for missing translations

So why this module instead of improving the cbi18n module itself?

Continue reading

Customize your resource routing in Coldbox

In this post I will show you how Coldbox can help you create resourceful routes, how cbswagger showed me that I don’t want the default resource() routing method, and how easy it is to create your own method!

If you want to create a REST API in Coldbox, you often need to create a lot of routes for this API. So let’s say you want to create endpoints to list, view, update, create and delete a User resource. Following the Coldbox manual, I need to implement the following routes:

Continue reading

Configuring SES URLs on Apache and the Coldbox router

Often when we deploy a Coldbox website we fire up CommandBox, create a webserver and put NGINX in front to route our application requests to the correct Lucee instance. We never experienced any problems when configuring search engine safe (SES) URLs. Just to remind you: instead of writing this

https://mysite.nl/index.cfm?event=myhandler.myaction

we can rewrite this to something more friendly such as

https://mysite4u.nl/myhandler/myaction

So we proxy our request via Nginx to a Lucee Coldbox application and use some rewrite rules as described in the Coldbox manual. Recently we had a slightly different configuration: Apache in front of an old-fashioned standard Lucee install on Linux. Again, we followed the instructions in the same Coldbox manual, but NO success…

Continue reading

Event.buildLink: query params vs path variables

I had some issues with how event.buildLink() in Coldbox generates a URL. To understand my problem, let me introduce the old-fashioned way to hit a Coldbox application:

http://mysite.ext/index.cfm?event=user&age=30
or
http://mysite.ext/index.cfm?event=user.index&age=30

With some rewrite magic this last form can be written as

http://mysite.ext/user/index?age=30
or even
http://mysite.ext/user/index/age/30

So all four forms behave the same, if you apply the correct rewrite rules in your webserver and the default rules in the Coldbox router. The Coldbox manual has some info on rewrites for several webservers. So in most cases the webserver rewrites your URLs into such a format that Coldbox will receive this:

http://mysite.ext/index.cfm?user/index/age/30

Coldbox itself is smart enough to hand this over to the router, which has some default rules enabled that translate user/index/age/30 to:

  • event = user.index
  • age = 30

Continue reading

Cfcookie or cookieStorage?

Coldbox has the cbstorages module, which can be used as an API for accessing persistent storage such as cookie, session, application, cache and more. The question is: why should I use such storage if there is cfcookie or something as simple as the session struct?

Let me explain with some code. I was working on updating the cbi18n module, where we can use the session, client, cookie or request scope to store the currently selected locale. In code this gets ugly quickly, with code like this:

switch(instance.localeStorage){
  case "session" : { storage = session; break; }
  case "client"  : { storage = client; break;  }
  case "cookie"  : { storage = cookie; break;  }
  case "request" : { storage = request; break; }
}

and in other places in the code:

<!--- Storage of the Locale in the user storage --->
<cfif instance.localeStorage eq "session">
  <cfset session.DefaultLocale = arguments.locale>
<cfelseif instance.localeStorage eq "client">
  <cfset client.DefaultLocale = arguments.locale>
<cfelseif instance.localeStorage eq "request">
  <cfset request.DefaultLocale = arguments.locale>
<cfelse>
  <cfcookie name="DefaultLocale" value="#arguments.locale#" />
</cfif>

Continue reading

Using bCrypt in cbsecurity

In a previous post I explained why bCrypt is a good choice for hashing your passwords. In this post I will show where you can hash and check your passwords: in your handlers, in a service layer or in some entity model. When using cbsecurity, I will show you why it fits best in your service layer or entity model.

But let’s start with some hashing and checking in a handler. Make sure bcrypt is installed by using CommandBox and executing the command:

box install bcrypt

Let’s say you want to store your password in a db table. Bcrypt has two important methods for hashing and checking, called hashPassword() and checkPassword(), but you have to call them on a bcrypt instance, so you can inject bcrypt into a handler:

property name="bCrypt" inject="BCrypt@BCrypt";

or get your instance directly by calling getInstance("BCrypt@BCrypt"). But you don’t have to do this: by installing the module some mixin helpers are created, so you can just call bCryptHash() or bCryptCheck(). These handy functions will be available in all handlers, views, layouts or even interceptors. So let’s say we want to save a user in some handler; it will look like this:

Continue reading

cbOrm: populating new objects

In the past I’ve been using cborm a lot, since it makes handling ColdFusion (Hibernate) ORM so much easier. But Lucee support for ORM was less than optimal in a multi-datasource environment, so I decided to rewrite this application more or less according to the fluent API approach as demonstrated by Gavin Pickin at ITB 2020. In this coding style I have two quite efficient ways of populating a new object:

property name="UserService" inject;

// populate: create an empty object, then fill it from the memento
var user = populateModel(
  model=UserService.new(),
  memento=myUserData
);

// vs a shorter method: new() does the population itself
var user = UserService.new( myUserData );

Both should return the same populated user object, but the second one does the population within the new() method, so I got used to using this handy method.

Continue reading

Arguments in arguments…

I have to admit: this is not the most useful post I ever wrote, but today I discovered something funny but interesting when I tried to fix a small bug. I was working with the bcrypt module. If you don’t know what this module does: it is a very secure way of hashing passwords, and since checking the validity of a password is relatively slow, it is quite useful for preventing password cracking. Before diving into bugfixing, let’s see what bcrypt does. It is a Coldbox module and only has a few relevant functions:

  • hashPassword(password, [workfactor], [salt]) generates a password hash based on a salt and a workfactor. If you don’t supply a workfactor or salt, the Coldbox module will generate a salt with a default workfactor of 12. The higher the workfactor, the longer it takes to check for a valid password (on my system, the default workfactor means it takes 200 milliseconds to check for a valid password).
  • checkPassword(candidate, bCryptHash) checks a password candidate against a (stored) bCryptHash.
  • generateSalt(workFactor) generates a salt, based on a workfactor. Increasing the workfactor by 1 means it takes double the time to check your bCryptHash. This way you can prevent password attacks, because generating and checking is relatively slow.

Continue reading

Protecting your passwords with bCrypt.

We all know we should never, ever store a plaintext password in a database. If a hacker gains access to your data, you will be in serious trouble. There are many ways to protect your data, but at the very least you should make sure your passwords are not readable. In the past we did this with some simple hashing, but modern computers are so fast that password cracking is easy, and over time it only gets easier because processors keep getting faster. Another disadvantage: simple hashing will reveal records with the same passwords. These are often the easiest to guess or crack by brute force. So we need something better.

Coldbox has a nice little module called bcrypt, which is just a wrapper around the jBCrypt Java library, a Java™ implementation of OpenBSD’s Blowfish password hashing code. Wikipedia has a nice description of the bcrypt password hashing algorithm. Bcrypt has some strong points:

  • generating a hash for the same string will always return different results.
  • comparing a password candidate with the stored hash is relatively slow, which makes brute force attacks harder.
  • the hash can be generated with different workfactors. The higher the workfactor, the more time it takes to compare your hash with a password candidate. By increasing the workfactor over time you can account for faster processors, so brute-force attacks remain unattractive.

Continue reading

© 2021 ShiftInsert.nl
