TodoMVC, Rdbhost style

The TodoMVC project was created to help people choose a JavaScript MVC framework.  It includes a couple dozen implementations of the same HTML5 app, a Todo list.   Each implementation uses a different JavaScript framework.  Each of them uses the browser's localstorage for Todo storage, avoiding any specific back-end dependence.

Rdbhost has its own version of this TodoMVC project.  Here, the intention is to show how each framework can be used with the Rdbhost.com backend.   So far, I have implemented versions for the most popular 5 frameworks, AngularJS, Backbone, KnockoutJS, Ember and CanJS.   I may add more in time.

Each back-end interface is fairly minimal;  For AngularJS and KnockoutJS, it uses a singleton blob in the database for all Todo records.  Backbone, Ember and CanJS have a CRUD type back-end interface, and for each of those, I created a table with one record per Todo, and a CRUD-style client-side adapter to put and get data.  Each framework project includes a page 'initialize.html', that requests the Rdbhost account password, gets the super authcode with that, and sets up the necessary tables.

AngularJS seems to include an integrated backend data retrieval API, and I may re-implement the AngularJS TodoMVC to use a more sophisticated approach.


Find the working site at:  http://todomvc.rdbhost.com .
Code is at: https://github.com/rdbhost/todomvc .

Enjoy

#nobackend

#nobackend

The 'nobackend' meme has gotten some discussion among the G+ and twitter accounts I follow.  I was excited at initial review, as it seemed to be very inline with Rdbhost's goal of enabling Web App development without any server coding.

On further examination, I found the key documents to be hazier then I had briefly hoped;  the expressed goal is to incite discussion on the objective of writing front-end code 'without thinking about the back-end'.

Rdbhost's power is in moving the critical custom back end design elements, such as database schema and database queries, to the front-end.  Moving them to the front-end is more pragmatic than ignoring them altogether, though perhaps less appealing to many front-end devs.  ;)

Nonetheless, I want Rdbhost.com to be part of the discussion, so I have implemented their sample app, an html5  invoicing app, using Rdbhost as the backend.  Read about the reference app, and the while #nobackend promise, at nobackend.org.

The Rdbhost version of the app is at http://invoice.rdbhost.com ,  and the source is at http://github.com/rdbhost/EditableInvoice .  The entire code base for the app is in that Github repository. There was *no* code deployed to the server in support of this specific app.

I used OpenId as the only login option.  The code to setup the necessary server-side tables is in /initialize.html .

Find the JavaScript API at: github.com/rdbhost/Rdb.Js/.

David Keeney

The Rdbhost server was upgraded this weekend.

Now, it supports Postgresql 9.2.   Aside from the general goodness of having the latest version available, this version supports some new embedded languages.  The new languages are not available just yet on rdbhost, but stay tuned.

David
dkeeney@rdbhost.com

Attention Rdbhost Clients

If you have an active JavaScript application relying on an Rdbhost.com account, you should consider upgrading your app, to use current libraries.

If you are using jquery.rdbhost.exdm.js from www.rdbhost.com, loaded by your app from our server, and you do not use the openId log-in methods, and you use a recent version of jquery (>= 1.5) then you are probably ok as-is.  Your app will load the current version, and all is well.  Please check, this week, and again next week, to verify correct behavior.

Otherwise, upgrade.  Use either the current jquery.rdbhost.exdm.js from our server, or get the current version from our github repository.  Load it after a recent version of jQuery (version >= 1.5).

The compelling reason to upgrade is that server-side support for cookie processing is being dropped soon.  The protocol included the ability to interpolate cookie values into queries, as a convenience to the programmer.  Unfortunately, this facilitates clients creating Cross-Site-Forged-Request (CSFR) vulnerabilities.   So, to avoid this hazard, I re-coded the JavaScript module to handle cookies client-side.  Now, it converts the cookie tokens into regular named parameters, and adds the cookie values to the named parameters hash. Now, the server should never see cookie tokens in any query, and in a week or so, the server side support will be dropped.

Other than this, there are numerous improvements.  OpenId logins work better now, as a reliance on iframes has been removed.  The Rdbhost jQuery plugin methods now return Deferred promises, as appropriate;  this behavior is similar to current jQuery ajax behavior.  You (the account owner) can now login to your account via an API call.

Cookies are Harmful (in single-page apps)

Do not use cookies in your single-page app.

At least, don't have your server use cookies from your single-page app.  Having the app write a cookie provides some state persistence when the user insists on rattling the reload button.  The server should ignore the cookie, relying only on input submitted with each request explicitly.

Cookies are obsolete, dating from the early 1990s, when Netscape invented them to add state to a stateless protocol.   Their purpose was, and is, to allow the server to track a user session between page requests.

Your single-page app has no use for cookies.  Just keep state in variables and in the DOM in the browser, and send the authentication with each and every ajax request.  It is simple, reliable, and safe.

Why the fuss?  Well, using cookies (or web server authentication, for that matter) sets your application up for a cross-site-request-forgery  (CSRF) attack.   You don't want that.    A CSRF attack involves another website 's page secretly submitting a request to your site, using passive authentication credentials stored in the user's browser, to do things within the users account on your site without the user's knowledge or approval.

The way to avoid CSRF attacks is simply to avoid passive authentication methods, such as cookies or web server authentication.  I call these passive, because they do not require explicit inclusion in a given request; the browser automatically adds them to any request on your site.  The absence of passive authentication credentials means no successful CSRF attack is possible.

We should consider cookies obsolete and dangerous, in the context of any single page app, and single-page apps are where the web is, now, in 2013.

OK, maybe your website is a small collection of single-page apps, and needs to maintain session between these multiple apps;  if so, then maybe you need to use cookies to maintain state, but don't tell the server.  One app can create a cookie client-side, and the browser will make it available to all single-page apps on the domain.  The apps know user session state from the browser cookie.  That the cookie gets sent to the server regularly is merely an undesirable side effect, and that side effect can be ignored.  Just don't read that cookie in any server code; it cant be used in a CSRF attack if the server refuses to recognize it.  If your app is an html5 app, not needing legacy compatibility, then use web databases or some cookie alternative that doesn't get sent to the server.

There is a common counter-CSRF technique that calls for including some arbitrary value in both a cookie and either the request header or request fields.  If you can put the cookie content into the request in addition to the cookie, you can put the content in the request instead of the cookie.

Cookies are bad for your single page app.  Avoid them.

Indexing AJAX content

Search Engines

One of the more compelling reasons to stay server-side and avoid putting all business logic on the client is the matter of search engines.   Google and the other search engines have not traditionally indexed dynamic content, as they don't run the client side JavaScript necessary to realize the dynamic content.

We now support the search engine indexing of AJAX pages, so this reason is now not so compelling.

Ajax Indexing

A year or so ago, Google introduced the Ajax crawling specification, which described a cooperative method where the site can enable indexing of dynamic content by Google.  Basically, Google interprets hash-bang '#!' hash fragments, where it finds them while scanning html, as a request for special treatment; the special treatment is to rephrase the URL replacing the fragment with a specially named GET parameter carrying the fragment value.  The site can then generate, server-side, a version of the page containing the content, for Google to index.  In Google's search listings, the fragment is again a hash fragment.

Rdbhost now provides the server-side component of the Ajax indexing process, for any site hosted on Rdbhost.  Use the '#!' prefix for your internal links, Google will request them with the special '_escaped_fragment_' parameter, and Rdbhost will use a server-side 'headless' browser to generate a content-full version of your page for Google.

Ease of Implementation

Rdbhost intends to make easy web-sites as easy as possible; now we make Ajax-content index able with no effort to you.  The only requirement of you is that you use the '#!' notation for your internal links.

See for Yourself

You can verify this yourself, by entering such a URL in the browser.  If the link is 'http://demos.noservercoding.com/hashtest.html#showmore', the special request URL would be 'http://demos.noservercoding.com/hashtest.html?_escaped_fragment_=showmore', and requesting that URL with your browser will provide a pre-rendered page.  Use 'show source' with each version of the URL will show the difference.

Links:
  Ajax Client-Side Version
  Server-Side Version

Easier Hosting

There are a couple of new features to tell you about this week;  One will be discussed here today, and the other will be in another post in a couple of days.

Rdbhost has always been flexible about where you can host your website's static files:  You can host them on any static server, including free servers, on Localhost for development, and even on GitHub or Assembla for git-commit ease of deployment.  Your SQL database account can be accessed using the JavaScript/jQuery module, from any host.

Static Hosting

You can also host your static content here at Rdbhost.  While we do not make file space available to our customers (we are a Database hosting service!), we do provide a facility to put file contents into database blobs, and those blobs can be retrieved using natural short URLs.  Your static content can be hosted in static 'pseudo-file's, and the dynamic content in SQL database tables.

SFTP Server

The new feature makes these pseudo files easier to manage.  We now support an SFTP server, for managing your static content.   This server is on port 24 at www.rdbhost.com, and functions like any other SFTP server, except that the files you manipulate are actually just blobs in the pseudofiles table.  The server also uses 'magic' to determine the correct mime-type for the content you store; when you retrieve the blobs from a browser or other web client, the stored mime-type is sent as the Content-Type header.


The SFTP server uses account and password logins only; the login is your Super role-name (such as 's0000000907'), and the corresponding authcode.  These are available on your Roles page.  To create the 'lookup.pseudofiles' table to start, enter a domain alias from the profile page;  You should have a domain registered for the new site.  Setting the domain alias tells Rdbhost.com that you intend to serve static content under that domain.

Quirks

In minor ways, this SFTP server is different than others you have use.

The server will maintain empty directories during an SFTP session, but they are forgotten at the end of the session.  Similarly, file attributes can be changed, but the changes are forgotten at the end of the session; the 'files' are always readable to the public, and writable by the Super account only (unless you have granted specific privileges otherwise).

Testing

The SFTP client has been tested with the following clients:
   WinSCP 5.1.2
   Expandrive 2.4.0
   CoreFTP LE 2.2
   BitKinex 3.2.3


The RdbAdmin utility is an alternative way to enter data into the psuedofiles table.

See User Domains
       RdbAdmin Video
       SFTP Server