Facts About HMGSCRIPT

Moderator: Rathinagiri

Roberto Lopez
HMG Founder
Posts: 3876
Joined: Wed Jul 30, 2008 6:43 pm
Has thanked: 12 times
Been thanked: 106 times


Post by Roberto Lopez » Mon Dec 15, 2014 7:26 pm

Hi All,

After a little exchange of ideas with Angel, I guess that some clarifications about HMGSCRIPT must be made:

1. HMGSCRIPT is a JavaScript library containing a set of functions that allow us to create web applications using the same logic as desktop applications.

2. All major web browsers (desktop and mobile) have a JavaScript engine capable of running our HMGSCRIPT apps.

3. HMGSCRIPT is not aimed at creating web sites, but web apps.

4. Our application could be in one or more JavaScript (.js) files. These files must be declared in the head section of the HTML file that will serve as the entry point for our app.

5. The JavaScript code will be loaded automatically when the user points his browser to our HTML file serving as our entry point.

6. Our applications will not have pages. They will have forms (windows) only.

7. Since we will not have pages, there will be no page reloads, so there is no need to use cookies and similar technologies to keep data across server requests.

8. The server requests for data management are done via AJAX, meaning that the communication works silently in the background, without affecting our GUI.

9. The security scheme is very simple: the user is prompted for a username and password. The data is sent to the server and checked in the users table. If the credentials are OK, the server returns a simple 'OK' to our client app. Then the username and password are stored in global variables on the client. All subsequent requests to the server for data manipulation will include the user credentials, which are checked again in every server data management procedure call, meaning that SERVER PROCEDURES WILL WORK ONLY WHEN VALID USER CREDENTIALS ARE SENT WITH EACH REQUEST.

10. In order to enforce security, YOU SHOULD USE CUSTOM SERVER PROCEDURES and not generic ones, since a user with valid credentials could create a custom client app to mess with your server, arbitrarily executing data functions like dbquery(), dbdelete(), dbappend() or dbmodify(). THIS IS VALID FOR ANY WEB APP (NOT ONLY HMGSCRIPT ONES). The generic functions mentioned above must be avoided when security is a concern.

11. Another thing that could be done to enforce security is to create a 'token' in the server login procedure, storing it along with the other user data and sending it to the client. Then the client should include it in all subsequent server procedure calls, along with his username and password, giving an additional security layer. This token should have a limited lifetime.

12. The data management demos are based on Harbour CGI server procedures, but you could use anything you want on the server (i.e. PHP+MYSQL). I plan to create a function to make server requests easier, instead of dealing directly with XMLHttpRequest each time, including visual indicators, timeout handling, etc.

13. I want to keep the library as light and fast as possible, so I'll try to avoid the incorporation of third-party libraries as much as I can, doing so only when they do not cause a significant impact on performance.

14. Being plain JavaScript, it is very likely that HMGSCRIPT works well alongside other JavaScript libraries of your preference.
Regards/Saludos,

Roberto


(Veritas Filia Temporis)

bpd2000
Posts: 911
Joined: Sat Sep 10, 2011 4:07 am
Location: India
Has thanked: 81 times
Been thanked: 15 times

Post by bpd2000 » Tue Dec 16, 2014 4:16 am

Thank you, dear, for the clarification.
BPD
HMG Convert Dream into Reality

Rathinagiri
Posts: 5081
Joined: Tue Jul 29, 2008 6:30 pm
DBs Used: MariaDB, SQLite, SQLCipher and MySQL
Location: Sivakasi, India
Has thanked: 90 times
Been thanked: 103 times

Post by Rathinagiri » Tue Dec 16, 2014 4:41 am

Good going, Roberto. I think if we can use HPDF to create reports and make them available to download, it would be great.
East or West HMG is the Best.
South or North HMG is worth.
...the possibilities are endless.

serge_girard
Posts: 1698
Joined: Sun Nov 25, 2012 2:44 pm
DBs Used: 1 MySQL - MariaDB
2 DBF
Location: Belgium
Has thanked: 203 times
Been thanked: 31 times

Post by serge_girard » Tue Dec 16, 2014 8:55 am

Great Roberto!

Serge

vagblad
Posts: 85
Joined: Tue Jun 18, 2013 12:18 pm
DBs Used: MySQL,DBF
Location: Thessaloniki, Greece
Has thanked: 5 times
Been thanked: 4 times

Post by vagblad » Tue Dec 16, 2014 9:27 am

Roberto Lopez wrote:
9. The security scheme is very simple: the user is prompted for a username and password. The data is sent to the server and checked in the users table. If the credentials are OK, the server returns a simple 'OK' to our client app. Then the username and password are stored in global variables on the client. All subsequent requests to the server for data manipulation will include the user credentials, which are checked again in every server data management procedure call, meaning that SERVER PROCEDURES WILL WORK ONLY WHEN VALID USER CREDENTIALS ARE SENT WITH EACH REQUEST.

10. In order to enforce security, YOU SHOULD USE CUSTOM SERVER PROCEDURES and not generic ones, since a user with valid credentials could create a custom client app to mess with your server, arbitrarily executing data functions like dbquery(), dbdelete(), dbappend() or dbmodify(). THIS IS VALID FOR ANY WEB APP (NOT ONLY HMGSCRIPT ONES). The generic functions mentioned above must be avoided when security is a concern.

11. Another thing that could be done to enforce security is to create a 'token' in the server login procedure, storing it along with the other user data and sending it to the client. Then the client should include it in all subsequent server procedure calls, along with his username and password, giving an additional security layer. This token should have a limited lifetime.

Thanks Roberto! This looks so interesting.
One question about the security 'tokens'. Is it similar to PHP 'sessions', or are we talking about a completely different thing here? Because using only the user credentials at every request sounds risky to me, as you also pointed out. A 'session'-oriented system seems much more bulletproof to me.
Vagelis Prodromidis
Email: vagblad@gmail.com, Skype: vagblad

Roberto Lopez
HMG Founder
Posts: 3876
Joined: Wed Jul 30, 2008 6:43 pm
Has thanked: 12 times
Been thanked: 106 times

Post by Roberto Lopez » Tue Dec 16, 2014 6:11 pm

Rathinagiri wrote: Good going, Roberto. I think if we can use HPDF to create reports and make them available to download, it would be great.
Yes. This is already done in HMGSCRIPT037 (PHP+MYSQL+FPDF) and HMGWEB (with a modified 'stand-alone' version of HPDF).

You can use such code (or part of it) as a starting point.
Regards/Saludos,

Roberto


(Veritas Filia Temporis)

Roberto Lopez
HMG Founder
Posts: 3876
Joined: Wed Jul 30, 2008 6:43 pm
Has thanked: 12 times
Been thanked: 106 times

Post by Roberto Lopez » Tue Dec 16, 2014 6:25 pm

vagblad wrote: Thanks Roberto! This looks so interesting.
One question about the security 'tokens'. Is it similar to PHP 'sessions', or are we talking about a completely different thing here? Because using only the user credentials at every request sounds risky to me, as you also pointed out. A 'session'-oriented system seems much more bulletproof to me.

The idea is that the users table should have additional fields for SESSION_ID, DATE and TIME.

So, when a user logs in, a random ID is created and saved in the user record, along with the current date and time.

This ID is sent back to the client as the login confirmation. The client stores it in a public variable, visible to the whole application.

Then this ID should be sent, along with the username and password, with each further server request.

The ID could expire after a preset elapsed time.

Another (simpler) approach could be to use only the SESSIONID for server requests after login (maybe I'll go with this in future releases).

When the user logs out, or the application is terminated, the variables' content will be destroyed.

Consider that the concept of a session with HMGSCRIPT is a little different than with traditional web development, since we have no page reloads on the client, meaning that we can keep variable values in our JavaScript application for all of its 'life'. Server requests (AJAX) will not affect the client state at all.

Moreover, a SESSIONID could be useful (beyond security), depending on your server code design style.

Regarding your question specifically, you could make your Harbour server code emulate PHP's concept of 'session variables', to keep data on the server across requests. In its simplest implementation, you could simply have additional fields in the users table aimed at storing session data.
Regards/Saludos,

Roberto


(Veritas Filia Temporis)

luisvasquezcl
Posts: 991
Joined: Thu Jul 31, 2008 3:23 am
Location: Chile
Has thanked: 3 times
Been thanked: 10 times

Post by luisvasquezcl » Wed Dec 17, 2014 3:34 am

English by Google
Hi Roberto,
I have read your ideas and proposals carefully and I think that you have found the development path for hmgweb. I think it's best to use an HTML page as the entry point and use JavaScript to do everything else.
Everything I've read reminded me of a framework called backbone.js; I recommend taking a look, because I think you can get many ideas from there.
Well, I'm following the comments with interest.
Best regards,
Luis Vasquez

http://documentcloud.github.io/backbone/

Hi Roberto,
I have read your ideas and proposals carefully and I think that you have found the development path for hmgweb. I think it's best to use an HTML page as the entry point and use JavaScript to do everything else.
Everything I've read reminded me of a framework called backbone.js; I recommend taking a look, because I think you can get many ideas from there.
Well, I'm following the comments with interest.
Kind regards,
Luis Vasquez

vagblad
Posts: 85
Joined: Tue Jun 18, 2013 12:18 pm
DBs Used: MySQL,DBF
Location: Thessaloniki, Greece
Has thanked: 5 times
Been thanked: 4 times

Post by vagblad » Wed Dec 17, 2014 9:30 am

Thanks a lot for the clarification, Roberto.
I don't know about everyone else, but the more I read about this concept of yours, the more excited I get.
I looked at the demos you made and I am going to give it a full go during the weekend.

It looks really, really promising! A lot of possibilities, especially when it fully reaches the mobile platform.

Thanks for your hard work again.
Vagelis Prodromidis
Email: vagblad@gmail.com, Skype: vagblad

Roberto Lopez
HMG Founder
Posts: 3876
Joined: Wed Jul 30, 2008 6:43 pm
Has thanked: 12 times
Been thanked: 106 times

Post by Roberto Lopez » Sat Dec 20, 2014 3:42 am

To clarify a little more, here is an interesting article:

http://blog.4psa.com/an-intro-into-sing ... tions-spa/
Regards/Saludos,

Roberto


(Veritas Filia Temporis)
