This might seem OT, but I looked at Wix Support articles before I wrote this. There is no info to be found on cron-jobs, which is natural: only Wix Code pages that DO something can be the subject of a cron-job.
I have an account on https://cron-job.org. I can put in a URL to a page and done. But that is not what I want. Ideally, I would like to run the cron-job with admin credentials (which would also allow me to run the backend jsw-code with those credentials too).
Thing is, I think I will never be able to store login credentials (username/password) on the cron-server: do not have access to it, physically. And option 2 that wix offers is a password protection on a page, without user name.
In short, does anybody have any experience with this and how to solve it? I am rather virginate to the whole subject.
PS Admin logs on with a Google account.
Giri – I am actually working on the same thing. Perhaps we can bring our brain power together.
My objective is to update my datasets on a daily basis using a CRON call. I was able to bypass your problem by just switching the permissions on my dataset so that anyone can update. I feel like this is probably insecure though?
I use easycron.com and they actually have an option to add http authentication credentials in the CRON call. Is this what we would need? I am confused though, should we add admin credentials and it will just automatically work or do we need to prompt login in the backend code??
Keep me posted on your progress
Following up on my own post here. What if you used the Wix API to suppress auth. That may work.
Hi David, sorry to get back to you with some delay. Your first solution, lifting access rights when the page is called, is flimsy. You could hide the page, but if you call it up only once by hand and make the mistake of calling up, from that tab, another website, the referrer in the HTTP header will give you away and the page will no longer be secret.
Your second option is what I'm thinking of also. Check from which domain or IP the request is coming and then lift access. Still flimsy. 1. The GET might come from another domain or IP than the one you signed up on. The Cron service might use a variety of clusters. How do you whitelist all good access points? 2. What prevents somebody else from scheduling a Cron job from that domain or IP? The check mark "I promise I am the owner or I have permission" certainly won't.
Also looked up htaccess, but Wix doesn't support it. In short, I'm stuck for now. I can get a Cron job running, but security will be criminally low. I will ponder upon it some more. Usually, just before I go to sleep, it all makes sense to me. Remembering it in the morning is another thing. Appreciate your input, looks like we are more or less at the same point: site done, now the maintenance part. Let's try to come up with something decent.
Giri – I’ll definitely keep you posted if I solve this issue.
Selfishly, you brought up another point that I am really curious your input on. As you call it, “flimsy”. I am about 80% done with my website, so I am getting close to launch. However, before I found Wix Code I had literally never created, designed or coded in my entire life. Now, I feel I can make some pretty sophisticated stuff. So, major props to Wix. The problem is, I am DEEPLY concerned that my site has these “flimsy” vulnerabilities. My priority up until now was learning to create and code from scratch, not maintenance and vulnerability testing.
Since I have no background in this, I am worried that I don’t know, what I don’t know. Do you have any good resources on key items I would need to true up before launching a website with all the sophisticated features we use? If not, any chance you could high level common risks or areas that absolutely should generally be controlled when showing to public?
If you can help here, would be forever thankful! And happy to pay forward any knowledge I can help with on our end.
Thanks!
David, I pondered about this before going to bed. If I ever had to form a development team again, you would be on my shortlist. I have followed your progress and contributions (like Stripe) and you are one of the most conscientious developers on this forum, one that gets results, checks answers and tries to do a good job.
I understand your hesitations, it's not the first time you wrote something like this (a week or 2 ago I picked one up on this forum). Don't eat yourself up about it. All you can do is try your best, and you certainly did. We all went through that "first release" stress: will it work, will they like it, haven't I screwed up somewhere in such a major way that I will be called a charlatan forever? So now you have to go through it too. It's normal, you need that nervousness to keep you alert. And it will go away after a while.
Now about Wix Code. I can only give you my own contemplations regarding security. This was my first project in Wix and I would do a couple of things differently for a next one. I would no longer give away code, field and table names, queries, etc. in the front end code (= anything you type inside the page onReady). Instead, I would write all backend code regarding queries with Admin rights, and for any request I would first check if the user was valid, then pass on the request to the backend module, lift the restriction with "options" and only return the resultset, which the frontend code would merely display. The reason for this is that I feel uncomfortable giving away all this info. Somewhere in the documentation I remember reading that this could "pose a security risk". When the developers of a framework start writing this, you should take it seriously.
Also, I do not know what you do with Stripe data and if Stripe even lets you, but storing credit card info yourself is asking for trouble. Just don't do it, then it can never be breached.
This will be of little help to you, I know, but as I started writing: don't eat yourself up, just stay alert.
Giri, sorry for the late response here, been crazy busy! Nothing major, but just wanted to say thank you. First off, extremely flattering, especially coming from you, as I have also seen what you post on these forums and am very impressed. Regarding the insights, that is actually hugely helpful! Basically I just needed some high-level direction on the topic; once I know the basics I can research or figure out the details myself.
Thanks again!
David, kind words, thanks. Still working on the cron. I finally took the decision to whitelist an IP-address (or block), since they had them published. I do my access checking in a backend module with admin rights. Will let you know how it went, still testing.
About common errors: I realized I forgot 3:
- sanitizing input: this is not necessary in Wix, they do it for you (like checking for sql-injection)
- preventing URL substitution. The most common way of gaining illegal access to a form/db is changing something in the browser's URL like somepage?key=12345. By changing that by hand, one usually gains access if it is not checked. I had this in my project where I create the rows to display properties. Then users only add info (data, pic, etc.). So I cannot rely on a check on Creator (dataset), since that is always me.
But you have to do something, because every Member technically has access. So I did a check on email address, which I set per row and check against the user's email.
- cross-site scripting: JavaScript front end scripting is unavailable in Wix, only in the html-component. There it is sanitized for you also.
But something tells me you already had these things covered.
Good luck, talk soon.
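An added example (not code from the original thread or from Wix) of the two checks Giri describes above: the IP allowlist for the scheduled caller, done in a backend module, and the per-row e-mail check against the guessable ?key=12345 URL. It is plain Node.js with constructed sample data; the Wix/Velo wiring (backend .jsw module, wix-data with suppressAuth, the caller IP from the request) is an assumption sketched only in comments.

```javascript
// Added example: two server-side gate checks from the thread, framework-agnostic.
// Assumption: in Velo these would live in a backend module that runs queries with admin
// rights, so the front end never sees the field names, the check, or other members' rows.

// Parse a dotted IPv4 string into an unsigned 32-bit integer; throws on malformed input.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Check (1): is the caller's IP inside the published cron-service ranges?
// Allowlist entries may be single addresses ("198.51.100.5") or CIDR blocks ("203.0.113.0/24").
// Malformed caller IPs are rejected rather than throwing, so a bad header cannot bypass the gate.
function isIpAllowed(callerIp, allowlist) {
  let addr;
  try { addr = ipv4ToInt(callerIp); } catch (e) { return false; }
  return allowlist.some(entry => {
    const [base, bitsStr] = entry.split('/');
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Constructed sample rows standing in for a Wix collection of properties. Because the
// Creator of every row is the admin, each row carries the owning member's e-mail instead.
const SAMPLE_ROWS = {
  '12345': { _id: '12345', ownerEmail: 'alice@example.com', title: 'Flat A' },
  '12346': { _id: '12346', ownerEmail: 'bob@example.com',   title: 'Flat B' },
};

// Check (2): return the row for `key` only if it belongs to the logged-in user, else null.
// A member who edits the key in the URL therefore gets nothing, not somebody else's row.
// Assumption: userEmail comes from the server-side session (wix-users-backend), never from the client.
function getOwnedRow(rows, key, userEmail) {
  const row = rows[String(key)];
  if (!row || typeof userEmail !== 'string') return null;
  const matches = row.ownerEmail.toLowerCase() === userEmail.trim().toLowerCase();
  return matches ? row : null;
}

// Combined entry point for the scheduled call: 403 unless the IP passes, then do the admin work.
function handleCronRequest(callerIp, allowlist, doUpdate) {
  if (!isIpAllowed(callerIp, allowlist)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: doUpdate() };
}
```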
Interesting! Ok so no I actually didn’t directly know about any of these things, so that’s excellent and much appreciated. I had roughly considered some of this stuff, but didn’t know how common or likely it was. Feel free to keep posting anything else that comes to mind.
Thanks!