Web Development – Clearing Up Misconceptions About Flask Backend and Client-Side Rendering

backendflaskfront-endnode.jsweb-development

I am building a website and along the way I have come across a lot of things I didn't know about and was hoping to get some help in understanding some of them.

I started building a website using Flask and the Jinja templating language. This was very intuitive and easy to understand: client makes a request, server checks all requests are good and then delivers the whole working page in one go.

Then I wanted to upgrade my frontend to use ReactJS. From my research I found that I could still go the server-side rendering route if I used a library like python-react, but I opted for client-side rendering instead. This meant a couple of things

I will need a frontend server (e.g. node.js) to render the frontend
I will need to refactor my Flask backend to behave like an API

So when a client makes a request for, say, the home page, the process will look something like this (if I understand correctly?):

Assuming I am correct up to this point, my question is, how does the above diagram look in the case of submitting a form?

A form requires a CSRF token to be embedded in it when it is rendered, i.e. the token is created on the Frontend Server. But then, how does the Backend verify that token? Does all authentication also need to happen on the Frontend server? I am not clear on how the Frontend and Backend fit together.

Best Answer

You are incorrect about the need for separate front-end and back-end servers. You need only one server, which can be your Flask-based server, that

provides one (static) HTML page when users access the entry-point URL (/home in your diagram)
provides a bunch of (static) JS files for the ReactJS implementation of your front-end
provides an API for the dynamic content of the site.

As there is only one server, the handling of the CSRF tokens shouldn't be an issue.

Related Solutions

CSRF Security – How Frequent Should the Token Updation in CSRF Security Be?

The main point of a CSRF token is that it can't have been sent from another site. So therefore it (a) can't be predicted or detected by an attacker, and (b) is not automatically attached to a request the way a cookie is.

So theoretically if a CSRF token is never disclosed to third parties, again theoretically, you don't have to expire them at all. But then you run the risk of your token getting "leaked" somehow. So your expiry period really should be short enough to combat the prospect of a token getting out and being used against your user.

There aren't really any guidelines, but a good solid techique is to auto-generate a new token on EVERY request which embeds a signed timecode, and then accept tokens up to a certain age.

A sample function might be:

concat(current_time,salt,sha256_sum(concat(salt,userid,current_time,secret_string)))

The token contains timing information and a salt, but also contains a signature which can't be forged and which is tied to the userid.

Then you can define your own expiry interval -- an hour, a day, 2 hours. Whatever. The interval in this case isn't tied to the token, so you're free to set expiry rules however you want to.

At the very least, though, CSRF tokens should expire when the login session expires or when the user logs out. There's no expectation by the user that a form that you brought up BEFORE you logged out will continue to work AFTER you log back in again.

Web Development – Should Frontends Be Rendered Client-Side or Server-Side?

RobertHarvey is totally right: it depends. It could be a good solution but it is a terrible solution also for some projects.

In you question you state:

He has created a small website (there are apparently no dynamic contents)

Based on that he chose the wrong solution. Now you also note that there are animations. So maybe, if those are exceptional, it might be a good solution. Let's state those animation could also be made with normal solutions.

Whether it is good or right is then simple: If it should work like a normal website, so with a good ranking in search engines, good accessibility and all other standard webdevelopers take care of it is just wrong. You build a website with a goal. If that is: Have normal people visit it to subscribe/buy/view etc. it won't meet that goal.

His arguments:

Websites with a high amount of users do this to prevent server overloading.

Yes, but this is a small website right? http://c2.com/cgi/wiki?PrematureOptimization

It is easier to create new sections.

Likely he is unaware of other solutions. No problem, it's his first one. This is something where training / reading could do a lot.

It is easier to translate, as translations, texts and almost everything is loaded from a JSON.

Same here, localisation is something much more complex than just translating some pieces of text anyway. Education is here also the key.

You can expand more sections directly from a JSON file.

Might be correct, seems simple to do. If a user has to do it then it directly becomes more difficult. With a database for example it might be possible to create a form for that.

Everything is smooth, as you don't move to another page.

This is true but not undoable with other solutions. Loading pieces of content with ajax (with changing the browser history) might solve this well. https://developer.mozilla.org/en/docs/DOM/Manipulating_the_browser_history

To take this into a broader level: It is nonsense to build a dedicated framework if it is just a simple site. Use the basics or an existing system for it. On the other side, it's a nice learning experience. We all tried to build a CMS once right? ;) His arguments are not strong, if he want to work more in this area more knowledge would be advisable.

Assuming I am correct up to this point, my question is, how does the above diagram look in the case of submitting a form?

Best Answer

Related Solutions

CSRF Security – How Frequent Should the Token Updation in CSRF Security Be?

Web Development – Should Frontends Be Rendered Client-Side or Server-Side?

Related Topic