Building an npm search bot with WhatsApp and Twilio
The npm ecosystem is vast by now with almost 750k packages published. Naturally, you’ll find yourself often trying to look up a package you don’t remember. The npm search is great for that but what if you just want to quickly look up a package on the go? Let’s build a bot that can look up the packages for us using Twilio’s API for WhatsApp integration.
Just like with Twilio Programmable SMS we’ll need a webhook that will respond to incoming HTTP requests for every message sent to our WhatsApp bot. The webhook then responds with TwiML to reply to these messages.
We’ll build our webhook using Twilio Functions. This allows us to write Node.js code and host it in a serverless function directly on Twilio.
To get started make sure you have:
- A Twilio account (sign up for a ...
Serving Coffee with Twilio Programmable SMS and React
For the last couple of years we’ve started serving coffee at various events using Twilio Barista, combining different Twilio APIs, such as Programmable SMS, Twilio Sync, and other web technologies. This way you can send an SMS to order your coffee, and get notified as soon as your coffee has been prepared by the barista.
On the birthday of the HTCPCP we figured it’s time to teach ...
Creating and Publishing Web Components with Stencil
Web Components is a technology I’ve been excited about for years. The idea is that you can create your own UI components that are supported in the browser regardless of which framework you are using (or none at all for that matter). However, there wasn’t much traction around them until recently.
The web components APIs are pretty low level by themselves but projects like Polymer are trying to improve the developer experience and recently more tools came along to help with authoring web components. One of these tools is Stencil from the Ionic team.
If you are not yet familiar with web components, I suggest you check out this short introduction on webcomponents.org to get an idea of Custom Elements and Shadow DOM. If you want to have a better idea of why web components might be of interest for you, even if you don’t author ...
Going surfing – Protect your Node.js app from Cross-Site Request Forgery
One classic attack when working with web applications is Cross Site Request Forgery aka CSRF/XSRF (read C-Surf). Attackers use it to perform requests on behalf of users in your application without them noticing. Let’s look at how they can pull this off and how we can protect our applications from this type of threat.
Let’s talk theory
Before we can prevent CSRF attacks we need to understand how they work. Typically these attacks are executed on the functionality of web applications that use form-based submissions like POST requests and cookie-based authentication.
An attacker places a hidden form into their malicious page that automatically performs a POST request to your page’s endpoint. The browser then automatically sends all the cookies stored for that page along with the request. If a user is logged into a current session, the attacker could, for example, post a message ...
Putting the helmet on – Securing your Express app
Express is a great way to build a web server using Node.js. It’s easy to get started with and allows you to configure and extend it easily thanks to its concept of middleware. While there are a variety of frameworks to create web applications in Node.js, my first choice is always Express. However, out of the box Express doesn’t adhere to all security best practices. Let’s look at how we can use modules like helmet to improve the security of an application.
Before we get started make sure you have Node.js and npm (or yarn) installed. You can find the download and installation instructions on the Node.js website.
We’ll work on a new project but you can also apply these features to your existing project.
Start a new project in your command line by running:
mkdir secure-express-demo cd ...
Sharing information between different devices in real-time is difficult but with Twilio Sync it’s just a matter of a few lines of code. To see how Sync works let’s create our own version of the TodoMVC application using Twilio Sync to store our data and share it across multiple devices.
We’ll base our version on a copy of the Vanilla JS version of TodoMVC and alter the storage that is currently local storage to Twilio Sync. However, you can use the same code with your favorite framework as well.
Before we get started make sure you have the following:
- Node.js with npm installed. You can find the instructions to install on their website.
- A Twilio Account. Sign up for free.
Start by cloning the template branch of this repository and install the dependencies:
git clone -b template https://github.com/dkundel/todomvc-twilio-sync.git ...
Working with Environment Variables in Node.js
Working with environment variables is a great way to configure different aspects of your Node.js application. Many cloud hosts (Heroku, Azure, AWS, now.sh, etc.) and Node.js modules use environment variables. Hosts, for example, will set a PORT variable that specifies on which port the server should listen to properly work. Modules might have different behaviors (like logging) depending on the value of
Here are some of my tricks and tools when working with environment variables in Node.js.
Accessing environment variables in Node.js is supported right out of the box. When your Node.js process boots up it will automatically provide access to all existing environment variables by creating an env object as property of the process global object. If you want to take a peek at the object, run the Node.js REPL with node in your command line and type ...
JS 💖 Hardware – Getting started with Nodebots and Johnny-Five
The option we’ll use is the npm module johnny-five. Johnny-Five isn’t limited to certain hardware but instead supports a wide range of different microcontroller platforms (including the Tessel) using various I/O plug-ins. The ...
Scan your projects for crossenv and other malicious npm packages
On August 1st, Oscar Bolmsten tweeted about how he found a malicious npm package called crossenv that scans for environment variables and POSTs them to a server.
— Oscar Bolmsten (@o_cee) August 1, 2017
This is particularly dangerous considering that you might have secret credentials for different services stored in your environment variables. Apparently it’s also not limited to just crossenv, but a series of packages — all of them are names of popular modules with small typos such as missing hyphens.
Check your project for malicious packages
These packages have been taken down by npm, but since credential theft happens upon installation, you should check if you have installed one of them. Ivan Akulov was so kind to compose and publish a list of ...