I am creating a "masquerade" admin log in system where admins can log into different user's accounts.
I am using a passport/express authentication system. I am trying to figure out a way to sign into another user's account while they are signed in as an admin.
My current strategy is to modify the req.user object and switch the password and username on the user object, then forward the modified user object to the login function in order to sign in as a different user. Is this possible or should I find a different way about this?
Thank you!
I assume you are using express-session.When you are serializing user, what happens is that express-session put your user info into your session.You can change the info that you re putting in your session. You might add something like "currentAccount" if the user is admin. If admin changes to a user account, you may also create a new session with a new account or you might looking for a cookie/session manupilation library and change info in the current session. With deserializing, you can reach session info in your req.session.passport and your currentAccount info will be also in req.session.passport
Related
I am creating a login for my chrome extension where I am going to be using the firebase email and password.
I am going to be putting the create User firebase code on my website and when someone can enter in there email and the script will create a random set of digits and set that as the password. It will then email that password to the user and the user uses the email he entered and the random digit password he received via email to login.
My question is If a user signs up and then logs in with his email and password. Whats to stop him from giving that email and password to his friend and he also logs in. I want to control the amount of users I allow within my chrome extension and only want the person who logged in to use the chrome extension (I want so the login can only be used once) Is this possible for firebase or not?
Also If anyone knows a simpler method than that I described above with sending the email please let me know becuase to do that above I have to create something that sends an email and creates the password.
I would also like to know if firebase has something where I can set a date on a user and after that date passes the user is logged out and has to register again.
But my main question is that if a user where to register if he has the ability to share the login with his friend or if only he can use it.
I really appreciate your reply and help on my issue in advance Thanks A lot.
You'll likely have to do this from the server side (e.g. in a Cloud Function).
One option would be to use the session management features in the auth admin SDK: https://firebase.google.com/docs/auth/admin/manage-sessions - if you report back from the extension with the logged in user, you can revoke access for users who are seen in too many places at the same time. This limit might not be 1 - you may want to allow your users to log in on multiple machines at once.
For even more control, look at the option for managing your own session cookie: https://firebase.google.com/docs/auth/admin/manage-cookies - this allows you to set your own expiry and control the logged in state more granularly.
I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.
I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow:
I am trying to remove a user programatically from my firebase. The method removeuser takes 2 arguments, email and password. Now email is not hard to find out since this is stored in the auth variable + I am adding it in my database when a user is created. However, how am I supposed to find out the password from the user?
When I create a user I do add the generated md5_hash information with this user in my database. However, I can not convert this value back to the real password.
I also obviously do not want to store the real password in the database since this is just asking for problems.
So I'm wondering, is there anything overly obvious I am missing here on how to remove a user programatically from the database, with his password? (Why do I actually even need his password to remove him?)
EDIT: To clarify, I am only allowing an admin to delete users, so he has a list of every user that has been created in my firebase. Having a user delete his own user account is still not so easy since (I presume) the firebase hashing algorithm is not public, so there's no way for me to check if he did input the correct password.
Firebase Simple Login is a service built on-top of Firebase Custom Login, and provides useful primitives for authenticating users via common means.
By design, Firebase Simple Login does not give you access to the users' passwords programmatically, as it only increases the risk that they are not handled or stored securely. Today, the only two methods that can be used to remove an email / password hash mapping is either via the client API using the email and password, or via the admin panel at https://<YOUR-FIREBASE>.firebaseio.com.
Keep in mind that when using email / password login, Firebase Simple Login simply creates a new mapping between an email address and a password hash, but does not store any information in your Firebase. Also note that there is no way to "blacklist" a user id, so if you remove the mapping, the user could re-create it.
If you want to ban / block users, a better approach would be to create a new list in Firebase of your "blacklisted" users, and then use security rules to ensure that that user is in the list (i.e. user is blocked if root.child('blocked-users').hasChild(auth.uid)).
I want to implement something similar to what Digg has done.
When the user logs in for the first time, I want it to force them to create an account on my site.
More importantly I want to know how to log a user into my site when they login with facebook connect. If they login with facebook connect, they still haven't provided me the password to their account on my site, so I can't use username/password to log them into my site. How do they do this on Digg or sites similar to this?
Facebook's process flow can definitely be a bit confusing. Take a step back from the details and the API, and look at the overall flow here:
Facebook Connect will tell you that a user is logged into Facebook, and give you their Facebook ID. You can validate that ID against Facebook using Facebook Connect to make sure it is properly logged in. Once this is done, you don't need a user name and password. As long as you trust that Facebook has authenticated the person properly, they are the only ones that can come to your site using that Facebook ID. That is enough information to start an authenticated session based around a local account that is associated with that ID.
The process you should follow is like this:
User logs in to your site with
Facebook Connect for the first time
You notice that you don't have a local account associated with that
Facebook ID, and prompt them to
enter local account information
You save that information along with their Facebook ID
The next time you see that Facebook ID (and validate that it is
logged into Facebook using the
Facebook API), you can start up a
local session using the associated
account.
Basically you end up with two separate methods of authentication: a Facebook Connect ID check, or the regular username/password login on your site. Either one should have the end result of starting a local authenticated session.
Hope that helps.