I am trying to use a Node.js payment SDK on my API (running on Express). The problem is, after validating the card details and beginning the transaction, an OTP is sent to the user from his/her bank. The payment process depends on this otp to complete the payment. How do I allow the user to pass this in while the request is ongoing (using req.body), or is there a better way to do this?
For reference purposes, please check this link.
You could use body-parser, a middle ware package meant for these kind of problems.
https://expressjs.com/en/resources/middleware/body-parser.html
https://www.npmjs.com/package/body-parser
Here are the links on express' docs and npm.
Related
I want to provide my application's users the ability to add a second factor of Authentication and I'm currently using Firebase for logging and signing in new users. Firebase already lets you use a second factor but your only possibility is to send an SMS to a verified phone number. I want to replace this second factor with Authy OneTouch so I was wondering what's the best practice in this case.
Right now here's how I authenticate my users:
An user logs in using a form in my client. Under the hood I'm using signInWithEmailAndPassword, retrieving the IDToken from Firebase and setting persistence to NONE.
The client sends a post request to my backend attaching the IdToken and singOut immediately after.
If the token is valid, the server will provide an HttpOnly session cookie storing that token that will be sent along with future requests to my backend to keep track of the user's authentication state.
How I plan to change my workflow:
Through the profile page, the user may or may not opt-in for the second auth factor.
On user opting in I'll send a request to my server and it will call setCustomUserClaims to attach a custom mfa claim and do the necessary steps to register a new user on Authy.
On logging in I access the claim calling getIdTokenResult and access tokenResult.claims.mfa. If it doesn't exist then the process goes as the previous list. Otherwise I log the user out, ask him/her to go through the second factor, and regularly poll a specific URL that Authy provides to get updates on the status of the second factor challenge.
When I detect that the second factor challenge was successfully completed I send a post request to my backend attaching the idToken I got from Firebase and relevant infos I got from Authy's response.
The backend verifies if the idToken is valid (to make sure the email-password challenge was previously performed), then proceeds to generate a custom token with Firebase user's uuid, email, password, mfa-status using createCustomToken, then performs a signInWithCustomToken and sets a session cookie in the response.
Is my idea fundamentally correct? In case does Firebase provide a way to customize its default second factor and I just missed it? Thanks.
While Firebase Authentications's paid brethren Google Cloud Identity Platform does offer 2FA with SMS, neither of them currently provides an option to use/require a custom second factor for authenticating a user.
It's a common request though, so I recommend filing a feature request for it.
Until the feature is added to Firebase itself, the only way you can do something like that is through a custom provider, which allows you (but also requires you) to take control of the auth flow yourself.
In my project I need to link an existing email account whithout the user signed in.
I have the user's email, so I'm trying this code:
firebase.auth().getUserByEmail(useremail);
on the client side.
But it gives me the firebase.auth(...).getUserByEmail is not a function error.
Does anyone know how to get the user by email address on the client side so I can link the accounts, the existing one and the providers?
Thanks in advance.
Using sdk 17.4.5
For web clients, firebase.auth() returns an Auth object. As you can see from the API documentation, there is no getUserByEmail method. on it. You're probably looking at the API documentation for Auth from the Firebase Admin SDK, which does not work on web clients. It only works on backends running nodejs.
If you want to use getUserByEmail, you'll need to run it on a backend, and invoke that from your web client.
You should know that linking user accounts does actually require the use of this method. You link accounts after the user has signed in to both of them.
Hi I tried this module to communicate with Infusionsoft: https://www.npmjs.com/package/passport-infusionsoft but somehow, when I tried to run it (using the samples on the npm module) by running it here and also on my local node app (same code) nothing happens. Upon reading the documentation: https://developer.infusionsoft.com/authentication/#request-access-token, there are things that are not clear such as:
Once the user has logged into their Infusionsoft account and authorized your application, they will be redirected back to your application at your specified redirect_uri with a code URL parameter that is used to request an access token. Redirect users to https://signin.infusionsoft.com/app/oauth/authorize along with the required parameters in order to start the OAuth exchange.
Based on the steps provided by the documentation and the samples of the node module, how can I use them all together? I apologize since I'm not sure of the entire process. The goal is I need to at least get the token from the Infusionsoft after I submit the clientID and clientSecret. What is the difference of the callback and the redirect URL? If there are more understandable samples, please help me..
Assume the following RESTful scenario:
service 1 wants to create a new item in the database of service 2. Unfortunately service 2 is behind a login route (npm passport module).
Service 1 needs to pass/hop over the login route to reach the route for creating this item (post /items/).
My question is now:
Do I first need to access the /login/ route with its credentials to then proceed with the routes behind it?
When I use the browser webapp version, the browser stores the cookie after logging in. Then I can click a "create new item" button to store it in the DB.
But how can I tell my javascript code that, after logging in I am still the valid user? This is really not clear to me.
I intentially did not post any code snippets yet, because first I need to understand it.
I hope this is a more usual "problem" others also had before.
Many thanks!
The answer you are looking for is JWT (JSON Web Tokens). when logging in, your REST API should return a JWT. And the frontend should use that JWT to call the other REST API endpoints. For more information on how to use these in a NodeJs environment, you can check the following articles.
https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens
The internet is filled with guides about JWT. Just read some of them for the actual implementation details.
I've a requirement to integrate Auth0 in our project (Reactjs/Hapijs/MySQL). I checked the documentation and they have many examples and that is great, however, I can't find any related to how exactly do I use my existing user database.
In my application I have users and those users can have one or more projects. With the authorization that we currently use, a user logs in, I check what projects does he own and send it to the React application.
I am missing a document that explains me how to use Auth0 and still be able to check in my database what projects user owns.
My idea on how that should work (I might be wrong):
User sends username and password to our server
Our server makes request to Auth0 (with provided credentials)
Auth0 replies back to our server with some token
We look in users table in our database and try to verify the existence of that user
If it is a match then we simply look (as we already do) for user projects.
Is this how it is supposed to work?
There are a few options available for scenarios where you want to integrate Auth0 with applications that already have existing user databases. You can either:
continue to use your existing store
progressively migrate your users from your custom store to the Auth0 store
You don't mention it explicitly, but judging from your expected flow it seems you would be wanting to implement the first option. There is specific documentation that you can follow that explain how you can setup your custom database connection, see Authenticate Users with Username and Password using a Custom Database. It mentions MySQL, but others database servers are supported and there are many templates that will allow you to quickly setup things.
When you complete this the final flow will be the following:
Using either Auth0 authentication libraries (Lock) or your custom UI you'll ask the user for their credentials
Either Lock or your custom UI submits the credentials to Auth0 authentication API
Auth0 authentication API validates the credentials by calling scripts that execute against your custom database (these scripts were provided by you when you configured the database connection)
If the credentials are valid the Authentication API will return a token to the calling application that will have user information and proves the users is who he say he is.
The scripts you need to provide are the following, but only one is mandatory:
Login script (executed each time a user attempts to login) (mandatory)
Create user script
Verify email script
Change password script
Delete user script
The optional scripts are only required when you want to provide the associated functionality through Auth0 libraries, if only need the login to work then you can skip them. The login script, in the case of a valid user, is also where you return the profile information of the user, for example, you could in theory include their owned projects in the user profile.