When user login, I set
req.session.username = "....";
So, we can know this session has username
But how do I detect if this username is already logged in from another computer and logout (delete session) that another computer
On the server simply create a hash that contains a list of logged in users and the session they are currently using. Store this hash wherever you store stuff (SQL DB, NOSQL DB, flat file, in memory DB, etc).
Upon login, do a quick look at that list (pseudo code):
if( user in logged in list)
delete the session listed for that user
otherwise
create the session
log session into logged in user list
Simple.
I don't think there is a sure way to detect if the user makes a request from another computer. You can use http header User-Agent but if both computers have exactly the same user agent and version you would still see them as same.
Using IP is even more error prone because multiple devices may just use same WIFI router or proxy that doesn't set HTTP_FORWARDED_FOR.
However; if a user tries to start a new session (log in) using a user name that already exist you can either refuse the new session or destroy the old one.
You need to maintain a list of active sessions in array or redis.
Since you will retrieve the user details when they try to login, you can add a property, loggedIn, which will be a Boolean with a default value of false in the user schema.
Now you can append an extra control-flow within your login middleware to determine if the user is logged-in or not:
/** Check if user is already logged in */
if (user.loggedIn) {
let error = {
status: 401,
message: 'user already logged in. '
+ 'Please request a password reset if you suspect this is not you.'
}
return next(error);
}
// if not, log user in, set the `loggedIn` flag to true and move on.
And whenever the user logs out, reset the loggedIn flag to false.
Related
I have managed to setup a custom login system using Firebase. The user enters email/password and is redirected to the main page(which is private). I am having issue with onAuthStateChanged after logging in. When I check the auth state after logging into the main page, i get invalid user (null). The firebase dashboard shows I have logged in successfully but onAuthStateChanged is the opposite.
I am trying to check if a user is logged in to my html pages, if not I want to redirect them to the login page. I like how the authentication works in firebase but I need to protect my html pages not my divs (which is what the vast majority of firebase auth tutorials show).
If anyone has an easier way to password protect a web directory that looks nicer than HTaccess, please advise (I am not crazy about using wordpress for password protection, but its an option). Otherwise, I guess I will have to do this in PHP. Thanks in advance!
(function () {
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
console.log(user);
console.log('A user is logged in.');
} else {
// No user is signed in.
console.log('Invalid user. Redirecting to root.');
window.location.replace('../index.html');
}
});
})();
If you navigate to a new page, Firebase will have to initialize again. As part of that it will try to restore the user's authentication state, but this requires a call to the server which takes time.
For that reason the onAuthStateChanged listener will initially fire with null as the current user (and auth.currentUser is set to null). Then once the user is signed in, the listener fires again with the user object for that user.
If you want to detect this initial state, you can either store some token value in the browser's local storage that you can check for yourself on the new page, or you could set a time-out for when you expect the user to be re-signed in and only then navigate away to the index.html page.
I have following flow for my sign up process:
User fills out details and signs up (gets send verification email)
After this user is logged in, but sees a screen asking to for email verification
User verifies their email and goes back to app
At this stage how can I get new user data that will have emailVerified field without logging user out?
I expected auth().onAuthStateChanged to be fired once emailVerified changes to true, but that does not happen, nor can I find any refresh function in firebase docs to get this data manually.
Only way I can get that new value for emailVerified is by loging out and loging back in, but ideally would like to avoid this.
update: this is using JavaScript SDK
Based on android I did
firebase.auth().currentUser.reload().then(() => {
console.log(firebase.auth().currentUser)
})
this returns updated information about the user, I couldn't find this anywhere in the docs for some reason
I want to check if the username and password which is in a database are correct.
For this i made a javascript function.
function checkLogin() {
username = (document.getElementById('login').value
password = document.getElementById('password').value)
if (username == db.Membership.select(username)){
alert("it exists")
So this function gets called everytime when someone clicks on Log in after they have entered their details. Is it possible to check if username and password are correct?
In web2py, db.Membership.select(username) is Python code and must be run on the server in a model or controller (or module) -- it is not Javascript and cannot be run in the browser.
Furthermore, it doesn't make sense to simply check in the browser whether a user's login credentials are valid because (a) you need to know on the server whether a user is logged in (in order to control access to functions and resources on the server) and (b) an attacker could simply run some Javascript in the browser console to fake a valid login.
In web2py, a user's logged in status is stored in the session, which is either stored on the server (in a file or in the database) or in an encrypted and signed cookie (which cannot be altered from the client side). The authentication itself must happen on the server (so it cannot be faked).
If you want to log a user in, you should use the standard login mechanism. If you want the login submission to be handled via Ajax, you can post the credentials to a web2py controller function, and in the controller, you can call auth.login_bare(username, password), which will either log in the user (i.e., update the session to indicate login) or return False if the login fails.
I'm doing a javascript single-page app which allows people to log in, either via twitter or (for some use cases) anonymously.
A very important thing to figure out was how to let them reload the page -- this shouldn't force them to log back in!
I figured this out pretty quickly for the twitter login, and so it uses cookie-stored information to log back in (specifically, the user_id, oauth_token and oauth_token_secret).
However, I can't seem to make this work with the anonymous login facility.
I tried:
auth.login("anonymous", {
user_id: #get("userId"),
firebase_auth_token: #get("firebaseAuthToken")
});
but it doesn't work... I get a new anonymous user ID. I want to keep the same one for the duration of the user's browser session.
And yeah, I tried both user_id and id, firebaseAuthToken and firebase_auth_token.
Thanks!
By default, sessions are created any time you successfully log in a user, and last up until the session expiration time configured under the 'Auth' tab in Forge. This built-in sessioning applies to all Simple Login authentication types, and is automatic as long as local storage and cookies are available.
To resume a session, simply instantiate the FirebaseSimpleLogin object with a Firebase reference and callback. If a local session exists, the callback will be invoked with the same payload you would see if you had just logged the user in for the first time. Invoking the login method will always generate a brand new auth. flow regardless of current user authentication state or session.
Note that in anonymous auth, once a user session expires it cannot be recovered. This may change in the future or some additional functionality may be added to enable it, but it is currently only logged-in to once per user id.
I am using facebook connect and authenticate the user with it.
For each user, there is session key that expire after X minutes. How can I get the user session after the session is over ?
I tried-
FB.Connect.requireSession();
but I don't want to use this function because it pops up the facebook connect
username and password. I want to get the user session without him to reenter his username and password/ and I dont want to ask for infinity session.
You have to prompt for extended permissions with offline access. When this is completed facebook gives you a special infinite session key which you need to save and use when you want to act on that user's behalf.
FB.Connect.showPermissionDialog("offline_access", function(result){
//callback function when users accepts extended permissions
});
http://wiki.developers.facebook.com/index.php/JS_API_M_FB.Connect.ShowPermissionDialog