React + Nodejs with Passport.js authentication - javascript

I am using React for the frontend, Node.js as the backend and passport-google-oauth2 for authenticating users with Google's OAuth API.
When a user logs in, I create a new user or find an existing user and set a cookie to know that the user is logged in.
The problem is that in development I am using the webpack development server and a Node server. Therefore the cookies aren't saved properly. I have tried using proxies in the development server but I haven't got it to work.
What is best practice here? Am I not supposed to use cookies?
Thanks in advance.

Related

How can Firebase Authentication securely authenticate a user with only client-side code?

There are plenty of tutorials and articles on this precise question, but each one contradicts the previous one.
I'm trying to make signup and login React pages with the Firebase JS SDK on the frontend; that's what I found most YouTube devs do.
Then I found that it is not secure (doing the authentication on the client side).
You should use the Firebase Admin SDK (firebase.google.com/docs/admin/setup) on Firebase Cloud Functions or a self-hosted server in that case. Everything else would just be a dirty hack – PRSHL source
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves. source
I really want to understand: if it is not secure to use it on the client side, why does Firebase provide it in the first place? Or is there another way to properly write the auth using the Firebase JS SDK on the frontend, of course without using the Admin SDK?
Or should I use the Firebase JS SDK on the backend with Express?
I only want clear and detailed answers please!
My best guess is that you're confused between authenticating a user client-side and the fact that Firebase provides a client-side SDK for authenticating users.
Though all you have to do to use Firebase Authentication in your app is implement its client-side SDK, there are many more parts involved in the process - and quite a few of them run on secured servers.
It's just that Firebase (and the authentication providers it supports) have implemented the server-side of the authentication process for you already and made the variable parts of the process part of the configuration that you provide either in the Firebase console, the provider's web interface, and/or in the configuration that you specify when you initialize the Firebase SDK in your client-side application code.
From the comments you now added, the second is correct and explains exactly what the risk is:
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves.
So while you can safely create a user account on the client (a process known as authentication), marking them as an admin (a process known as authorization) has to happen in a trusted environment as otherwise any user could make themselves an admin.
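The split between authentication and authorization described in the answer above, as an added example that is not part of the original thread. It assumes an HMAC-signed token as a stand-in for the signed ID token an identity provider issues; `SERVER_SECRET`, `ROLES` and all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Constructed server-side state (hypothetical): a signing secret and a role
// table that only trusted code can modify.
const SERVER_SECRET = crypto.randomBytes(32);
const ROLES = new Map([["alice", "admin"], ["bob", "user"]]);

const b64 = (data) => Buffer.from(data).toString("base64url");
const sign = (payload) =>
  crypto.createHmac("sha256", SERVER_SECRET).update(payload).digest();

// Authentication: the trusted side establishes who the caller is and issues
// a signed token whose role claim comes from the server's own table.
function issueToken(uid) {
  const payload = b64(JSON.stringify({ uid, role: ROLES.get(uid) || "user" }));
  return `${payload}.${b64(sign(payload))}`;
}

// Check the signature before trusting any claim inside the token.
function verifyToken(token) {
  const [payload, mac] = String(token).split(".");
  if (!payload || !mac) return null;
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(payload, "base64url").toString());
}

// Authorization: decided on the server from verified claims only.
// Anything the client puts in the request body (e.g. isAdmin) is ignored.
function canDeleteUsers(token, requestBody = {}) {
  const claims = verifyToken(token);
  return claims !== null && claims.role === "admin";
}

// What a client editing its own token looks like: the payload changes,
// the signature no longer matches, and verifyToken rejects it.
function tamper(token) {
  const [payload, mac] = token.split(".");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  claims.role = "admin";
  return `${b64(JSON.stringify(claims))}.${mac}`;
}
```
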

Need advice about the use of JWT for authentication

While building my website I decided to use JWT for the authentication feature. On the front end I have React and on the back end an Express server with a Postgres database.
Right now when user tries to log in, I verify his credentials against the database and then issue a token, which then is stored in http-only cookie in the browser.
However right now I'm struggling with some front-end problems. I need to have some sort of 'CurrentUser' object on the client side. The problem is that I can't decode token and retrieve data from it using React, since it is http-only. I could additionally send user credentials along with the token and then store them in local/session storage, but that doesn't seem secure to me.
Perhaps I misunderstand something about the applications of JWT; if so, could you please correct me and give some advice about how I should handle my authentication?

Node.js + Ember.js Login System

I have a server running Node.js and my client side is in Ember.js.
I'm trying to implement a login system but there is not much on the internet about these two tools working together. I've got a simple authentication system
But what I need to do is the $_SESSION part like in PHP.
I can log in and get my information right away but I don't know how to remain logged in to forbid/allow going through certain pages. I need some cookies or something but I'm not quite seeing how I'm going to do this with these two tools.
Thanks in advance
Here are two examples of handling sessions/authentication and login in Ember:
https://github.com/embercasts/authentication-part-1
https://github.com/embercasts/authentication-part-2
Here is an Ember addon:
https://github.com/Vestorly/torii
You can store the session token in a cookie, so that when the page is closed the application can retrieve it.
You can send the session token to your Node.js API to authorize the user to whatever resources you are using.

NodeJS authenticating with phpBB?

I am building a webapp with Node.js and installing phpBB on an Apache server that will be on the same domain (i.e. node = myapp.com, forum = forum.myapp.com).
I want the node app to authenticate with phpbb. I am not the most familiar with sessions, can anyone point me in the right direction on how I would use the session that is returned from phpbb to verify authentication for the node app?
So the workflow would be like node/myapp.com -> login form on myapp.com -> authenticate phpbb/forum.myapp.com = both myapp.com and forum.myapp.com are logged into phpbb.
You can log a user in effectively by creating a session record for them in the phpbb_session table and then adding the appropriate cookies under the domain phpBB3 will go looking for them in.
Those two steps are all it takes to actually "log in" a user to phpBB3. Note: this circumvents all password protection.
If you want to actually authenticate the user/password against the data in the phpBB3 database then you'll have to go look at the authentication module, if I recall correctly they use a uniquely-salted SHA2-based algorithm of their own.

Chrome Extension + Devise + Rails App - Making authenticated requests from extension?

I'm building a Chrome extension that facilitates the creation of contacts straight from the browser without needing to go to my Devise-powered Rails app itself. Contacts#Create requires authentication so I'm wondering how I can send authenticated requests from the extension.
I've enabled Devise TokenAuthenticatable and so my users have an auth token. I've written a method in my extension's JS that posts to my Rails app's contacts#create action. For testing, I've simply hard-coded my own auth token in, which seems to work. But how can the extension access the auth tokens for users? It doesn't seem right/secure to store this token in a cookie.
I think I'm supposed to use chrome.cookies to access and do something with my app's session info somehow. But I only get a sessionID here.
Any help appreciated!
Although not from a Chrome extension, I was building something similar that would work from the terminal. I ended up bypassing Devise and creating my own token authentication that would allow users to access just the one controller#action I needed. That way you can minimize the damage if the token gets stolen.
So anyway, I would allow users to generate (and regenerate) tokens within the Rails app interface and make it so that the extension asks for the token on the very first launch. I'd store the token itself in localStorage.
You can also check the authentication_token stored in your app cookie.
You can achieve this using the chrome.cookies.getAll() method detailed here - https://developer.chrome.com/extensions/cookies#method-getAll
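A sketch of the single-action, regenerable token suggested in the answer above, as an added example that is not code from the thread. It is written in JavaScript rather than Rails; the in-memory `tokens` map and the function names are hypothetical, and keeping only a SHA-256 hash of the token on the server is an assumption that goes beyond what the answer describes.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory store standing in for the app's database
// (hypothetical schema): userId -> { hash, scope }.
// Only the SHA-256 of the token is kept, so a leaked table does not
// hand out usable tokens.
const tokens = new Map();
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Generate or regenerate a token. Overwriting the record means the
// previous token stops working immediately.
function regenerateToken(userId, scope = "contacts#create") {
  const token = crypto.randomBytes(32).toString("hex");
  tokens.set(userId, { hash: sha256(token), scope });
  return token; // shown once in the app UI, then pasted into the extension
}

// Accept the token only for the one action it was issued for, so a
// stolen token cannot be used against the rest of the application.
function authorize(userId, token, action) {
  const rec = tokens.get(userId);
  if (!rec || typeof token !== "string") return false;
  // Both digests are 32 bytes, so the constant-time compare is safe to call.
  const matches = crypto.timingSafeEqual(sha256(token), rec.hash);
  return matches && rec.scope === action;
}
```
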
