User Authentication on Github Pages - javascript

I am trying to build a website on GitHub pages. This website will have User Authentication ( think of Login ). Each user will have some private pages which only he is able to access. Since GitHub only allows Static Sites, I am unsure if this is even possible here.
Since I am a complete novice to website development I don't know how this will work/ whether this will even work ?
I know that GitHub Pages do not support PHP but they do support JavaScript, thus is there any way possible for this to be implemented ( even if it includes using third party apps/ websites )?

I don't think it's possible.
GitHub only allows Static Sites
So you won't be able to store any user sessions on Github. There's likely something "creative" you can do to manage users or sessions using Javascript and/or by making requests to 3rd party sites but it's likely not going to be worth the effort, especially if you are a complete novice to web development.
Many web hosting providers offer free or trial accounts, I would suggest trying those or running a VM locally while you learn.

Related

What are the risks to deploying my nodejs app on a web server like siteground as opposed to an internal server?

I have just built a nodejs app (with HTML/JavaScript/css) to handle (among other things) workflow management for my business. I am currently running it on a local computer on the network so it is accessible to all the staff who connected to office WiFi.
So that staff can access the system from outside the office I’m considering grabbing a cheap URL and deploying it on a web server (siteground specifically because I have a reseller account there). However because this is the first web app I’ve built from the ground up I just know there are going to be security vulnerabilities and the like in my coding.
The kind of data that is included in the MongoDB database is fairly basic, just customer/supplier contact information and product information.
How dangerous is it for me to do this, is it something I should worry about or should I be okay? I don’t plan to have it indexed by search engines, it’s only for staff use so I don’t need customers to be able to find it.
Appreciate any insight from people who have been doing this longer than I have.
Thanks in advance!

How does Google's analytics.js authenticate the hostname?

I'm building JS-only plugin which will be implemented on multiple websites, each website having its own unique ID, which is passed to a Rails API along with some other data. My API will verify the hostname and ID provided by the JS plugin - but these things can of course be seen and used to fake impressions or events by anyone.
As far as I'm aware, there is no foolproof way of authenticating a website without an invisible, server-side key. That said, how does Google do it?
Analytics requires no server-side implementation, only an ID, which it of course checks against the hostname. Does this not mean that page views and events can be faked by a third party, and if so, why isn't it a prevalent issue?
Thanks in advance

Javascript: Is a “static site, editable content” blogging system a realistic use for the GitHub API?

I am working on a GitHub gist based blogging system that will allow a static site hosted on github pages to be editable on the go. That way you can edit/correct typos/post by creating and editing gists with gist.github.com interface rather than having to have development environment set up, regenerating the site, and pushing.
Because it needs to be static, I’m writing it in (plain) Javascript.
From what I understand the API only allows a limited number of requests without authentication.
Is there a way that I can:
- Use client-side javascript
- Let visitors view the blog an unlimited number of times
- Have the blog author authenticate, but not everyone viewing it
I only need to read from the API, not write; editing is done using GitHub’s interface.
This will be a plain JS app that GitHub users host on github pages, so I’m not sure how authentication could be done securely.
Is this a feasible thing to do?

How to implement a web widget with OAuth 2.0

I want to create a web widget that will display information from my site.
The widget will be included in the client's website HTML using JavaScript, and should only be usable for my clients -- web sites that were registered at my site.
The information in the widget should be specific to the user who is currently visiting the client's site.
So, I need to authenticate both the client (website owner) and the resource owner (website visitor). This seems to map nicely to OAuth 2.0, but I couldn't find a complete example or explanation for such an implementation.
Any resources or pointers to such information will be appreciated.
Update: I've stumbled upon this article, which provides an outline for an approach that uses OAuth. However, it is not detailed enough for me to really understand how to use this with OAuth 2.
There are many large organizations that have done this, and I'm sad to see no other answers for this question since it's such an important web pattern.
I'm going to presume that you are not rolling your own OAuth 2.0 provider from scratch, if you are - well done otherwise you should be using something kickass like Doorkeeper to do this for you.
Now, in OAuth 2.0 you have the following entities:
Users registered on your website
Applications registered on your website (who subscribe to your oauth2)
User Permissions which is a list of Applications that a user has 'allowed'
Developer (who is consuming your auth API / widgets and building an Application)
The first thing to note is you must have a domain name associated with each Application. So if a developer registers for a API token / secret on your website, the Application he creates is mapped to a unique domain.
Now, I presume that the flow for an application to authenticate users via your website is already clear. That being said, you don't need to do much for this to work.
When an Application sends the user to your website (in order to sign in) you place a session cookie on the user's computer. Lets call this "Cookie-X".
Now the user is authenticated by your website and goes back to the Application. There we want to show a custom widget with information pertaining to that user.
The developer will be need to copy paste some code into this app.
The flow is like this:
The code will contain a url to your website with his Application ID (not secret) which he got when registering his application on your website.
When that code runs, it will ping your website with his appId. You need to check that AppID with your database, and additionally check that the referrer url is from the same domain as that which is registered in your website for that AppID. Edit: Alternatively or additionally, the code can check for document.domain and include it in the ping to your website, allowing you to verify that the request has come from the domain that has registered with the given AppID.
If that is correct, you reply back with some JS code.
Your JS code looks for the session cookie your website had set when the user had signed in. If that cookie is found, it pings back to your website with the session and your website responds with the custom view content.
Edit: as rightfully mentioned in a comment, the cookie should be HttpOnly to safeguard against common XSS attacks.
Additional Notes
The reasons this is a secure approach:
The AppId and domain name are a good enough combination to verify that other people are not fetching this information. Even thou the appId is visible in the applications html source, the domain name would have to be spoofed by anyone attempting to use someone else's AppID.
Presuming someone takes an AppID which is not his, and writes code to spoof the domain name of the referrer when requesting for your widget, he still won't be able to see any information. Since you are showing user specific information, the widget will only render if your website can find the session cookie it placed on the users browser which can't really be spoofed. There are ways around like session-hijacking, etc. But I think that's beyond the scope of this question.
Other Methods
Just by looking at Facebook's Social Plugins, you can tell that there are other options.
For example, one might be to use an Iframe. If you ask the developer to add an Iframe to his application, you can even reduce a few of the steps mentioned above. But you will have to add JS along with it (outside the iframe) to grab the correct domain, etc. And ofcourse from an accessibility and interface standpoint I'm not very found of Iframes.

Online Database WebApp / Service

i'm experimenting by mounting a website hosted on my Dropbox Public folder. Files can my accesed and I used my domain name to redirect to de index.html public url.
I can run javascript, bootstrap, jquery and that stuff but not php (for obvious security reasons of dropbox).
I would like to save data from the website. We all know that JScript is not allowed to write files or anything outsite the browser or the webpage itself.
I've been searching for a webapp/service that provides me a database or something like that let me save data from javascript. Somethingthat get connected to my host and gives me an API to the service or something like that.
Anyone heard about something like this? Or any other way I can get data saved? (serializing a JS object to a file would be just enought to me)
From experience,
If you stick with trying to host something on Dropbox or anything that was not purpose meant for that, you will continually run into problems like this.
In the end spending (wasting) more time, energy and money on workarounds, rather than having fun in a real hosted environment (cloud based is more fun than DB!)
Do yourself a favor and move to a hosting platform, and spend that energy more wisely in creating a website or product (maybe that will make you money even)
There are plenty of free hosting platforms to get your started.
A quick serach on Google:
http://appfog.com/
https://pagodabox.com/

Categories

Resources