I am learning to code and am attempting to build a to do web application in node using Express (I think that's the right wording).
I have a table('users') in postgresql which stores user_id,email and password.
When a user logs in to the website I want to loop through the table and ensure the email exists and it matches the password and then the user can log in and when they're logged in - their unique user_id is assigned and brings up their previous to do lists.. I would like to incorporate knex also if possible.
I am at a loss how to do this and would appreciate any tips/pointing in the right direction.
Thanks
Try something basic first
SELECT
user_id
FROM users
WHERE
email = _your_user_email
AND password = _your_user_password;
If the result you get back contains user_id or whatever you want returned, then the user exists. You can expand on this further by checking for email, and let the user know that the email exists but the password is incorrect, etc. Try the simple method first and see if this meet your need.
First of all, I would recommend you to name your id field for your users table as id.
It is best practice to name id fields as id and reference columns as <tablename>_id
(eg. table clothes.id unique identifier for iter and clothes.user_id – foreign key to table users).
Secondly, it is highly NOT recommended to store your passwords as raw data inside of the database (security reasons).
It is a common practice to keep user passwords as hashed data.
For example, take a look at bcrypt package.
To select users (there is no such thing as "loop" in terms of database, it is called "query") you need to
create a query like
select
id,
email,
<any_other_field_you_need>
from
users
where
email = 'your#email.com'
and password = 'your password hash'
In terms of knex it can be written
knex('users')
.select(['id', 'email', '<any_other_field_you_need>'])
.where('email', 'your#email.com')
.where('password', 'your password hash')
Your query params (email, password) you can get from express body.
Make sure you are using POST HTTP method to send your request and pass your data as a body.
In case you don't know express – it's an npm package.
It helps in the creation of web-services. They have a hello world guide on their
official website. Feel free to check it out. Or just simply google "express tutorial for beginner" there are a lot of great tutorials over the internet about it. It's quite popular.
Related
Users are login using Cognito to our app and the email is used as username.
The PM asked for the option to change username but, seems like AWS doesn't give that option.
const res = await cognito.adminUpdateUserAttributes({UserPoolId:userPoolId, Username:body.uuid, UserAttributes:[{Name:'email', Value:body.newEmail}]}).promise();
return createResponse(200, 'ok');
Now it returns empty response without errors but I don't see the user email changed, I also tried to add email_verified:true but nothing happened. Anyone knows a workaround?
1.Only option for you to do here is either migrate to a new pool while migrating change the username.
2.If you want to change the login username continuously you can use username or preferred username as alias for the cognito. There is option while configuring and cannot be changed after pool is created.
So after a user has presses the register button, I want to send the data to a cloud function called Register().
The data that I send is first name, last name, date of birth etc.
I form the username by lower-casing the first name and last name and then joining them up. I want to check if the username exists, then add a number until unique username created. If the username does not exist (meaning its unique), create user account with email and password and store data in firestore.
I check if username exists by a username collection in Firestore with all taken usernames.
Right now the way I do this is with a while async loop at the client side but I want to move this to cloud functions for more security. I tried using the same method with async while loop but firebase cloud functions does not accept await in loops.
Any ideas on how to do this? Perhaps recursion? Any help would be much appreciated :)
How do I find a subcollection based on a field value? I am currently using this code but it doesnt work:
var user = db()
.collection('myCollection')
.doc()
.collection('private')
.where("nam", "==", this.state.passcode);
What I am trying to achieve is making a custom authentication, so giving a custom username and password to users (in this case just a passcode). So I decided to store those credentials in a separate sub-collection inside a document. How can a user authenticate by comparing the values of username and password with the ones of a sub-collection?
Another question, is sub-collection for credentials a good idea? Will it cost the same to me as if I would store those info in the document?
First of all, what you're doing right now is not secure at all. You should never store user credentials in a database, especially not one that's directly accessible to your web and mobile clients. To do this properly, you should be making use of Firebase Authentication to sign in users. (You tagged this question firebase-authentication, which refers to that product.) In fact, doing security properly is very difficult. Firebase Auth will make sure everything is done correctly.
Secondly, the query you have now will never yield any documents. That's because you're not passing anything to doc(), which means it will return a DocumentReference to a non-existent document with a random ID. If you meant to have some sort of unique identifier for each user, perhaps that's something you would want to pass to doc() so that each user's subcollection would be correctly identified.
I have a universal used_id that will be used in brain socket (https://github.com/BrainBoxLabs/brain-socket) in Laravel like this:
window.userId = {{ $user->id }};
This will be used when receiving notifications,messages,etc. Problem is, since it is JS, window.userId can be edited in the DOM (like using firebug). So the user can get notifications from other users, which should not be.
Are there any countermeasures for this? (I'm using Sentry Package to get the user id)
I've been thinking to use unique channels for each user instead, based on their ID, but will that be overkill? And i still have no idea how to do this in laravel?
You can't prevent users to edit javascript. You should use a specific kind of ID that we name "token", it's a key with a lot of every character, it's prevent users to guess the token of an other user.
You have "uniquid" who return a unique string, based on time, it can be guessed, but you can use it to assert unicity of your token. You can add informations such as user id, name, random string, maybe some salt, and then hash it.
You can use hash function
http://php.net/manual/en/function.hash.php
or mcrypt (you'd better use this one) :
http://php.net/manual/en/book.mcrypt.php
I'm wondering if any Node/Express gurus could give me a little advice on if the following scenario that I'm trying to achieve is possible. I think it is, I'm just a little unsure on the best-practise way to tackle the problem.
I'm currently in the process of building a small client that will be protected. To gain access to the following the following steps must occur:
Input name + email address in a form that then sends this data in an email to an admin.
The email will containing a prebuilt link containing query params of the data that was input into the field. The link will have an API URL prior to the query params.
When the link is clicked an API request will be performed that takes the query params (mainly the email address) and grants this email address access to the client for a specific period of time such as 2 hours.
The client will go to subdomain.domain.com, enter their email address (which gets validated to check that an admin has approved the email address) and have access to the client for 2 hours. There will also be a timer with the remainding session length.
The majority of this I can take care of but I thought I'd give you an insight in to the full picture of what it is I'm trying to achieve. The part that I have queries about is section 3 and giving an email address access to the client for a specific period of time. I don't want any passwords to be involved so what is the most-secure, more-advisable solution to this? Would I have to use tokens?
I will be building the server-side using Express unless I strictly have to use Node for whatever reason.
Thanks in advance!
When the admin approves the request, the api inserts a row into a db (mongo would be easy) which expires in 2 hours (or however long). Next, when the user goes to the subdomain, they enter their email address. Your express app checks if the email is in mongo. If it is, they have access. You can stick their email in a cookie and check it that way on future requests.