I want to protect my admin interface inside nuxt.js.
Protecting the data is easy with an authentication on the API, but i don't want any user to see my admin interface by simply modifying the client side authentication code.
I was thinking about creating a second app only for admin but is there a better way ?
Related
There is plenty of tutorials and articles on this precise question but each one contradict the previous one,
I'm trying to make a signup and login reactJs pages with Firebase js sdk on the frontend, that's what I found most of youtubers devs do,
And then I found that is not secure (doing the authentication on client side).
You should use the Firebase Admin SDK (firebase.google.com/docs/admin/setup) on Firebase Cloud Functions or a self-hosted server in that case. Everything else would just be a dirty hack – PRSHL source
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves. source
I really want to understand if it is not secure to use it on the client side, Why does firebase provided it in the first place ?? or is there another way to properly write the auth using firebase js sdk on the frontend ? of course without using admin sdk
Or should I use firebase js sdk on the backend with express ?
I only want clear and detailed answers please !!
My best guess is that you're confused between authenticating a user client-side and the fact that Firebase provides a client-side SDK for authenticating users.
Though all you have to do to use Firebase Authentication in your app is implement its client-side SDK, there are many more parts involved in the process - and quite a few of them run on secured servers.
It's just that Firebase (and the authentication providers it supports) have implemented the server-side of the authentication process for you already and made the variables parts of the process part of the configuration that you provide either in the Firebase console, the provider's web interface, and/or in the configuration that you specify when you initialize the Firebase SDK in your client-side application code.
From the comments you now added, the second is correct and explains exactly what the risk is:
It's not recommended to create admin accounts on the front end as anyone could look into the code and action it themselves.
So while you can safely create a user account on the client (a process known as authentication), marking them as an admin (a process known as authorization) has to happen in a trusted environment as otherwise any user could make themselves an admin.
I am working on an angular application that uses keycloak-angular package for authentication. I want to add a feature which would allow a public user to access the protected resources and for that I have thought to create a default user and use a specific url to log in with that default user and access the protected resources, but I am not able to find a way to supply login credentials and login manually rather than redirecting to the auth/realm page and ask user to login. How do I do that?
If you configure your client to use direct grant you'll be able to get an access token with a simple POST request.
Form an Oauth perspective this is the Resource Owner Password Credentials flow.
Direct grant come with several drawbacks and you might want to
Deploy two instances of your front-end application with separate clients in order to avoid leaking your "more secured" client credentials.
Implement role scope mappings limitations for the "direct grant" public client.
Another easier solution would be to make public resources... public. Assuming you are using some REST API you don't have to protect all endpoints with Keycloak.
Example: with Keycloak Spring Security adapter that'd be something like .antMatchers("/public/*").permitAll()
I'm working on a website where the user needs to log in to view the content. I'm working with react for the frontend and i'm using node to develop the API. I'm trying to protect my pages with a json web token, this way once the user logs into, the server gives a jwt which the frontend asks for to let the user to continue navigating or otherwise redirecting him to the login.
I know the server needs to verify the token, and i know i can create a middleware and implementing it to my API routes to achieve this. But my question is, if in the page i want to display i don't need to call any API route how can i verify the token?
I mean, should i create a route only to verify the token? or there is better way to do it?
Any suggestion or code example is welcome.
I suggest to use backend for token verification it is easier to manage in long run and safer. For example , if you use hmacsha256 signature , you have to leak your private key to client side for token verification. For client side identity verification, i suggest work with server side rendering instead to limit access to the protected part of website.
Iam building a School Management web application and wanted to include multiple authentication.
My idea is first to authenticate the school and then the users such as admin,teacher and staff of that particular school.
Is there any way to implement this using nodejs and express. By the way I have used passport to authenticate a user already (without school authentication) and want to build upon that.
Am I wrong to think of having multiple nested authentication?
And how would I go about implementing if possible?
Multiple authentication is redundant. You can use single authentication and role based access to ensure right resources are accessed by right person.
In your case no need to authenticate a school. Just authenticate the user, check which school the user belongs and allow access to those resources.
When a user authenticates on my app (by Google plus) I want to create a row in a Users table by the server side. I would not know how to do.
I think there is a function that is called when a users is authenticated.
My app is a mobile app with JavaScript back-end (Node.js).
I don't know of a callback that happens on successful authentication, but an easier way to implement this would be to require authentication on all of your endpoints, and then add the user information to a table if it doesn't already exist.
See this article for information on how to get user details in your Node.js app: How to: Require Authentication for access to tables.