I want to invite a new user (that not used the website before) to edit an existing Firebase record. (edit record of a location where I know the email address of the owner).
What is a possible approach?
Saving records should be generally protected by rules: email is verfified(!) and userId corresponds to a field in the record.
I could manually set up the user with password and random password first and save the userid in the record. But I do not see a way to set the email as verified (to allow later saving)? Even if I could, how do I sent a link to a user so he can sign in with his user credential.
There might be another way that I do not see. I would appreciate some direction. Thanks!
Related
I'm new to Next JS and this is my first time using Next Auth for authorization. I'm using the GitHub Provider and the Email Provider for authorization purpose in my app. For my app, I need the users to have a fullname and a username but I'm not able to figure out how to do it as I only get name and profile picture (from GitHub Provider, I get only email when using the Email Provider), and email. I want the user to be redirected to a page where they fill out a form with their fullname and a username, and only then I want the user object to be saved in the database. I'm using MongoDB here.
I created a login portal that we use for many applications.
This is not the standard login form, with 2 inputs, one for username and one for password.
It is a single page application, with this structure:
Initial page: input field for email
Once the user enters the email and continues, 2 thing can happen:
email is not valid (we do an API call to check if the email is present in our DB), in this case you get an error message
email is valid, and now you are presented with multiple buttons, one
of them is "login with password" (because the user can also login for
example with Office365, where we redirect the user on Microsoft
page).
if "login with password" is chosen, a input of type="password" is
now visible
Finally the user presses "login" and if the password is correct, he's now logged in.
This all happens in a single .html/.ts file, all done with ngIf to show and hide parts.
I want to implement that when the user successfully logs in with the password, the browser will ask if he wants to save the combination of username + password, but I don't know how, usually I know it works when both input fields (username and password) are one under the other, but in my case, not sure what to do!
edit: I saw that on Chrome there is a flag to allow : Username-first-flow, which by the description looks like what I want, so there should be a way to implement what I m looking for
My guess would be to not save the combination in the browser.
You should instead create a token in your back end upon successful login, then return it to the client, save it in a cookie that has flags secure and samesite to strict.
This token then can be used upon user return to authentify and thus skipping your login process.
Read more on auth process here: https://auth0.com/
The combination will get saved on a click of a submit button, so if you can like put the username in localStorage then when the user chose the password and fill it correctly you simply trigger a submit event but the form has to have the username input and the password input inside of it so this work. Any question?
I need to get the current user’s credentials ( user id & password ) and compare it to the custom user id field and password field from a suitelet. Is there a way to do this?
Appreciate all your help!
You can get the current user's id (email) with nlapiGetContext().getUser() in 1.0 or runtime.getCurrentUser() in 2.0. However you cannot get the user's password for obvious security reasons.
So I am sending an invite to an email address for the person to click on a to respond. They could click on the href or cut and paste it in the browser. I want to ensure that only the original person I sent the mail to is the one responding. So no forwarding of the invitation or sharing the link. I know I could put the target email address in the href as a return parameter but that could be manipulated. Is there a secure way to store the target email address in the link to be returned?
EDIT:
So I know I can just send a confirm email after the person accept the invite and register. I can also save the original email address and force the invitee to use that to register then send a verification email but all this seems very round about is there a more efficient way of doing this?
You can ensure that the person responding to the invite doesn't claim you sent the invite to someone else by (when you send the invite email):
generating a unique token
storing that token in your database alongside the email address
using that token to identify the email address when the invitation is accepted
However, as you said, the email can be forwarded. If you send an invitation to Alice and she forwards it to Bob, then there is nothing stopping Bob accepting it on Alice's behalf.
You can warn Alice, in the email, that the link is private and should not be forwarded.
Since the invitation will be associated with Alice's email address, if she ignores that advice, then she will still be able to use any password reset features you implement to gain control from Bob.
You can also send Alice a "You accepted the invitation. If this was a mistake, click here to cancel." email.
Yes, there is.
But how you choose to implement it is up to you. I would personally one-way hash the Email with etc sha256. You could lets say, base it on the database users following things.
User id
Email
Send timestamp
So you would have a string like:
1234-user#domain.tld-1528789712
And so on, the combination of things to put together and then hash is up to you. Granted, don't just hash the email as-is - Then it's still easy to "manipulate". Don't forget to save the hash in your database to, so you can work with it later or at least make sure that the things your have in your string can be recalled later on.
So you would include something like this in both your tracking pixel and href link. (I assume you have a tracking pixel as well, so you can track when they open the email but perhaps don't click the link)
?source=ba1159374805fb1c3129afd4811c7be072bd9205d88237c8a957a1dfdf6dd00c
Hope that helps.
I am learning to code and am attempting to build a to do web application in node using Express (I think that's the right wording).
I have a table('users') in postgresql which stores user_id,email and password.
When a user logs in to the website I want to loop through the table and ensure the email exists and it matches the password and then the user can log in and when they're logged in - their unique user_id is assigned and brings up their previous to do lists.. I would like to incorporate knex also if possible.
I am at a loss how to do this and would appreciate any tips/pointing in the right direction.
Thanks
Try something basic first
SELECT
user_id
FROM users
WHERE
email = _your_user_email
AND password = _your_user_password;
If the result you get back contains user_id or whatever you want returned, then the user exists. You can expand on this further by checking for email, and let the user know that the email exists but the password is incorrect, etc. Try the simple method first and see if this meet your need.
First of all, I would recommend you to name your id field for your users table as id.
It is best practice to name id fields as id and reference columns as <tablename>_id
(eg. table clothes.id unique identifier for iter and clothes.user_id – foreign key to table users).
Secondly, it is highly NOT recommended to store your passwords as raw data inside of the database (security reasons).
It is a common practice to keep user passwords as hashed data.
For example, take a look at bcrypt package.
To select users (there is no such thing as "loop" in terms of database, it is called "query") you need to
create a query like
select
id,
email,
<any_other_field_you_need>
from
users
where
email = 'your#email.com'
and password = 'your password hash'
In terms of knex it can be written
knex('users')
.select(['id', 'email', '<any_other_field_you_need>'])
.where('email', 'your#email.com')
.where('password', 'your password hash')
Your query params (email, password) you can get from express body.
Make sure you are using POST HTTP method to send your request and pass your data as a body.
In case you don't know express – it's an npm package.
It helps in the creation of web-services. They have a hello world guide on their
official website. Feel free to check it out. Or just simply google "express tutorial for beginner" there are a lot of great tutorials over the internet about it. It's quite popular.