I'm having a big Problem. Whenever I'm connecting to Cloudant via PouchDB a nasty modal pops up that asks for authentication. I'm using PouchDB's authentication Plugin and the responsible command for this NOT TO HAPPEN. But somehow it still does. The modal keeps popping up, no matter what I do. It shuts down my whole production and I've been trying to solve this for days now.
I have an example on GitHub.
Help is very appreciated! Thanks! :)
You need to rename "Basic" in the WWW-Authenticate header your server sends to something the browser is not hard-coded to recognize and react to. I know nothing about cloudant, but it looks like their docs route back to couchdb for manual configuration so hopefully they have identical configuration for this.
For couchDB, changing the Basic to Basicfoo suppresses the browser authentication windows when pouchdb hits the URL with Authentication.
(You can also look for other solutions particular to your DB and any proxies you might be using now that you know you want to change Basic in the WWW-Authenticate header, for example this one has a solution for nginx.)
Related
Good afternoon,
I have a problem that I would like to get your help with if it were possible.
First of all I would like to mention that I am using Angular with TypeScript.
I am trying to make a kind of single sign on of several websites in a single application and I am having some problems when it comes to redirecting to the desired website.
All websites that I am trying to sign in cannot be changed and I can only make changes to the application I am developing.
On the client side, I make a request to the API (NodeJS) that performs the authentication on the intended website and returns an authentication cookie to the client.
So far so good, it's working perfectly. The problem arises when I need to open a new browser tab and pass the authentication cookie I received.
When opening a new tab I am forwarding to the page after login and I need the cookie for that task.
I tried to set the cookie in the browser to a different domain but without success.
Can someone help me, whether it is trying to find a solution or indicating a possible different way to solve the problem?
I would like to mention that the domain of all websites are different from each other and different from the application I am developing.
Thank you in advance to anyone who can help or direct me to the solution and I apologize if I did not understand perfectly what I want. Any doubts tell me that I try to explain better.
Regards,
André Pinto
From frontend you cannot set a cookie of another domain, but what you can do is to have a php page, which sets cookie of another domain or have a backend redirect. you can use this article for detailed information :-
https://subinsb.com/set-same-cookie-on-different-domains/
On reference link more :- Setting cookie for different domain from javascript
As mentioned above you won't be able to achieve this with cookies; being able to set cookies for other domains would be a massive security issue.
If you control the other website and have access to the backend, then your backend can handshake to identify the user. Otherwise you could look at using a querystring redirection to authenticate the user.
All the best.
Since posting on the Disqus disqus forum seems to be a waste of time, maybe someone here can help.
I'm trying to use the OAuth2 flow to connect a Disqus user to my app's account system so I can monitor their activity (posts/comments/etc). I'm using Meteor for my app. I'm calling the OAuth2 authorize endpoint from my server code and passing the resulting HTML back to the client for rendering. This all works fine. But I'm seeing 2 problems on the client side. First, the HTML code returned from Disqus seems to be designed in a full page and the username/password fields extend across the entire window. I was expecting a dialog/modal popup like the one that Disqus provides when logging into a forum. I tried wrapping the HTML inside of a Boostrap3 modal window which mostly works except the username and password fields extend off the right side of the dialog box.
Ignoring the ugly UI the second problem is that when the user clicks on the submit link Disqus puts up and error page titled 'CSRF verification failed (403) - DISQUS'. I'm guessing this may be because the OAuth2 call was made from the server and the submit is coming from the client. If I copy the OAUTH2 url directly into the browser everything works fine. But I don't want to expose my API key and resulting code on the client side since that seems like a security risk.
All I really want to do is verify that the user is trying to connect their own account to my app (and not some other user). I'm not posting with their account so I don't need an access token (I'm calling user/details which just takes the API-key). So I've thought about creating a forum for my app and using the login endpoint to verify the username/password combo. But that dialog doesn't explain the scopes I'm asking for.
I've also considered building my own dialog box to prompt for the username/password, sending those back to the server and have the server "fake" the submit back to Disqus. But that is not a maintainable solution since Disqus might change the expected fields at any time. And it is ugly as sin.
Anyone have any suggestions? I didn't post any code since I don't believe it is a coding problem (and the code is a bit convoluted). But if anyone thinks it will help you help me, I'll be happy to post it. And, yes, I'm aware that not posting the code violates StackOverflow conventions. But I'm taking a chance that the powers that be will allow this post since Disqus support is non-existant and I don't know where else to reach out.
The basic problem was that I was using 'request' with forwarding enabled so that instead of getting the Disqus URL I was getting the Disqus authentication text. You need to render the authentication URL in a window, not the contents. That fixes the CSRF problem.
The next problem is that the URL returned by getAuthorizationUrl is bad. It is of the form 'nullhttps:...'. No idea where the 'null' is coming from, but stripping it off fixes that problem.
To make things easier for anyone looking to do this, there is a shiny new version of the Disqus NPM that includes OAuth authentication methods at https://www.npmjs.com/package/disqus.
I'm writing a app in ionic. The app relies on external api's.
I've made multiple functions to test the connection, to my own server, and my own server handles the api calls. My own server is needed for this because of ip-whitelistening.
All works well, but now i want to disable the application if the result from my own server is false. I make a call to test the connection everytime the app starts.
What is the best way to handle this with angular/ionic?
1 thought i had myself is to redirect to a landingpage, if no connection is available.
Any tips are welcome.
Yes, basically what you planned to do is OK.
So, just after your app loads up, check if the connection is available (you can read more about how to do that in my detailed post How to check network information change with Ionic framework), and if not then you can change the state to some page where it would clearly let the user know that "Currently the link to the server is not working" (or some better notification).
Also, probably you would want to put a refresh button on that page, so that one could click it and the whole availability process would be checked again (basically same as if someone restarted your app).
Hope this helps.
I need to get some spam messages from a set of gmail inboxes and post them to a server.
My initial idea was to write a chrome extension, which when installed would be activated every time the user visited its inbox, but I couldn't do it that way, since there is no access to spam messages (just unread ones through a XML file).
Then I discovered google APP script and succesfully wrote the script I needed.. but the problem is, how can I use that script for other accounts? At the moment a user needs a lot of configuration to make it work (script has to be shared, user has to install google app script, set a trigger for the function).
IS there a user friendly way to make this work? Even in other ways? I have no access to inbox passwords though.
Thanks in advace.
You should design a User Interface, deploy your app as a webApp with parameter 'run as user executing the app' and add the trigger creation in the script itself.
All this should not be too hard...
Feel free to ask for assistance if you meet some issue.
In this case don't forget to post your code if you want useful tips.
I'm developing a new web site that will be a single paged app with some dialog/modal windows. I want to use backbone for frontend. This will call backend using ajax/websockets
and render the resulting json using templates.
As a backend I'll use nodejs express app, that will return the json needed for client, it'll be some kind of api. This will not use server side views.
Client will use facebook, twitter, etc. for authentication and maybe custom registration form.
Client static resources, such as css, js, and html files will be handled by nginx (CDN later).
Questions that I have now:
How can I determine that a given user has the right to do some action in api(i.e. delete a building, create new building)? This is authorization question, I thought of giving user a role when they login and based on it determine their rights. Will this work?
Similar to the above question, will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
Is this architecture acceptable or I'm over engineering and complicating it?
Passport is an option for the authentication piece of the puzzle. I'm the developer, so feel free to ask me any questions if you use it.
I thought of giving user a role when they login and based on it determine their rights. Will this work?
Yes this will work. You can check for a certain role on the user after it's been fetched from the server. You can then display different UI elements depending on this role.
Will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
It wont be enough. Anyone could hop into the console and set something like user.admin = true. In your API you'll need to validate a user token from the request, making sure that the related user has the appropriate permissions.
Is this architecture acceptable or I'm over engineering and complicating it?
At the least you should have an API validation layer. That would make a decent enough start, and wouldn't be over-engineering.
For the authentication part of your question i would use everyauth which is an authentication middleware for connect/express. It supports almost every oauth-social-network-thingie.
For role management you could give node-roles a try. I didn't use it myself but it should help you out, because it checks the role on the server side. Of course that is only useful if your API is implemented in node.js. If that's not the case, you have to "proxy" the API calls over your node.js app.
I hope I could help you! :)