I've been searching for 2 days and I'm still not sure what I'm supposed to do.
What I currently have is an authentication flow which uses php to search a database to validate the correct userID and password from an user.
However I want to alter this authentication to use "Amazon Cognito User Pools", even though there is a PHP SDK this specific feature (still in beta) doesn't seem to exist for it yet. The examples and sdks that this can currently handle are Mobile (iOS, Android) and Web (JavaScript).
So I have to authenticate as if I was doing a web app (with JavaScript).
To do so I thought I had to replace the authentication php file in where it checks the database to use this JavaScript authentication instead.
As far as i know PHP files don't just execute JavaScript in the middle of a script, but instead they render it to the html result webpage, then the client browser can execute them instead. This would weaken the security and also is not what I want.
So my second idea was to make the PHP call a RESTful request to the same server but a different file. Then the file would be a JavaScript function which authenticates and does everything required and returns the result, then the php file would have the result and I can continue with the normal flow.
Now this seems very strange and kind of wrong, because for my server to use JavaScript files that consume RESTful requests it seems I need to install and run node.js as well.
Is this really the correct approach?
Actually you can implement your own wrapper for this because that kind of thing base on get request or post request on server side. If you have some library that can make post request and get request on PHP for example with curl, u can have a look on their authentication flow and implement your own. Flow link below.
Authentication Flow
Related
I'm working on a project in which we need to authenticate the user in an application by using his/hers windows credentials. Frontend is using Angularjs and backend java.
After doing a sensible amount of research, I discovered that there is no way on the the frontend to obtain directly the Windows user & pass due to security concerns.
But I'm thinking that the whole process should start here, from the frontend, by obtaining these two encrypted credentials or at least a token and sending them to the backend in order to kickstart the ntlm authentication process.
And also, not sure if the user should have to log in the app by typing his windows credentials or if it should automatically be done with ntlm passthrough.
I do not have a good grip on the concept, and that is because most of the related sources that I found are referring to backend solutions (C# 80% of them), but almost nothing for fronted. So, I humbly require some clarifications on this topic. Is there some sort of middleware or npm package that I should use in order to obtain the user & pass, or what would you advise?
Web servers expose certain server variables to code handling requests they serve.
For me, using IIS, these are described here: https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602%28v%3dvs.90%29
Since I am using IISNode; my node.js environment is completely embedded into IIS; I have access to these server variables. As the link described, each programming language seems to have their own way to access these variables.
So I would doubt it if Java does not have those as well. The exact code to use will depend on you back end.
But a quick search for "java server variables" already yields me the following:
https://docs.oracle.com/cd/E19534-01/820-3288/gawim/index.html for the java access manager.
http://users.polytech.unice.fr/~buffa/cours/internet/POLYS/servlets/Servlet-Tutorial-CGI-Variables.html for old school JSP.
How can I obtain server variables using apache wicket 1.54? for java wicket server.
So have a look at the documentation of your specific web server software or Java API.
There should be a list and example code of how to access these.
Once you obtain this data server side, you can do the LDAP query and then return the results client side.
I am newbie to angularjs. I developed an angularjs application using angular seed skeleton https://github.com/angular/angular-seed for client side. And for API server I used expressjs server.
My home page url is something like localhost:9000/app/index.html#/home
So, typically if I hit the url localhost:9000/app/index.html#/home I see my home page.
But, I have a requirement that there will be a POST request also to my application from some xyz application.
So, I want to determine, whether the incoming request to my angular seed application is coming from an external application or not.
Like in PHP there is a Super global array $_SERVER, with which you can determine the incoming request method... Is there anything in angularjs to determine the request method.
I hope my question is clear enough to understand.
Truly appreciate for reading my question, some hint would be great.
What you are asking implies you want to use an Angular frontend to provide POST method endpoints to your API. This does not make sense.
The equivalent of PHP's $_SERVER array to get passed variables is found inside Express's API, using the req parameter of a specific route setup. See http://expressjs.com/4x/api.html#router.route. This is where you create logic based on request method. app.get() and app.post() and app.put() and so on, as Ben's comment mentioned.
In the traditional PHP example you mention, the entire request goes to the server and a page result is returned to the browser, so you have the chance to detect that a POST or GET was made and direct the request appropriately.
Angular is a javascript based framework that runs in a browser. The browser will use GET requests to initially download all the html/js/css, but then it runs in a javascript context and no server is involved after this point unless explicitly coded in an Angular module/controller. This is where you would make GET/POST/PUT/DELETE requests to your API backend.
Your API is accessed with XHR (XmlHttpRequest) calls in a javascript context, based on user interaction with the UI. These calls can be made using GET or POST et al depending on how your API functions, using angular $http or $resource and the like.
I've worked a bit with Twitter web API, I know it works with OAuth, I've consumed the API using a python library. I've also tried a bit of Instagram API using a Java Script small library.
I know those perform web REST requests in the background, authenticating first and then querying requests as I code.
However, what if I want to perform the requets using jQuery $.ajax from a web application?
I've read some docs and sites and it seems it's just possible. Like only ajaxing to the API routes, starting with the authentication route.
But, how does this process work? I mean, I query by AJAX to the auth route and then how do I keep track of that authentication. How to keep that communication? Will the redirect URL play its role then?
Reading this site for Instagram API I start getting a clue about it, but got the doubts mentioned above.
I want to perform all AJAX requests in the Java Script server background (I'm using node.js), assuming I will provide my apps OAuth in the $.ajax. Is that OK or I can actually code it on client site keeping my OAuth tokens save?
And, if it's concern of this same question, when it comes to bytes (pictures, sound, etc) how to catch the response from API.
Okay, if I understand what you are trying to do is to make an Ajax call from a web page to the Twitter API and post/retrieve tweets and other info from Twitter.
Since the release of the API v1.1, Twitter has deprecated the v1.0 API and one of the major changes in 1.1 was Authentication Required on all Endpoints
And to do this from JavaScript and jQuery is quite possible (albeit very cumbersome, difficult and requires the use of many 3rd party JS libraries to HMAC Hash your data and keys and calculate content lengths on the client side before making your Request. Twitter API does not support CORS but does support JSONP for these kind of Ajax requests. But this is not recommended - since doing this on the client side will require you to have your Twitter App Access Keys - Private keys - embedded in your script files - which is basically a big NO-NO. And hence a server side solutions to generate your oAuth tokens is recommended. But once you have achieved that, it may be easier to get the token on your script and make Ajax calls using that from the browser. But I haven't gone that far in my research.
Also, this is based off of my research in Mid 2013 when my Twitter Ajax widgets stopped working because of this change and I gave up trying to fix it using that route after I realized it would compromise my security keys. Things may have changed since then.
If you are still interested to find a solution, this walkthrough would be a good place to start learning about Twitter's oAuth and how the Access Tokens are generated: https://dev.twitter.com/docs/auth/oauth
I'm currently planning to develop a HTML5 app. The basic concept is the following:
A user should be able to create a profile with username and password. The Server should be implemented in Ruby on Rails providing a JSONP Api (for Cross-Domain issues).
So the App will send Ajax requests to the Server and get responses from it.
My idea was now to transmit a session_key (generated by server) on the first response back to the client. Then the client has to authenticate himself with this token.
But now i have some issues.
How can i secure the first call of the client (when he is transmitting user and password)?
How can i protect the Session-key from beeing spyed out?
I am a complety noob in security aspects. Therefore it would be great if i could get some hints where to look at.
Secure your connection with SSL. This should require no changes in your code apart from putting 's' after 'http' ;-).
I used add a checksum to the ajax parameters (calculated using the submitted data), and then to crypt the hole ajax request into one string.
Somthing like sRequest=459fdjnfdw4r908vn....
sRequests holds my data (sUser=user&sPass=pass&iCheck=34564).
Edit: My client code was not public, compiled to an app.
I was reading #Nivco answer to Authorization of Google Drive using JavaScript and saw:
"...all you have to do it is use server-side code to process the authorization code returned after the Drive server-side flow (you need to exchange it for an access token and a refresh token). That way, only on the first flow will the user be prompted for authorization. After the first time you exchange the authorization code, the auth page will be bypassed automatically.
Server side samples to do this is available in our documentation."
Having read the documentation I am still pretty confused about how to process the authorization code and ultimately pass the access and refresh tokens to my Chrome extension so that it can proceed without the server for future requests. Can someone provide an example of the server-side code to do this?
As background I have a Chrome Extension with several thousand users that is built on the Google DocList API but I am trying to transition to the Drive API since the other one is being deprecated. Ideally my code would be entirely stand alone as an extension but I'm willing to accept the single authorization request through my server that Nivco's answer requires.
Thanks!
We've just ported our JavaScript application from using server to client flow. We've removed the server part entirely, it's not needed any longer.
You can see the source code that we used online, it's available uncompressed.