I have built an e-commerce website using express.js. The authentication method used is passport.js. We store the cookie with all the information we need in redis.
Everything was fine until we started driving more traffic.
Now the problem
When user A comes to the site, logs in and makes a purchase, every day or two 2-3 customer details are wrong.
User A comes to the site and make a purchase. The email and address of the user A sometimes becomes the email and address of user B
We cannot easily replicate this as this happens only once in 50 purchases.or sometimes twice in 50 purchases.
So I had to call all my contacts and check what is the wrong thing we have done. And curiously one guy replied me that he also have the same issue. He is saying it the problem with passport.js, and he wrote custom authentication method to remove passport and till now he has not faced any issue. He also uses exactly my set up. NODE-EXPRESS-REDIS
I am quoting his words here
Whenever a user logs in from one computer, open the site in another computer then refresh the page, You can see the logged in details of the first user in second computer, and this issue is not frequent but it comes once in a while
Related
How do I set up passport.js so that if I have two different users login in, it would be two distinct accounts? Right now I am running into a weird bug in which one user logs in. If a second user logs in, and the first user refreshes the page, the first user becomes the second user.
I have tried google strategy and i expect how to solve this problem
I am trying to understand what Apple is imposing as its new policy to ask developers to use Apple's own authentication mechanism.
Apparently Apple is using a different method compared to other authorization providers, such as Facebook and Google.
Apple's approach is, you receive the name and email at first login (say sign in). And after that you only receive a user id (something like 001134.432857YEASUREe274bxy231b3.0884 which means nothing unless you save it along with email and user name at the sign up).
Up to now everything seems fine.
The part that makes me confused starts here.
According to GDPR, as far as I know, you have to provide users a right to delete all their data from your servers.
And in this case, once we delete a user's all data then the correlation between "email+fullname vs user id" is lost for ever.
If the same user decides to reactivate herself, this time Apple will not send you email+fullname and this will impact the user experience.
Is my understanding correct? What is the solution for this problem?
References:
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user
https://docs.expo.io/versions/latest/sdk/apple-authentication/
I am starting a little learning project that would involve the following scenario:
User enters the page, there is a counter on the page which is connected to real-time database on firebase he/she presses the button, counter goes up, database is updated, but this user is not allowed to increase the counter anymore. Even when the app is closed and he/she opens it in couple of days.
The question is: is it possible to achieve something like this without explicitly login user in? So that on subsequent sessions the prohibition persists based on IP address or something. Maybe it could be achieved with local storage?
Thanks for any responses and ideas!
What you're describing requires that you can identify the app instance: the specific installation of your app on a certain device. For Firebase the easiest way to do this is using Firebase's anonymous authentication. This creates a unique identifier for the app instance, without requiring the user to enter any credentials.
I just implemented Google JavaScript sign-in button to our homepage, and everything works the way it suppose to, but thats sometimes bad..
So the thing is that our users use our application on the same computer, 3-4 different users per day. Having a google sign in gives us access to implement some Google product features in our own site.
I understand that sign-in with google signs you into the Google account, and also gives permission to application.
Also i understand that this is the way it works to make the life easier for user, not to sign in each time on every site.
I can easily remove the application permission via GoogleAuth.signOut() or GoogleUser.disconnect(), even with GoogleAuth.disconnect(), so the .isSignedIn() will become false, so the user will always have the prompt screen, also i use prompt: 'select_account' on .signIn() to make sure even single user will get the prompt screen.
The problem is when the 2nd user enters to our login screen and chooses "Sign in with Google", he can actually choose any previous user in the prompt screen and enter into our application as not himself, but actually can choose the previous user and authenticate himself as the other without entering any password.
Password will be only asked if previous user also logs out from his Goole account.
I know a hack is to redirect user to URL:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=YOUR_REDIRECT_URL
But thats seems like a very poor solution, because our users use our application also with their personal devices, so its kind of bad if they get logged out from all applications they have signed into.
I know asking password on each sign in is not the way auth2 intended to work, but i'm sure there is a way forcing user to enter password on each time they press "sing in with google" button.
Ive spend multiple hours on searching for a solution and tried multiple things, i hope someone of you can point out the needle in the haystack that i missed
All I want to do (for now) is have the end user authorize, via Oauth, permission to view email address, and have the script put that email address into my spreadsheet.
In testing, this works great. Buttons are clicked, tokens are exchanged, magic is made, all as expected when using my account, but when I publish and test with another account I get:
The state token is invalid or has expired. Please try again.
When I change...
"Execute the app as: Me"
to...
"Execute the app as: User accessing the web app"
...the second test account works, but I get no results on my end (obviously).
This makes me think that I've hit some limitation with the data exchanging across accounts, but this just doesn't seem right. This seems like a pretty normal thing to attempt. Maybe I'm wrong.
I'm happy to edit this question and share any code needed, but I'm pretty much using code straight off of googlesamples/apps-script-oauth2
I guess I'm mostly asking if I can do what I'm trying to.
Here's the web-app.
Please help