I am new to AngularJS and have gone through their tutorial and got a feel for it.
I have a backend for my project ready where each of the REST endpoints needs to be authenticated. It will give a 401 response when the user is not authenticated for every request.
And due to this a default browser login pop-up is opening. And I want to open login.html instead of that default browser pop-up.
Is there any way to do this? I saw here and here but did not understand how to use them.
So be kind to explain it.
Thanks
Can you elaborate a little more about your problem? Which kind of browser popup came up? Does this come from the server side, or did you implement the popup at the frontend other than login.html?
I don't understand whether you've already implemented the login solution. If you've not, you should take a look at this amazing James Ward article: Securing Single Page Apps and REST Services. That authentication pattern is implemented at $http.
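One way to route 401 responses to login.html from `$http`, as an added example that is not part of the original thread: the module name `app`, the `next` parameter and the `/login.html` path are assumptions. The browser's own dialog is triggered by a `WWW-Authenticate: Basic` challenge on the 401, so this also assumes the backend does not send that challenge to the app's XHR requests.

```javascript
'use strict';
// Added example. LOGIN_PAGE and the "next" parameter are assumptions;
// login.html is the page named in the question.
var LOGIN_PAGE = '/login.html';

// Keep only a same-origin relative path so "next" cannot become an open redirect.
function returnPath(loc) {
  var path = (loc.pathname || '/') + (loc.search || '') + (loc.hash || '');
  return (path.charAt(0) === '/' && path.charAt(1) !== '/') ? path : '/';
}

// $http interceptor: on 401, send the user to the login page and remember
// where they were. Other errors pass through untouched.
function authInterceptor($q, $window) {
  return {
    responseError: function (rejection) {
      var onLogin = $window.location.pathname === LOGIN_PAGE;
      if (rejection.status === 401 && !onLogin) {
        $window.location.href = LOGIN_PAGE + '?next=' +
          encodeURIComponent(returnPath($window.location));
      }
      return $q.reject(rejection); // callers still see the failure
    }
  };
}

// Register with AngularJS when it is loaded (skipped when run outside a page).
// Assumption: a module named 'app' already exists.
if (typeof angular !== 'undefined') {
  angular.module('app')
    .factory('authInterceptor', ['$q', '$window', authInterceptor])
    .config(['$httpProvider', function ($httpProvider) {
      $httpProvider.interceptors.push('authInterceptor');
    }]);
}
```

The login page should apply the same relative-path check to `next` before redirecting back.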
Good afternoon,
I have a problem that I would like to get your help with if it were possible.
First of all I would like to mention that I am using Angular with TypeScript.
I am trying to make a kind of single sign on of several websites in a single application and I am having some problems when it comes to redirecting to the desired website.
All websites that I am trying to sign in cannot be changed and I can only make changes to the application I am developing.
On the client side, I make a request to the API (NodeJS) that performs the authentication on the intended website and returns an authentication cookie to the client.
So far so good, it's working perfectly. The problem arises when I need to open a new browser tab and pass the authentication cookie I received.
When opening a new tab I am forwarding to the page after login and I need the cookie for that task.
I tried to set the cookie in the browser to a different domain but without success.
Can someone help me, whether it is trying to find a solution or indicating a possible different way to solve the problem?
I would like to mention that the domains of all websites are different from each other and different from the application I am developing.
Thank you in advance to anyone who can help or direct me to the solution and I apologize if I did not understand perfectly what I want. If there are any doubts, tell me and I will try to explain better.
Regards,
André Pinto
From the frontend you cannot set a cookie for another domain, but what you can do is have a PHP page which sets the cookie of another domain, or have a backend redirect. You can use this article for detailed information:
https://subinsb.com/set-same-cookie-on-different-domains/
One more reference link: Setting cookie for different domain from javascript
As mentioned above you won't be able to achieve this with cookies; being able to set cookies for other domains would be a massive security issue.
If you control the other website and have access to the backend, then your backend can handshake to identify the user. Otherwise you could look at using a querystring redirection to authenticate the user.
All the best.
Since posting on the Disqus disqus forum seems to be a waste of time, maybe someone here can help.
I'm trying to use the OAuth2 flow to connect a Disqus user to my app's account system so I can monitor their activity (posts/comments/etc). I'm using Meteor for my app. I'm calling the OAuth2 authorize endpoint from my server code and passing the resulting HTML back to the client for rendering. This all works fine. But I'm seeing 2 problems on the client side. First, the HTML code returned from Disqus seems to be designed in a full page and the username/password fields extend across the entire window. I was expecting a dialog/modal popup like the one that Disqus provides when logging into a forum. I tried wrapping the HTML inside of a Bootstrap 3 modal window which mostly works except the username and password fields extend off the right side of the dialog box.
Ignoring the ugly UI the second problem is that when the user clicks on the submit link Disqus puts up an error page titled 'CSRF verification failed (403) - DISQUS'. I'm guessing this may be because the OAuth2 call was made from the server and the submit is coming from the client. If I copy the OAUTH2 url directly into the browser everything works fine. But I don't want to expose my API key and resulting code on the client side since that seems like a security risk.
All I really want to do is verify that the user is trying to connect their own account to my app (and not some other user). I'm not posting with their account so I don't need an access token (I'm calling user/details which just takes the API-key). So I've thought about creating a forum for my app and using the login endpoint to verify the username/password combo. But that dialog doesn't explain the scopes I'm asking for.
I've also considered building my own dialog box to prompt for the username/password, sending those back to the server and have the server "fake" the submit back to Disqus. But that is not a maintainable solution since Disqus might change the expected fields at any time. And it is ugly as sin.
Anyone have any suggestions? I didn't post any code since I don't believe it is a coding problem (and the code is a bit convoluted). But if anyone thinks it will help you help me, I'll be happy to post it. And, yes, I'm aware that not posting the code violates StackOverflow conventions. But I'm taking a chance that the powers that be will allow this post since Disqus support is non-existent and I don't know where else to reach out.
The basic problem was that I was using 'request' with forwarding enabled so that instead of getting the Disqus URL I was getting the Disqus authentication text. You need to render the authentication URL in a window, not the contents. That fixes the CSRF problem.
The next problem is that the URL returned by getAuthorizationUrl is bad. It is of the form 'nullhttps:...'. No idea where the 'null' is coming from, but stripping it off fixes that problem.
To make things easier for anyone looking to do this, there is a shiny new version of the Disqus NPM that includes OAuth authentication methods at https://www.npmjs.com/package/disqus.
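The fix described in this answer (hand the browser the authorization URL instead of proxying the provider's HTML), as an added example that is not the poster's code. The endpoint, client id, redirect URI and the `state` check are assumptions that follow the standard OAuth2 authorization-code flow; they are placeholders, not values from the Disqus API.

```javascript
'use strict';
const { randomBytes } = require('crypto');

// Placeholders (assumptions): substitute the provider's documented values.
const AUTHORIZE_ENDPOINT = 'https://provider.example/oauth/2.0/authorize/';
const CLIENT_ID = 'PUBLIC_API_KEY_PLACEHOLDER';
const REDIRECT_URI = 'https://app.example/oauth/callback';
const STATE_TTL_MS = 10 * 60 * 1000;

const pending = new Map(); // state -> { userId, expires }

// Server method: return only the URL. The client opens it in a window or
// navigates to it, so the provider's login form and its CSRF cookie are
// served to the user's browser directly, not relayed through this server.
function beginAuthorization(userId, now = Date.now()) {
  const state = randomBytes(16).toString('hex');
  pending.set(state, { userId, expires: now + STATE_TTL_MS });
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('state', state);
  return url.toString();
}

// Callback handler: accept the code only when the state was issued to this
// same logged-in user, has not expired, and has not been used before.
function completeAuthorization(userId, query, now = Date.now()) {
  const entry = pending.get(query.state);
  pending.delete(query.state); // single use, even on failure
  if (!entry || entry.userId !== userId || entry.expires < now || !query.code) {
    return null;
  }
  // The code is exchanged server-side together with the API secret,
  // which never reaches the browser.
  return query.code;
}
```

The public client id and the short-lived code pass through the browser by design in this flow; only the API secret has to stay on the server.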
I'm struggling to log in a user correctly via the WP REST API (http://wp-api.org/) using angular. I have it working so far by using basic auth when requesting the wordpress users via /users - but this doesn't seem like best practice, and it doesn't provide cookies in the response.
Has anyone got any ideas?
Cheers
From looking at the documentation for WP REST API, I'm not seeing that it provides any kind of cookie login feature.
There is, however, a plugin for this:
https://wordpress.org/plugins/json-api-auth/
Passing back a cookie via a secured JSON call is totally normal. Usually it's just passed with the Set-Cookie header, and your browser automatically knows what to do with it.
If you want to get really fancy and drop cookies altogether, check out JWT =) A new stateless way for doing auth. You'll need to do somewhat fancy WP coding, though.
I know this has been asked a bunch of times, but I have only seen serverside solutions.
I'm running an iframe app that is embedded into a page as a tab. I want to be able to test to see if the page is liked or not without prompting the user for anything.
Is there a way to do this with just JavaScript? The platform we are building on is ASPX and I don't really have the option of going serverside.
It's not available because you need to inspect the HTTP POST parameter called signed_request and this isn't available on the client side. If the user has authenticated with your app and given you permissions to read their likes/interests, then you could then check with the JavaScript API, but I'm guessing you wouldn't want to make them approve your app just for this.
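The server-side check this answer refers to, as an added example that is not part of the original thread: `signed_request` is `<signature>.<payload>` in base64url, and the signature is an HMAC-SHA256 keyed with the app secret, which is why it cannot be validated in page JavaScript. The `page.liked` field and the sample token builder are assumptions for illustration.

```javascript
'use strict';
const { createHmac, timingSafeEqual } = require('crypto');

// Verify "<signature>.<payload>" (both base64url) before trusting any field.
function parseSignedRequest(signedRequest, appSecret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) return null;
  const [sigB64, payloadB64] = parts;
  // The HMAC covers the encoded payload string, keyed with the app secret.
  const expected = createHmac('sha256', appSecret).update(payloadB64).digest();
  const given = Buffer.from(sigB64, 'base64'); // Node's decoder also accepts base64url
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }
  let data;
  try {
    data = JSON.parse(Buffer.from(payloadB64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  // Reject payloads that claim a different algorithm.
  return data && data.algorithm === 'HMAC-SHA256' ? data : null;
}

// Assumption: the page-tab payload carries a boolean page.liked field.
function pageIsLiked(signedRequest, appSecret) {
  const data = parseSignedRequest(signedRequest, appSecret);
  return Boolean(data && data.page && data.page.liked === true);
}

// Constructed sample only: builds a token in the same shape for local testing.
function b64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeSample(payload, appSecret) {
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(createHmac('sha256', appSecret).update(body).digest());
  return sig + '.' + body;
}
```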
The purpose of this question is not hacking. I am building an application that renders Facebook itself, so once the user buys my application it means he permitted my application to access his data.
So I need to click on the Facebook "allow application access data" button programmatically.
Is there a way to do so with JavaScript or any language?
Thanks for the help.
Facebook don't want you doing this. If you find a way to do it, you should expect Facebook will find a way to stop you. I suggest re-thinking your approach.