I want to rewrite business application using asp.net web api as service layer and use javascript to call the web api and get data, display etc.
I understand all the scenrios work fine, but main bottleneck is security. We have database for the user name and password. We want that user enter user name and password, validate it using web api. Then for each request pass the user name and password to check rights etc. What is the best way to secure this communication if any.
You're best bet is going to be implementing HTTPS with SSL. You would consider using an encryption algorithm, but everything will be expose anyone if you're using JavaScript which would make encrypting and decrypting on the client quiet pointless.
Here's is a good blog post reference you can review on the matter http://goo.gl/QkZOf
Related
I am playing around with the idea of creating a website for cryptocurrencies, where a user can sign up on my website, enter his API details for one of the exchange markets that I will support, which allows him to trade on that exchange, but using my “more user friendly” web interface.
My main goal is to create a more user friendly interface than what most exchange websites offer. I am not hooking directly into any cryptocurrencies or wallets, all I do is use the API of existing exchange markets, relay the information to my website, where I have a more user friendly interface.
Since this is a very sensitive subject in regards to security, I am trying to figure out, what the best way would be to store the API details of the users.
In general I don’t like the idea of storing the API details on my database server, nor on my server in general. The thought of having my website hacked and all the API details being exposed is terrifying. Of course each exchange website that supports APIs has their own security built in, such as API sessions with 2FA, IP restrictions, weekly generations of new API secret keys, daily trading limits via API, and not allowing withdrawals of wallets via API. But damage can still be done if those API details get stolen.
I would prefer if there would be a way where I would not need to store the API details on my server at all, but rather have the user save them locally on his PC. That way he is in charge of keeping the API details secure.
This thought brought me then to the idea of creating a desktop app using electron (https://electron.atom.io/). That way I can still create the website the way I want, but it’s wrapped into electron, so it always run locally. Before I pursue this idea, I would like to keep investigating my previous idea of a regular website, as I prefer to have my website cloud based, SaaS, to prevent piracy.
So I wonder, storing API details of a user, without saving them on the server, what other options would I have?
Cookies? Probably not secure.
What about localStorage? https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
Are there other options or am I too paranoid about this? Is it generally accepted to store sensitive API details on a database server along with the rest of the users details?
I think saving data in to users computers is wrong way, because when you will save user's personal data in to your server, you will be able to control security of your server, when it will be saved on user compputer the security of your server will be depended from users. Today we know many methods how to deceve users and I think, that the programmers must take care of his users. when you will save data in server db you can switch many methods, like email verification or verification by phone you can send message with some verification code, switch ssl service, also you can avoid on sql injection using a modern framework like Laravel or Yii 2, in any case if you will save user data in you server the security of your application will be depended of you.
if you will save user data in local computer, today hackers uses many methods to steal users cookies or methods to get a controll on pc, for example you can read this post
https://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
today hackers using this method, creates an exe file which extension on first look is docx or other some extension for example pdf and so on ...
but in real it is an exe file and it is runnable, user can download it, and run... I think you understood what can do hacker with users computers by this way, today so many viruses which even very professional users cant recognize.
I would like to access a user's Outlook emails with my javascript app.
Google makes this very easy using Oauth and it's restful Gmail API.
I have tried researching similar options for Outlook, but I can't seem to find a good way to authenticate a user with Oauth 2.0, then access their message inbox.
Are there any Microsoft technology experts that can point me to some resources to get started here?
I am restricted to using only client-side code as this is for a phonegap mobile application. I would like to continue using oauth-io but I realize that may not be an option.
I was having a hard time tracking down the process for getting the emails as well. Anyway, first things first, you'd need to register your app for OAuth here. This page describes some more details on the registration and also how to access the needed API.
Although you can do the calls via Javascript, there are some security issues because you'd eventually need to send your client secret. It might be safer to do some parts in the server side.
First step is getting the user to login and retrieving the access token.
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT_ID]&scope=wl.imap wl.offline_access&response_type=code&redirect_uri=[REDIRECT_URI]
On the server side, exchange the access code for an access token:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&code=[ACCES_CODE]&grant_type=authorization_code&redirect_uri=[REDIRECT_URI]
Get user's email and other account info (Python sample codes):
https://apis.live.net/v5.0/me?access_token=[AUTH_TOKEN]
Retrieve emails via IMAP using the email address from emails>preferences in previous reply (see more details here). It would look something like this in Python:
import imaplib
mail = imaplib.IMAP4_SSL('imap-mail.outlook.com')
username = [username]
access_token = [access_token]
auth_string = 'user=%s\1auth=Bearer %s\1\1' % (username, access_token)
mail.authenticate('XOAUTH2', lambda x: auth_string)
mail.list()
You can look at existing IMAP libraries to retrieve the actual emails from there. Here's one for python.
I'm building a payment plugin for a website, where users can buy some website intern currency with real money. the backend i use, which handles the payment process, is this.
It provides (beside others) a JavaScript library to communicate with their API, so you don't have to let your system touch sensitive payment data like credit card numbers etc.
The problem is:
For now the api-key, secret hash and other vulnerable data are hardcoded just into my script which initiates the communication with the server. so in theory every half-descent user could just copy them out of the browser and could do nasty sh*t with it, especially if they have access to the api documentation.
So, this isn't secure and it definitely cannot go live this way.
im working with cakephp and i thought of collecting those sensitive keys with some ajax calls to my controllers/models, after pressing on the submit button.
There's the problem, that this connection isn't secured and can easily be 'man-in-the-middled'.
Are there other, better ways to secure my API Keys in javascript?
Use token based auth, https and csrf tokens and never, ever, but a secret on the client.
Use oauth so users don't even need to send you a password. Use someone else's authentication system.
I'm developing a new web site that will be a single paged app with some dialog/modal windows. I want to use backbone for frontend. This will call backend using ajax/websockets
and render the resulting json using templates.
As a backend I'll use nodejs express app, that will return the json needed for client, it'll be some kind of api. This will not use server side views.
Client will use facebook, twitter, etc. for authentication and maybe custom registration form.
Client static resources, such as css, js, and html files will be handled by nginx (CDN later).
Questions that I have now:
How can I determine that a given user has the right to do some action in api(i.e. delete a building, create new building)? This is authorization question, I thought of giving user a role when they login and based on it determine their rights. Will this work?
Similar to the above question, will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
Is this architecture acceptable or I'm over engineering and complicating it?
Passport is an option for the authentication piece of the puzzle. I'm the developer, so feel free to ask me any questions if you use it.
I thought of giving user a role when they login and based on it determine their rights. Will this work?
Yes this will work. You can check for a certain role on the user after it's been fetched from the server. You can then display different UI elements depending on this role.
Will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
It wont be enough. Anyone could hop into the console and set something like user.admin = true. In your API you'll need to validate a user token from the request, making sure that the related user has the appropriate permissions.
Is this architecture acceptable or I'm over engineering and complicating it?
At the least you should have an API validation layer. That would make a decent enough start, and wouldn't be over-engineering.
For the authentication part of your question i would use everyauth which is an authentication middleware for connect/express. It supports almost every oauth-social-network-thingie.
For role management you could give node-roles a try. I didn't use it myself but it should help you out, because it checks the role on the server side. Of course that is only useful if your API is implemented in node.js. If that's not the case, you have to "proxy" the API calls over your node.js app.
I hope I could help you! :)
I work on a mobile web app in Javascript(Sencha)/HTML5 with WCF Rest services that needs to use authentication to authenticate users from a custom (MySQL) database in order to customize services responses during the user session.
I search about WCF authentication and founded so many ways that i'am really lost to find the best way to answer my constraints...
Can i really authenticate my user from the WCF web service (with his username and password) and then keep a token or a cookie or whatever that can be used in the following request in order to identify my user and make my response according to that user ?
Thanks in advance for your help !
Authentication as you many know can be done in many ways. Username/password, Certificate etc. It really depends upon your requirement.
For e.g.
If you have a mobile application which is dealing with financial information for a user (such as Bank account) then I would use both user credentials as well as X509Certificates.
If you have an application which is public facing then you can get away with using just certificates (Just client certi).
If you have a B2B application (which I would doubt in this case) then you can use Asymantic certificates (Client and server) in which you will create Both Client and Server certifcates (X509) and give to the client and let the client manually install it on their client devices.
For the simplest senario you can start by try using username and password. So your client app will user username/password to authenticate with a WCF Service at server.
Follwing my give you a good starting point
http://msdn.microsoft.com/en-us/library/ms733131.aspx
http://www.codeproject.com/KB/WCF/CustomUserNamePassAuth2.aspx