I'm running a Rails app on Heroku, and I'm trying to port over all inline Twitter requests (namely oauth authentication) to a Node.js app, because when Twitter is slow, since the Ruby server is blocking, the Twitter requests clog up my app. (My average request takes about 50ms, but my average Twitter Oauth request takes about 1500ms!)
The node.js app and the rails app can access the same database.
What I can't figure out, though, is how to initiate a session with node.js, and then use that session in the rails app. Right now I'm using the default Rails cookie session store.
I'd want it to work something like...
1) user arrives at landing page http://railsapp.com
2) user initiates log-in with http://nodeapp.com/login or http://nodeapplogin.railsapp.com
3) user does the twitter oauth dance with node.js
4) upon successful log in, user is redirected to http://railsapp.com/dashboard WITH an active rails session that can be used throughout the rails app
Any ideas/suggestions?
You're going to want cookie based session key storage, set a global cookie domain to your toplevel 'railsapp.com', share your session store in a way both Node.js and Rails can access it.
I don't know the internals of Node.js session management, but I imagine it should be able to load a db-backed rails session store.
Related
I have a spring-boot application, with front of single page application using java script and react.
When the app is upload I have a login page.
In uploading i redirect the app to the login page by using spring security.
Now I am trying to redirect my app to the login page if my session timeout or if I restarted my spring-boot-application.
Do you have any insights to a simple way to implement this?
We use spring boot with a React SPA. You can implement an API which checks if the current user is logged in based on a session cookie. If the API returns you are not logged in then change the SPA to the login page. Use setInterval/setTimeout to call this API in the background at regular intervals.
I am using react for frontend, nodejs as backend and passport-google-oauth2 for authenticating users with googles oauth api.
When a user logs in, I create a new user or I find an existing user, set a cookie to know that the user is logged in.
The problem is in development I am using webpack development server and a node server. Therefore the cookies arent saved properly. I have tried using proxies in the development server but I haven't got it to work.
What is best practice here? Am I not supposed to use cookies?
Thanks in advance.
As ionic uses angularjs, for login system there isn't any browser to save cookie or session in order to authenticate for each part of application.
One way is protecting by using this in app.js:
$urlRouterProvider.otherwise('/login');
Because any one doesn't access to other links into application. When returned answer from server (mysql database) is true , we can use this:
$state.go('app.main');
Is this a good idea? Or any other ways?
Since ionic essentially calls to a back end api, you can implement any standard api authentication mechanism.
The most common was would be have a toke based authentication, High level workflow can be as follows
1 - ionic app calls a backend server end point and get a token (by passing some kind of an encrypted key)
2 - Back end server generates a token (ideal for a given time period) and sends back to the ionic app.
3 - There after, in every request ionic sends the token. (ideally in the request header)
To save the token temporary , you can use a simple storage solutions like
ng-storage or sqlite
have a read here
For our company app we use a digest access authentication(https://en.wikipedia.org/wiki/Digest_access_authentication) with our ionic app and our node server that is hooked up to a sql database. Once the user is authenticated we send them a jwt (javascript web token). We can then store that webtoken locally (if they check the option for auto login) or they can re-authenticate whenever the app is reopened and we give them another web token. This has so far proven to be a safe and efficient method of user authentication. Here is a tutorial for using json web tokens and angular. http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
I would strongly encourage you to checkout John Papa's ng-demoes, especially one with JWT token, because that is what you want to use nowadays. (Those are not specific to ionic, but rather for angular.js apps in general)
basically you have several things you need to do:
handle all the places where you need to check if user is authenticated or not and emit unauthorized event
handle event and redirect to login state/route
In above example you basically add interceptor (https://github.com/johnpapa/ng-demos/blob/master/ng-jwt/src/client/app/services/authInterceptor.js) which looks if any request to the web services failed due to not authorized and rejects the promise returned by $http request
Also
As ionic uses angularjs, for login system there isn't any browser to save cookie or session in order to authenticate for each part of application.
You indeed can use localStorage/sessionStorage to store token and add that token to all requests. That is why you better off having token based auth for your web services, rather than cookie based. (basic auth can do to, just more cumbersome)
I am building a webapp with Nodejs and installing phpBB on an Apache server that will be on a the same domain (ie: node = myapp.com, forum = forum.myapp.com).
I want the node app to authenticate with phpbb. I am not the most familiar with sessions, can anyone point me in the right direction on how I would use the session that is returned from phpbb to verify authentication for the node app?
So the workflow would be like node/myapp.com -> login form on myapp.com -> authenticate phpbb/forum.myapp.com = both myapp.com and forum.myapp.com are logged into phpbb.
You can log a user in effectively by creating a session record for them in the phpbb_session table and then adding the appropriate cookies under the domain phpBB3 will go looking for them in.
Those two steps is all it takes to actually "log-in" a user to phpBB3. Note: this circumvents all password protection.
If you want to actually authenticate the user/password against the data in the phpBB3 database then you'll have to go look at the authentication module, if I recall correctly they use a uniquely-salted SHA2-based algorithm of their own.
I'm building a chrome extension that facilitates the creation of contacts straight from the browser without needing to go to my devise-powered rails app itself. Contacts#Create requires authentication so I'm wondering how I can do send authenticated requests from the extension.
I've enabled devise TokenAuthenticatable and so my users have an authtoken. I've written a method in my extensions js that posts to my rails app's contacts#create action. For testing, I've simply hard coded my own auth token in, which seems to work. But how can the extension access the auth tokens for users? It doesn't seem right/secure to store this token into a cookie.
I think I'm supposed to use chrome.cookies to access and do something with my app's session info somehow. But I only get a sessionID here.
any help appreciated!
Although not from a chrome extension, I was building something similar that would work from terminal. I ended up bypassing devise and creating by own token authentication that would allow users to access just the one controller#action I needed. That way you can minimize the damage if the token gets stolen.
So anyway, I would allow users to generate (and regenerate) tokens within the rails app interface and make it so that the extension asks for the token on the very first launch. I'd store the token itself in localStorage.
You can also check authentifiation_tokenstored in your app cookie.
You can achieve this using the chrome.cookies.getAll() method detailed here - https://developer.chrome.com/extensions/cookies#method-getAll