I'm currently trying to keep the user logged in. E.g. if he goes from "/homepage" to "/foo" the user data should persist.
I thought about using JWT to create a token, that I store inside the req.headers, verify the token every time the user changes pages and then call the api to get the user from the database.
Also thought about using cookies to store the JWT Token inside.
But I'm not sure if that's the correct way and if that way is that secure.
Any help would be much appreciated :D.
Thank you.
Related
I have an app that recommends gifts to the user, after they answer a couple of questions. In the case that the user likes or dislikes a gift, I need to send an update request to the db to update its 'liked' field. Users are not required to sign in in order to like/dislike questions. The app is built using Angular and uses Express at the backend to do the CRUD operations.
My question was, is there any way this operation can be done in a secure way, so that the user can not open the dev tools and get the info which would enable them to send repeated requests or anything like that? Is there anything I can change in the Express code? Or would I need to change the security rules?
Express should have a way to identify duplicate requests. A user id or some kind of token should be sent with the request. But I see that sign-in of the user is not required in this case.
You can generate a temporary token every time some gifts are shown to the user. This token should be generated and saved temporarily on express and you can send it with the gifts data. So now when your frontend sends a request for like/dislike, this token will be in the request.
So now express will do the following steps
Check if the temp token is valid (it can match it with the saved tokens)
If valid then it will update the database (like/dislike)
After a successful update it will remove that temp token.
So now, even if the user sends a duplicate request it will be rejected by express as the temp token will not be valid.
I hope it will solve your problem.
I am doing a small login, but I am trying to do it in the best possible way. I was testing only with a token and saved it in the DB, then decrypted it and compared it with the token; if it was the same and it was not expired then it allowed access, otherwise it denied access. But they told me that the token should not be stored in the DB and they recommended that I use a refreshToken in addition to the token (access token).
As I have read, the advantage of using a refreshToken is not forcing the user to log in again once the access token expires, and in this case the refreshToken should be saved in the DB, as I understand it. Is this the only advantage? In addition, I also read that the refreshToken should also expire; how would that be done in this case? Would you have to add 3 columns to the table of each user (refreshToken, date of issue and expiration)?
Another question I have is that I saw in one place that to know if the access token is valid they only decrypt it, and if it is successfully decrypted that means it is valid, that is, there would be no need to compare it with the token generated by the backend?
Excuse so many questions, but no matter what I have read it has not been clear to me, or I do not know if the guides that I have found are not entirely complete. I am very grateful to anyone who can help me understand this better. Thank you in advance. Greetings!
I'm using Amazon Cognito as the authentication system for my nodejs application, and as a security requirement, I have to allow only one active session per user.
One way that I could think to do that is:
The user tries to log in, so call globalSignOut(params = {}, callback) and invalidate all other active sessions
After invalidating the other sessions, call initiateAuth(params = {}, callback), and return the user's authentication tokens.
My question is, is there another way to do that? Maybe a more "official" one?
I'm using aws-sdk for JS
The above-mentioned solution is not working well.
What I am doing to handle single-device login:
On successful login, get the access token and the other token.
Call globalLogout with the above tokens.
Call login (initiateAuth) again, get new tokens and return them to the server.
I am able to get the token after the 3rd step, but when I try to use it, it says "Access Token has been revoked".
P.S. I am making sure that the above 3 steps happen synchronously but I am still facing the problem.
There is no "official" way to do this. The method you stated in your question is the best way to implement this.
I'm using a Node.JS express backend and an Angular 4 frontend in this app. I use JWT tokens to store an id which I use to find a user. Please note these JWT tokens do not expire.
Scenario:
User logs in.
JWT Token is generated and signed (containing the user ID)
JWT token is saved in localStorage
JWT token is used from then on to find the current user that's logged in
This was working perfectly. Now, something really weird happens. In production, occasionally, the JWT token seems to change value which then throws an error on my application as the user can no longer be found. I've run through all the code, nothing on the app itself should be changing the value at all.
I appear to have isolated this issue as occurring mostly in Google Chrome; however, (I think) I might have seen it occur in Safari at times. I have no idea why this would be happening. When I go to a protected page in Angular, it checks if a JWT token exists or not before proceeding. If it doesn't then it'll go to login. Nowhere is the value of that token changed.
Does anyone know what I may be doing wrong/why this is happening?
Are you using a middleware function in order to implement your JWT logic?
If not, I would recommend using a middleware function, that is written prior to your route logic/handler function. I guess that helps with debugging the problem and is also good practice.
I am trying to setup a user login system with Node.js (Express), Socket.io, and Redux/ReactJS. This is the approach I'm taking:
The user connects through Socket.io as soon as he/she gets to the web app.
Through socketio-auth the user is required to authenticate and passes their username and password to the server.
Then, using socket.io-express-session, like in this example, I set a cookie with the user's username and password, so that every time they come back to the website they can be re-authenticated through socketio-auth. (I realize I could probably save a unique token in the cookie instead, would this be better?)
On the server, upon authentication, I just save their details with their socketId to the Redux store for use with every Socket.io request while the session lasts.
Assuming this is all done over SSL, is this safe? What changes would you suggest? I'm trying to make it as simple as possible yet still very safe.
It seems like point 3, with Local Storage, is the best way to go for now.
See someone else's interrogation: https://github.com/hueniverse/hawk/issues/138#issuecomment-196989520