How to authenticate GSM with token in NodeJS - google-secret-manager

How to authenticate GSM with token in NodeJS? As far as I know there's option to auth using GOOGLE_APPLICATION_CREDENTIALS
import { SecretManagerServiceClient } from '#google-cloud/secret-manager';
const GClient = new SecretManagerServiceClient();
but is there option to authenticate otherwise? Like with some token we can retrieve from gcloud (gcloud auth print-identity-token [....])?
ok I got something, it use gcloud if GOOGLE_APPLICATION_CREDENTIALS isn't set. But I have problem that it use MAIN auth account, instead of impersonificated one (gcloud config set auth/impersonate_service_account [...]. How to set SecretManagerServiceClient to use impersonificated account?

ok, I found a solution for myself, but maybe someone will also go through this logic puzzle.
So the way to get around this problem is to give a user (or group of users) permission to Google secrets manager (for example, read-only). And this way your default gcloud user will work just fine. There may be some security issues, but with strict rules it can work just fine.
I wish I was able to use impersonation, but at least I solved my case.

Related

What is the best way to test secure routes on APIs that requires authentication while using Cognito OAuth with MFA?

I am using AWS Cognito with MFA and I can't use an actual user with a session to test the routes in with supertest testcases.
What is the best practice for testing authenticated routes without getting a valid token?
I tried to login with an actual user, but I can't do that because I have MFA required.
I ended up having an environment variable, to check if we are in a test environment and then create the routs without authentication.
I don't know if there are better ways.
As far as I know, there isn't.
The whole point of MFA is to be secure - if there was a backdoor, they'd be no point.
You could also create a user pool just for testing which doesn't require MFA in your application and alternate between your production user pool with MFA enabled & your testing user pool with MFA disabled.
The easiest way I've seen, however, as you've described, to disable MFA for end to end tests is disabling authentication as a whole based on a local secure configuration setting.
Maybe you could use something like oauth2-mock-server in your tests? Seems to do exactly what you are looking for.

Removing jwt token from local storage once shopify public app is uninstalled

I am new to Shopify platform and have a doubt which I want to clarify.
We are developing a public app on Shopify. Currently we are facing a issue after app uninstall.
Our app contains a login page and we are using jwt based authentication. We are storing jwt token in local storage.
Now the issue is :
When ever our app is uninstalled, we get a uninstall webhook based on which we perform few database operations.
Now once the app is uninstall, We want to remove jwt token from local storage because after uninstallation of the app, if we try to access our public app specific APIs, they are accessed because JWT token in my local storage exists.
I Somehow want to restrict all kinds of these unethical activities and want to overcome all security flaws.
As I am new to shopify, Can anyone tell me what better solution for this problem could be ?
You cannot. How will you possibly control what the user is doing? Make the JWT dependent on some other identifier that changes on every install.
And it's not related to Shopify alone. It's basic principle of JWT.

Can I create a federated user in firebase manually using admin authentication api?

I've a web application built using firebase. In my web app, I've google, firebase, twitter signup/signin functionalities.
Now I want to integrate this with my api.ai agent and have a seamless account linking. Hence users will use their googel Home/ assistant app from mobile devices to connect to my agent. At this stage, I'll have the google account Id, google email, name of user.
If user already present, I can send the tokens required by my agent. But if the user is new, I want to create the account in my firebase database. I couldn't find a possibility to create a federated account in firebase manually (from nodejs application/ cloud function)!
I know there is a possibility to create a email + dummy password account but that is not what I am looking for. Because the user registered with dummy password when trying to login to my web app, would use their google signin feature.
If I create email and dummy password, the flow is not good and I've to force users to change password and link their google accounts again when they come to my web channel!
There is CLI approach, where I can import users from the file. If this is a possibility can someone please help me how I can get this done in a cloud function?
THIS IS NOT A COMPLETE ANSWER TO THE QUESTION
Based on the firebase tools import option I've created a trimed down gist, using which I am able to trigger the import from a cloud function. The only glitch I am facing is the place where I've to pass the Bearer access token for performing the action.
As of now, I've short-circuited the getAccessToken method inside the import/api.js. This is the place where I need help from Firebase team to get the access token straight for the firebase admin or bypass the check when the request is made from within a cloud function!
getAccessToken: function() {
return Promise.resolve({access_token: accessToken});
// return accessToken ? RSVP.resolve({access_token: accessToken}) : require('./auth').getAccessToken(refreshToken, commandScopes);
},
In the above function the commented code is actually getting a running accessToken obtained by the user while performing the firebase import from the CLI tools. As a command line utility, asking user for getting permission works, but when running inside a cloud function, it should be one of following options that I could think off!
a) as the cloud functions are executing within the admin previleges, ignore the permissions!
b) or provide means to get the access token straight from the admin SDK.
The gist is present in here in github. I took most of it as is from the firebase tools project and tweaked a bit to be able to make it work within the cloudFunctions. I tried to bring as minimal code from the firebase-tools as possible.
When I run this, the Errors I am getting at are at line 35 lib/import/api.js:
<<< HTTP RESPONSE BODY
{
"error":{
"errors":[
{
"domain":"global",
"reason":"authError",
"message":"Invalid Credentials",
"locationType":"header",
"location":"Authorization"
}
],
"code":401,
"message":"Invalid Credentials"
}
}

box api authentication from node.js

I'm trying to build a NodeJS subsystem that is automatically syncing content with Box. I have existing "passport-box" authentication that is requiring user logging in from browser, but this is not an option for me. I need pure server-side authentication.
So, I've came across JWT as a possible way to do this, but I don't have a clue how to start, as I'm new to tokens approach. Possibly, Auth0 can be in hand - but, again, I don't know how exactly to use it.
Can someone point out which libraries should I use and where to connect to in order to construct a proper "Authentication: Bearer ..." header.
Currently I'm using passport-box and box-sdk nodejs modules, but seems like I'll need to change something in my approach, to get tokens without user interaction.
Thanks!
This rule would create a Box access_token for you, provided you re-establish a relationship between your Box account and your Auth0 one:
https://github.com/auth0/rules/blob/master/rules/creates-box-access-token.md
In essence:
Box knows about Auth0 and trusts it to request access_tokens
After a user logs in using any supported way in Auth0, it will run the above rule, that will issue a Box token
The Box access_token is included in the user profile.
Your app uses the token to access call Box API.

Stormpath Integration, ExpressJS 'Stormpath 401Authentication with Vaild API Key is required'

Getting a peculiar error trying get stormpath working in my expressJS app. I've set up a stormpath application and got my generated API key. The console.log's show my environment id and the secret key in my terminal so they are getting run in my app. The apiKeyFile: path is working fine to get my key. I just can't seem to figure out why I'm getting a ResourceError: HTTP 401, Stormpath 401 (http://www.stormpath.com/docs/quickstart/connect): Authentication with a valid API Key is required.
I'm fairly new to stormpath and express so any advice at all would be greatly appreciated. Thanks!
// in front of all other middleware in app.js
console.log(process.env['STORMPATH_API_KEY_SECRET'])
console.log(process.env['STORMPATH_API_KEY_ID'])
app.use(stormpath.init(app, {
apiKeyFile: 'working path to my API key fie',
application: 'https://api.stormpath.com/v1/applications/' + process.env['STORMPATH_API_KEY_ID'],
secretKey: process.env['STORMPATH_API_KEY_SECRET']
}));
I'm the author of the library. You have two problems here:
You only need to set your API keys in one way (by environment variables, by api key file, or by manual insertion into the code). You're doing it in two ways right now (apiKeyFile and environment variables).
Your API keys are invalid.
What's happening is that the library is pulling in your api keys from the environment variables first, and those keys are currently invalid.
To test this further, try doing this:
app.use(stormpath.init(app, {
apiKeyFile: '/path/to/apiKey.properties'
}));
And remove any environment variables you've previously set.
If you're still getting the errors, then you still have the wrong API keys (maybe you removed the ones you're using) -- so go visit the Stormpath dashboard and create a new api key pair.
I recently had a similar experience using the Stormpath Express SDK. It turned out that my problem was using a seemingly valid API key that was not associated with an Account object that had access to the Stormpath application in question.
So basically, the API key id/secret I was using didn't belong to an account that lived in the Stormpath Administrators Directory.
Once I swapped out my API key id/secret for a pair attached to an Account that had access to the Stormpath application, it all started working.
I ran into the same/similar scenario. My issue was that my account had not been verified (email verification), so even though I was using the correct variables (STORMPATH_APPLICATION_HREF, STORMPATH_CLIENT_APIKEY_SECRET, STORMPATH_CLIENT_APIKEY_ID), it still didn't work.
So, make sure you have an Application created. The default is 'Stormpath', but you can (and probably should) create a new Application that depicts your app. Once you have your Application created you will need to create an Account that is associated with the previously create Application. When you create your account, make sure you use a valid email, and verify the email that was sent by stormpath (i.e. you should be able to log into stormpath with the newly created account). Once you have the Account created and associated with the Application, you need to generate your Account API key pair, which will give you the Secret and the ID. Then, the only other Environment variable you will need is the application endpoint value, which is the HREF value in the Application Details view.
I hope this helps! Happy coding.

Resources