I am currently learning full stack dev, and have made a simple application with React on the front end, and set up a very simple REST api on my express web server that handles certain routes.
For example api/users returns a list of users from my database and returns responses as JSON data. api/blogs can return a list of blogs in JSON with a get request, or post a blog with a post request.
I have learned and been able to implement very basic user tokenization with JWT, and so only logged in users with a valid token can make a post of a blog for example. This is done by adding their token with bearer as a Authentication header in the request, which the server verifies. This makes sense to me, however I am very confused on how the backend works or if I am doing something critically wrong.
If I go to my main page for my application, and type api/blogs it opens up a page displaying JSON data. Anyone can basically view this from my application by going to api/endpoint
I am also assuming anyone from outside can use something like Postman to send a post request to my database assuming they have the token which they got since my token is saved in storage.
This is incredibly weird to me Is this just how these things work? Or am I failing to understand something crucial?
if I wanted to progress forward and learn more about this, where or what do I do?
You have described how users authenticate to your application (with a bearer token), but what steps does your application take before issuing such a token?
Does your application keep a database of users and their passwords?
If yes, can anyone sign up by inventing a user name and password?
Do you verify an email address before admitting a new user?
Or does your application rely on an external OpenID Connect service (for example, login with your Google or Facebook account)?
If yes, can anyone with a Google or Facebook account sign up for your application?
Or must an application admin (that is, you) put the user on an "allow-list"?
To summarize: Unless you take special precautions, anyone from outside can sign up to your application and subsequently use it.
Related
I have a nestJS app that allows a user to interact with my MongoDB, mostly CRUD operations. However, this is hosted on Heroku which means that anyone can send requests and perform operations on my database.
What I would like to achieve is to have only users who have a valid token be able to use the API. The users would have to send their requests with a token v1/search/errors?token=INSERTTOKENHERE
However, all the docs I've read are getting a user to login to a frontend like you would login to Facebook or YouTube. I have a frontend but the users of the API will be applications and not people so I don't want them to have to interact with a frontend. Ideally, I can just generate a token for the application and then only apps with a token can interact.
I have searched far and wide and have not found anything like this but every public API I have used behaves like this. Any links to docs that explain how I can achieve this would be appreciated.
Thanks
Tokens are a way to identify unique and authenticated users. Login attempt is mandatory for creating a token. You need a Guard implemented to verify each user on API request. Login from a front end Application is not mandatory. You can login from postman sending the right body elements.
I'm new to Python, but have previous experience writing .Net web apps.
I'm working on a website written in Python using Flask-WTF (html pages with forms and individual routes for GET and POST requests). The app makes calls against a Python Flask API that talks to a MySQL db for user authentication (user table with names and hashed passwords). Everything the user sees is handled by the web app UI, and all the logic is handled by the API.
I followed Miguel's Mega-Tutorial (https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world) to learn the basics of the Python language and how to solve a number of problems along the way.
I need my users to log in once a day (set tokens to expire every 12-24 hours or so), but then have access to the app to perform whatever actions they need. I have a Login form that grabs username/password and submits that to an API endpoint. The API verifies the user data against the db, generates JWTs (access and refresh tokens), and writes them to cookies in the response. I am able to see that the cookies are set in the web app after the initial login and verified the contents using https://jwt.io. The only thing I need from the user login after verification is the username for when a user makes a change to database entries.
The Problem: How do I actually use the info in the cookies to call subsequent #jwt_protected methods in the API? When I add the #jwt_required to a post(self) function and try to access it I'm getting back a 401 with { "msg": "Missing cookie "access_token_cookie"" } that appears to be coming from the jwt_flask_extended library. I used "access_token_cookie" as the name of the cookie for the JWT token. Are the tokens magically handled by FlaskWTF/flask_jwt_extended and I'm just using it wrong? Do I need take the info out of the cookie and add it as a header on subsequent requests? If I send the info in a header, how does the API know where to look? I have a feeling it's something minor where I'm just not connecting the obvious dots.
I'll create a standalone app to test out just the authentication features between UIs and APIs that can be shared as opposed to trying to rip out existing code minimize the existing app and api to the bare minimums in case anybody else comes across a similar problem. This might also show me what my problem really is.
The final version of the app and api will both be hosted in a Cloudfoundry environment in case that has any bearing on suggestions.
A user can create an account in my App only with his work email.
Example: john#xyzcompany.com
After he creates an account, he can link multiple social media accounts to his profile.
Example: john#gmail.com, john2#gmail.com
I'm using MEAN stack to develop the App.
When a user logs in to my app, I'm creating a JWT token to authorize all his future requests to the server.
When it comes to Social Media accounts Integrations, After successful authentication I'm able to receive the accessTokens from these Social Media to the backend callback URL. I need to link the tokens to the right user. Is there anyway I can pass my JWT token along with the callback URL to identify which user has made the request, because I cannot identify the user based on the email in his Social Media Account?
I was able to solve this using socket.io. But I feel it is unnecessary to use sockets for simple authentication.
Is there any other approach to solve it? I have researched online, few of them suggested using passport. I don't fully understand how passport works, I just feel it is just a middleware to authenticate API requests from users, which I'm doing anyway using a custom function.
Could someone explain whether it is possible to pass JWT in callback URLs using passport strategies?
What is the right approach to handle such authentications in a MEAN stack app? I'm stuck with this issue since the past week, really looking forward for a good solution.
I have encountered this type of situation in one of the large scale applications I have been working for and the approach we used to handle it was to store the jwtToken in redis and then retrieve it back with the help of user cookies. Let me explain it in more detail -
Send a new Cookie for the user when the user opens the login page. The cookie should contain some unique id or code against which we will save the JWT token,. Eg: res.cookie('jwtIdentifier', newid())
Now, when the user logs in, generate the JWT token and save it to your redis against the cookie jwtIdentifier's value. Eg: redisHelper.set(req.cookies.jwtIdentifier, JWTTOKEN)
At last, when the login is successful and the user is redirected back to your app, you can retrieve your JWT token again for the corresponding user using the cookie. Eg: redisHelper.get(req.cookies.jwtIdentifier) This will give you back the JWT token that you can then use across your application for that specific user.
Hope it's clear, let me know if you have any questions with this implementation ;)
You might try using client side facebook authentication as described here
https://theinfogrid.com/tech/developers/angular/facebook-login-angular-rest-api/
in this case in angular app you have facebook token alongside your app token and you can send them to your backend to identify the current user.
on backend part you eill call facebook to get profile data from accessToken and then store user profile id and depending on your business you might need also to store the access token
I have set-up a basic site using nodejs and and jwt access tokens. Everything works fine but I'm having trouble working out the flow when a user first comes to the site. With cookies you already have that data stored in the browser so you can know if a user is logged in upon arrival and can route them accordingly. But with JWT tokens it's different. When someone types in URL and the request hits the server it doesn't have that access token until the page is returned and you retrieve the token.
I have some ideas of what I can do, but I want to make sure I'm doing it properly. What is the proper way to handle this? Is it simply to return the page, retrieve the accesstoken then make another ajax call to the server to verify the token and then route them accordingly? That seems like the logical solution, but maybe I'm wrong.
I am making an app that returns a music playlist based on a user’s age. The user does not need need to log in to their account; they only need to provide their age. I also have no need for a database, so I decided that I want to make the application front-end only.
In order to make requests to Spotify’s API, I need an access token which I get via client credentials, because the user doesn't need to login using that flow. However, the script I used to get the access token must be run from the server-side, which I discovered here: Access-Control-Allow-Origin denied spotify api.
The alternative solution is to use the implicit grant flow, which will allow the script to be run client-side but will require a user to log in. So, both the client-credentials and implicit grant flow don't solve my problem.
How can my web app get an access token so that I don't need to implement a server-side or have the user log in?
Although the idea is different, I want to do something like this person is doing # http://sixdegreesofkanyewest.com/. No one logs in, yet he is able to get an access token and send api requests on their behalf. And I don't really see why that website would require a database either.
If I do end up having to develop a back-end, then I would be able to use client-credential flow. But, how would my back-end send the access token to my front-end without a DB?
Any help is appreciated. Thank you!
Implicit grant is recommended for javascript based application, who can not keep secrets safe. So you may have to strike out this option.
Having a server page, (hope the credentials kept safe in your server), then server app sending the request for token and rendering the page..
I guess that is what the http://sixdegreesofkanyewest.com/ will be doing.
So your option is server pages application. or an intermediate API call to get the access token for you and continue your application logics