I have a simple crud task manager backend. How can i separate the data between the users? For example if one user in one device adds a new task the second user can see, delete and update that task. How can i separate the users without making a login? I searched for a bit about sessions but i don't think that's what i want in this case.
I guess you can create a uuid whenever someone comes to the page, and save that uuid in user local storage in order to manage the records.
I am trying to implement expiring to the activation link I send to the user's email when they register a new account.
The link should expire after 24 hours if the user doesn't click on it.
Up until this point I am able to send the link to the user's email upon registration, the link looks like this 'http://localhost:3000/auth/activate/${verificationKey}', everything works smoothly.
But like I said, I want the link to expires after 24 hours and I just don't have any idea of how to do it.
From what I've gathered so far I think one way to do this would be to delete the verificationKey value from my User entity/model after 24 hours, then if the verificationKey value is falsy I need to send another link to the user.
Now my question is, how do I check if a value (in this case user.verification_key) has been generated for over 24 hours?
This is the relevant code to register a new user:
const user = new User();
user.username = username;
user.password = await bcrypt.hash(password, salt);
user.is_verified = false;
user.verification_key = cryptoRandomString({
length: 10,
type: 'url-safe',
});
Some people have suggested to use Redis for this, which I don't know anything about other than it's a in-memory store, and while I'm ok reading more about this tool, I would like to know if there are other ways to do this. I don't know if by installing Redis I would need extra configuration for the server when I host my app, I'd like to avoid that.
Since you already have some database set up, it makes sense to store some verification key and an expiration time for it. You don't need to actually delete that verification key... just need to store when it expires.
Perhaps you have a separate model for RegVerificationKey, with fields key (randomly generated string), expiration (set to a date/time 24 hours after you create it), and userId (the ID of the user this is associated with). Create this key. When you go to activate, just check to see if there is a key associated with the requested user that hasn't expired yet.
Some people have suggested to use Redis for this
No need here, you already have a database you can put data in.
I would like to know if there are other ways to do this
There's an alternative, where you cryptographically sign your URL. Basically, you would store the key and its expiration data in the URL itself, and include some calculated proof that you (the person with the private key) created this URL. When your system receives this URL, it can verify the URL was signed correctly without even having to consult a database. This method can be complicated and probably isn't useful in your case. I'm just mentioning it here as an alternative. Check out JWT for one possible implementation: https://jwt.io/
Recently I was needed to implement this kind of implementation in my web application. So I just followed the below points to achieve it.
1- Create the URL (web link) and append the current date and time along with an encrypted key which you would store in the database as mentioned below.
2- Create a column in the database table (the table where you store any user specific details) to store a randomly generated key which you have encrypted and appended in the URL.
3- When you would receive this URL on server you would check the encrypted date and time in the URL and would decide whether it is still valid depends on your criteria of retaining a link (e.g. 24 hours)
4- Next you would decrypt that key in the URL that you have appended in it at the time of creating it and would match it with what you have stored in the table.
So by implementing above logic you could achieve the desired functionality.
Hope its useful for any one who wants similar type of implementation
I understood that you already found a solution, by storing two fields in the database: one for the key and another one for he expiration timestamp. Everything depends on the use cases and it is definately one way to do it. However I will explain Redis and JWT as a solution in comparison to yours.
Redis is an in-memory datastore (that also allows persistence to disk) as you pointed out and I think the reason why people suggested it is, that you can define an expiration time for a record. Redis will remove that record automatically for you then. Reference: https://redis.io/commands/expire
Redis would take the work off of your shoulders to check if the 24hrs already passed. If you can’t fetch the key anymore, the key probably expired. Another benefit of Redis is, that is super quick compared to your normal database query. But if you only need it for the activation link, which is a one-time-action for the user, the time benefit is negligible. Also you would introduce a new technology just for that use case.
#Brad already suggested using JWT (Json Web Token) instead of implementing your own token solution and I would also suggest that for the following reasons.
A JWT is a self-contained token consisting of three parts: Header, Payload, Signature. The header contains the name of the algorithm that was used to create the token. The paylod contains some standardized fields (e.g. creation date, expiration date, subject the token was issued for like username) and you can also add custom fields. The third part is a signature that ensures that no one changed the payload after it was issued by your token service.
Self-contained means that the token contains everything to validate it, including the expiration timestamp. In your case the expiration time is not part of your token but stored in the database. If you create another microservice that needs to verify your token, that service needs to contact your main service which contains the logic to check the expiration database field.
With JWT the Microservice would only need to know the secret key that was used to sign the token and then you can just import some standard JWT library to verify the token. These libraries validate the signature as well as the expiration timestamp which is an optional field in the payload of the token.
By the way, the payload can be read without knowing the secret key from the signature. So it is even possible to read the payload for example on client side to check the expiration time.
With your solution you have additional database calls, which are potentially slow. For an activation link that is acceptable, but for tokens with recurring use within a short timespan (i.e. API requests that require authentication) additional database calls should be avoided. Also you need to implement token generation and verification yourself, whereas JWT provides standard libraries. This is a benefit when you want to have another Microservice in Java instead of NestJS for example. You can quickly knit them together by using standard libs instead of porting your implemtation or being forced to decide for a centralized token verification service.
One limitation of JWT you have to workaround yourself, is the use case where you want to have a „one time token“. You can only define an expiration date but you can not say that a token can only be used x times. Here you need a centralized service again, which keeps track of how often a token was used (by making use of some datastore) and all other services around need to contact that service.
A good starting point for JWT with NestJS is the official NestJS documentation.
I'm setting up a website using Node.js Express and MongoDB that allow user register and login and it's work nice and no issue with it. But now i want to generate multiple login code (something like a coupon code) with an expiration date so user can only use it once. and if the login code expired, user cannot login anymore. Is there a way to do that?
I was looking authentication strategy on passportjs but i cannot find any of it.
Thank you
For setting this up with mongo with a schema like { createdAt: timestamp, code: string }
Create a unique index on code so that you can't create the same code twice. In client-side code, you'll end up needing to retry creating some codes. (You could instead pre-generate codes & put them into a queue and pull them off, but that sounds a little bit more complicated)
Add a TTL index on createdAt for expiration to automatically remove the documents. If you instead want to "expire" the documents but track that the code used to exist, you'd need to manually check the timestamp.
When a code is used, you'll want to delete it (or mark it as used).
You'll likely want to include some sort of rate-limiting by ip so that people can't brute force codes.
With passport, you'll want to specify a "custom" strategy. With a custom strategy, you can do anything you'd like to set up authentication. Passport-js How to create a custom strategy has a little bit of guidance.
I am sending a transaction ID as a link via email, using this link anyone can search for the details of transaction happened in my system. I would like to enforce expiry time for the link, say for 1 month link should work and post 1 month, link should expire.
I am using nodejs for implementing my software. I would like to send only transaction ID as the parameter for creating the link.
I planned to combine Transaction ID and expiry_timestamp and encode/encrypt and send the encoded/encrypted data as the parameter in the URL. Later when link is clicked and request is received to server, I should be able to retrieve the expiry_timestamp and compare it with current data and decide to proceed or no. Here if Iam sending timestamp in plaintext, user may change the timestamp and request, so I am planning to encode or encrypt it.
Please suggest some cryptographic techniques for implementing this.
Thanks in advance.
You can do this by following way.
Create another column name something like token
Store expiry date and time on another column as you are already doing this.
Pass token as a query string that has been stored in DB rather than the timestamp.
when user click on the link you can check either validate or not using token (query string)
You can use this( https://www.npmjs.com/package/rand-token) package to generate tokens.
I am following a tutorial to create a web app to do user authentication (signup/login): https://scotch.io/tutorials/easy-node-authentication-setup-and-local
I was wondering how I could add validation to the signup part. Let me clarify. I will be selling a product to users. People who buy the product will receive a 128-bit HEX key with the product so that they can register it.
I have a list of, let's say, 1000 of those keys that I generated. How can I ensure that the user registering is inputting a valid key? (a previously generated one) I am pretty sure I would have to put those keys in a database, but what next?
Thanks
Simple. Store the key reference along with the user(since they bought your product I am assuming you have their details previously) in a table or a document or any other. So that you can validate that the key is valid and allowed for that user in a single lookup. It has nothing to do with the tutorial mentioned. HEX key can be anything a coupon for example.
Cheers.