Users CRUD operation on own data and persist logs in database - jhipster

I have two problem:
persist logs in database as default and show logs in admin page.
What is the best solution in jhipster to each user or admin uses data is relevant to that user?

Related

Using a MongoDB Atlas database; how does one set up user accounts, if a user account/password is required to access the DB? (Node, express, mongoose)

Alrighty, so I have a MongoDB Atlas database set up, containing several objects. My current API has several get, post, put and delete end points which are working correctly. However, I am in the process of setting up user accounts and I am a little confused.
My project is built with React on the front end and my server is built with Node, express and mongoose. My goal is that of your typical web application and is as follows:
Go to main web app URL
Home page is a login or "create an account" screen.
Once logged in (or an account is created and you sign into it) you will then have access to get, post, put and potentially delete (if an admin) objects in my DB.
I have built a very basic sign-in, sign-out and "register an account" server which is working however, I am confused as to how to properly go about integrating this with the rest of my API. I currently have the server connecting to my Atlas DB using what is provided in the "connect" menu in the Atlas dashboard (without the < >)
mongodb+srv://<username>:<password>#<cluster-name>.ntwp5.mongodb.net/<collection-name>
Obviously, the username and password (which I can set in my Atlas dashboard) needs to be passed into the "username" and "password" fields in-order to connect to it. I was planning to use the same cluster and have a separate collection for users and my data.
What's confusing me is that in-order to connect to the MongoDB server above and gain access to the two databases, I need to pass in some username/password. However, in order to create an account (ie, creating a new username and password), I would already be utilizing a username and password to connect to the server.
So say I have a group of people in the same company using this application. Would I essentially have a single administrative username/password used by everyone to connect to the server URL? From there, users would be able to access the "users" collection and create an account. Do I then setup my existing API routes (which point to my collection of data) to check that the "signed-in" user exists before returning a successful request and access to that collection?
Or perhaps, the proper way is to use two completely separate databases; one for users and one for my data?
Sorry, I am new to working with Databases and I think the above makes sense to me but I want to verify if that is the correct way to go about handling this. Thanks!

Postgres: Log user actions from api level

we are searching for a way or a mechanism to log user actions on our Postgres database.
We already have PGAudit (https://github.com/pgaudit/pgaudit) in place, that logs all activities on the database but we don't have the information what api user (enduser) are doing the actions.
Our API is an simple NodeJS / ExpressJS setup. Nearly in every route we know what user is doing the action. Is there any way to include a user-id in the query and then implement logging on user-level? For the database connection we using pg-promise.
What is the state of the are way to do such kind of logging?
Thanks for helping!

Node Express Backend. How to manage mongodb connections? Mongodb users or collection of users?

I am developing a frontend with ANGULAR and backend with Node and Express. Is a simple backend for internal use in my company with a small quantity of users: 15-20. The backend connects to Mongodb. The mongo server is started with authentication and I can create users with built-in roles in mongo: read, write, etc.
But all the examples I found in tutorials usually creates a collection of users instead of using the mongodb built-in users.
As far I know, if use built-in mongo users I need to start a new connection for each user because the user and password is part of the Connection String URI
I have some doubts:
Is it a bad idea to use built-in users?
If I use built-in users. How to manage the logout of the user? I don't find examples.
"Users" in this context is usually connections to the database.
Lets say you have a database with data serving several applications. One which only has access to read the data, and another to write and update. You can make sure the read only app, wont write with 2 users of the database. Typically, you'll also have an admin user that has global all access for administrators.
When your coworkers wish to update some data through the second application. The application will authenticate to the database and write on their behalf. Whether or not someone has access to use the application to update data is not something the database should decide.
I hope this helps to understand the context of "user"

Restrict user access to some docs in CouchDB

I am very new to the CouchDB world! I have a database that can be read by all users, and also can edit the docs except for the design docs. Is there a way I can make a specific user edit only the doc that was created by him/her. I am using CouchApp nd the jquery.couch.js plugin
CouchDB doesn't have per-document permissions, only per-database permissions. If you grant write access to a user, he has write access to all the documents in the database.
Assuming you avoid making all users admin and that you use CouchDB's build-in authentication mechanism, I think that's the default behaviour.
For creating regular users, see Creating regular users in CouchDB.
For more details about how the user authentication and authorization actually works, see Security Features Overview, specifically the section below "Authentication database", which outlines the built in rules in CouchDB.
Only admin users can create new users, but there's nothing stopping your from having a program logging in and doing it automatically (using an admin user, this is assuming you are looking for some kind of "Registration" process where you would do for instance email validation through some other software of yours).

CouchDB Authorization Logic?

I did read http://guide.couchdb.org/draft/security.html and
and the previous question
CouchDB Authorization on a Per-Database Basis
and
http://wiki.apache.org/couchdb/Security_Features_Overview
I am currently using Apache CouchDB 1.2.0 and via futon the adding an admin result in
adding a user at _users for example
_id
org.couchdb.user:stackoverflow
_rev
1-b9f223532b662d4ac52d14082d81e6a5
name
stackoverflow
password
null
roles
[ ]
type
user
So the first question is why the admin is added as type user and not admin is puzzling. This users are admin as they can do anything in any database and the role is empty BUT I did protect the _users document with
["admin"]
roles as the only members and only admins can access this (even if their role in the _users document is empty).
This protection does not allow new "normal" users to be created so the futon "signup" command will return Signup error: You are not authorized to access this db.
I think this setup is the only logical one. Why would you want anyone to be able to create a user on your database ??
Even if you specify read access in a db to be only for one admin every admin can access it
(
" admins" : {
"names" : ["guru"],
"roles" : ["boss"]
},
"readers" : {
"names" : ["guru"],
"roles" : ["boss"]
}
}
the above case has no impact on the newly created stackoverflow admin as per above example.
So my assumption is that admins created via futon can do everything and anything regardless. The only confusing logical part is the _users documents where they have no special type (they are users) nor a special role.
So back to the concrete question:
- when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
- if you want to create a normal user WITHOUT allowing them to signup (via futon or direct HTTP Request) you have to protect the _users document. Yet how would you go to create yourself a user to read/write on his own database ?
- As the user (per CouchDB Docs) will have the read/write rights on a DB but not the possibility to create design documents how can he really use it efficiently as views will be needed for anyone developing using the DB?
It should be possible to have a normal, simply multi hosting without jeopardizing security as there is a shared CouchDB offering at http://www.iriscouch.com/ so I just don't understand how logically you would structure a simple service where a user has his own database and can do anything but just on this database. As the admin role is anyway "user" how would you distinguish them from a non admin in the _users table ?
Why is the admin added as a normal user and not an admin?
CouchDB is similar to Windows's Active Directory, or Unix NIS and LDAP: most users have "normal" accounts, however the admin account (e.g. Windows "Administrator", or Unix "root") does not use the normal accounting system, but rather a much simpler system (the local.ini config file).
If the account and authentication system ever has a problem, you can still log in as the admin and fix it.
Do I need to add the "_admin" role to a user?
No, the admin role (the role "_admin") does not come from the user's document, but only from the configuration, in the "admins" section.
How come all admins can read the database?
By creating an admin in the global configuration (either editing the local.ini file, or using Futon's "Configuration" tab, or clicking the "Fix this" link in Admin Party), you created a system admin. System admins have access to all data, always (similar to Windows Administrator and Unix root).
CouchDB supports database admins which are normal users. Those users have admin access only to a database, not to anything else, such as other databases, or the server config. Database admins are set in the "Security" section, by adding a user's name or role to the "Admins" lists.
The concrete question: - when adding an admin via futon why is it not marked as admin inside the _users document and how does CouchDB from that document determine that it is a wide system admin?
When adding an admin via Futon, two things happen
A normal user is created (with no valid password in fact)
The same user name is added to the system configuration "admins" section. GET /_config/admins/the_username to see it. (That's what Futon's configuration tab does.)
In other words, CouchDB does not know it is a wide system admin from the document but rather from the config. If you delete that config entry, the user is "demoted" back to a normal user.
Side note about Iris Couch
It can be a little confusing at first, but the CouchDB user and security system is pretty simple and powerful once you learn it. But each Iris Couch users have entire CouchDB servers. If you sign up, you have an account at Iris Couch, but you have an entire CouchDB server to use. Inside that server, you can create multiple users for your own applications.

Resources