I am developing 2 related websites, a public website and a CMS.
Currently I have an API for registration, which is POST /users.
It takes 3 fields: username, password and permissions.
There are 3 permissions:
- Superadmin (having all access rights)
- Editor
- Member (only having view access rights)
Both of these users can log in to the CMS.
In my public website, viewers can register as Member using the above API.
E.g. the parameters will be:

    { username: 'ken', password: '12345678', permissions: 'member' }

What if some hacker simply opens Postman and sends an API request with the parameters below?

    { username: 'hacker', password: '12345678', permissions: 'superadmin' }

In this situation, the hacker can create an account with "superadmin" permission and can access all of my secret data in the CMS.
What is the most secure way to handle this kind of API?
I have registered a new Azure AD app for login functionality in existing Vue.js and Node.js projects.
And I successfully set up login and logout functionality using the @azure/msal-node npm package.
Now, I want to get the directory details after the user logs in, to store those directory details in my local DB.
I have read many documents but didn't find any working solution. So, please help me and share good documentation links that could be helpful for me.
After a successful login, I get this response from Azure AD: https://i.imgur.com/7fvzNiG.png
Note: I am referring to this document: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal
By following the given documentation link for creating a Node.js web app using @azure-msal, you can get the details of the signed-in user through the token claims shown in the output/results page, where you can view them through the 'View ID token' link. Thus, when the details are shown, you also have an option to export these details to a database of your choice. But for this purpose, you will have to ensure that your Node.js application is integrated with Azure SQL by delegating to the application created in Azure AD the required permissions for that SQL database, allowing access to it, and retrieving the details from it accordingly.
Thus, you can also configure the token details to be exported from the directory into a MySQL DB by configuring the same in your Node.js app, as described in detail in the link below. An excerpt sample from the link is given below for reference:
In the models folder, create the User and Role data models with the following code:
models/user.model.js

    module.exports = (sequelize, Sequelize) => {
      const User = sequelize.define("users", {
        username: {
          type: Sequelize.STRING
        },
        email: {
          type: Sequelize.STRING
        },
        password: {
          type: Sequelize.STRING
        }
      });
      return User;
    };

https://www.bezkoder.com/node-js-jwt-authentication-mysql/
I would also suggest you refer to the SO community thread below for further reference:
MSAL Integration in React + .Net App For all Microsoft Users (Without registering or Inviting the User)
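The step the answer leaves implicit, as an added example (not code from the answer or from msal-node): turning the ID token claims that MSAL hands back after login into the local user record. It keys the record on the directory identifiers `oid` and `tid` rather than on email or display name, refuses claims from a tenant other than the one the app is registered in, and uses a Map in place of the MySQL table. `EXPECTED_TENANT` is a placeholder and the sample claims are constructed.

```javascript
// Tenant the app registration belongs to; placeholder, not a real value.
const EXPECTED_TENANT = '00000000-0000-0000-0000-000000000000';

// Build the local user record from ID token claims. Keyed on oid + tid
// (immutable directory identifiers), not on email or display name, which
// the user or an admin can change. Returns null if the claims are unusable.
function userFromIdTokenClaims(claims, expectedTenant = EXPECTED_TENANT) {
  if (!claims || typeof claims.oid !== 'string' || typeof claims.tid !== 'string') return null;
  if (claims.tid !== expectedTenant) return null; // foreign tenant: do not provision
  return {
    key: `${claims.tid}:${claims.oid}`,
    oid: claims.oid,
    tenantId: claims.tid,
    upn: typeof claims.preferred_username === 'string' ? claims.preferred_username : null,
    displayName: typeof claims.name === 'string' ? claims.name : null,
    email: typeof claims.email === 'string' ? claims.email : null,
  };
}

// Upsert into a Map standing in for the local DB table; keeps a login counter
// so repeated logins update the existing row instead of creating duplicates.
function upsertUser(db, record) {
  const existing = db.get(record.key);
  const merged = { ...existing, ...record, logins: (existing?.logins ?? 0) + 1 };
  db.set(record.key, merged);
  return merged;
}

// Constructed sample claims in the shape msal-node exposes as idTokenClaims.
const SAMPLE_CLAIMS = {
  oid: '22222222-2222-2222-2222-222222222222',
  tid: EXPECTED_TENANT,
  preferred_username: 'ken@contoso.example',
  name: 'Ken',
  email: 'ken@contoso.example',
};
```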
I have an application that uses the Cognito user pool for authentication and authorization. I want the admin to log in to the system without going through email verification, but all end users must go through the passwordless sign-up/sign-in process.
My question is: can I use the same user pool to implement both use cases, or do I need to use separate user pools for admins and end users? I also would like to know whether it's possible to use the same login endpoint for both admins and end users.
Thanks in advance!!!
You should really include a code sample and what you've tried so far, but I had to work with Cognito recently so I think I can give an answer anyways.
If you're creating both users via AdminCreateUser, you would use this payload to create a verified email for the user. Keep in mind, having a verified email is separate from having a confirmed account. You can call this admin endpoint to confirm users: (https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-confirm-sign-up.html).
    UserAttributes: [
      {
        Name: 'email',
        Value: email
      },
      {
        Name: 'email_verified',
        Value: 'true'
      },
    ]
I'm trying to create a Stripe Connect account using my Firebase Functions backend when the user signs up, but I keep getting this error: "Express accounts may only be created via the OAuth flow". I know the error seems self-explanatory, that I need to use the standard OAuth registration method, but in the documentation it states that custom types can be created by the API, and presenting the OAuth flow for every user who just wants to send funds and not receive is just annoying. Am I doing something wrong for the API not to create it? Or is there a workaround to not have to show the OAuth flow for users who just want to send funds?
    exports.createStripeCustomer = functions.auth.user().onCreate(async (user) => {
      const customer = await stripe.customers.create({ email: user.email });
      const account = await stripe.accounts.create({
        type: 'custom',
        business_type: 'individual',
        individual: { email: user.email },
        requested_capabilities: ['card_payments', 'transfers'],
        email: user.email
      });
      return admin.firestore().collection('stripe_customers').doc(user.uid).set({
        account_id: account.id,
        customer_id: customer.id
      });
    });
Express Accounts and Custom Accounts are distinct types of accounts when using Connect. You can create Custom Accounts using the API, but Express Accounts must be created via OAuth.
The main difference is that Express Accounts have access to the Stripe Dashboard and can be updated in some ways by the end user, while Custom Accounts are entirely managed by the platform.
The issue seems to have been caused by me not specifying the country in the stripe.accounts.create function. Once I did, it created the account.
I have a JHipster microservice named blog and a JHipster gateway.
I have created an entity named "Farmer".
I have created the below two users in Keycloak.
Users:
1) Pradeep, for ROLE_ADMIN
2) Rahul, for ROLE_USER
While accessing the entity in the Admin panel in the JHipster gateway, I get an unauthorized error for the admin (Pradeep), whereas for the user (Rahul) I am able to access the entity.
PFB screenshots.
i) Admin Panel Home Page
ii) Admin Entity Page
When the admin tries to click on the Farmer entity, below is the error I get.
iii) User Home Page
iv) User Entity Page
When the user (Rahul) tries to access the Farmer entity, he is able to access it.
Please let me know what could be the issue.
Admin users should also have the ROLE_USER role in order to access entity page. This is because the entity routes are secured by default to the ROLE_USER role.
For example, notice the authorities array in the bank-account.route.ts from the sample app:
    {
      path: '',
      component: BankAccountComponent,
      data: {
        authorities: ['ROLE_USER'],
        pageTitle: 'jhipsterSampleApplicationApp.bankAccount.home.title'
      },
      canActivate: [UserRouteAccessService]
    },
I am trying to access calendar events using the Microsoft Graph API (https://graph.microsoft.com/v1.0/me/calendarView) on Node.js, following this permissions guide, but I receive the error response:

    {
      "code": "ErrorAccessDenied",
      "message": "Access is denied. Check credentials and try again.",
      "innerError": {
        "request-id": "7c2...",
        "date": "2016-07-13T21:19:11"
      }
    }

The call was made using:

    request({url : 'https://graph.microsoft.com/v1.0/me/calendarview', qs : queryParams, 'auth': {'bearer': token}}, function (error, response, body) {
    ...
    });

The request has a valid token, and the call to .../me/ via

    request({url : 'https://graph.microsoft.com/v1.0/me/', 'auth': {'bearer': token}}, function (error, response, body) {
    ...
    });

returns:

    {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "id":"<valid_id>",
    "businessPhones":[],
    "displayName":"<valid_name>",
    "givenName":"<valid_name>",
    "jobTitle":"<valid_title>",
    "mail":"<valid_email>",
    "mobilePhone":"<valid_cell>",
    "officeLocation":null,
    "preferredLanguage":"en-US",
    "surname":"<valid_name>",
    "userPrincipalName":"<valid_email>"}

So I am assuming this is an issue with the permissions set on https://manage.windowsazure.com/, where I created two applications, one for the node server and one for the web client application. I am using passport for authentication and the client id and secret of the web client application.

    var AzureOAuthStrategy = require('passport-azure-oauth').Strategy;
    passport.use(new AzureOAuthStrategy({
        clientId: config.live.clientID,
        clientSecret: config.live.clientSecret,
        tenantId: config.live.tenant,
        resource: 'https://graph.microsoft.com/',
        redirectURL: config.live.callbackURL
      },
      function(accessToken, refreshToken, profile, done) {
        // verify callback body not shown in the original
      }
    ));
Here is what I set for "permissions to other applications" on the node application:
- Windows Azure Active Directory:
  - Delegated Permissions:
    - Read all users' full profiles
    - Sign in and read user profile
- Microsoft Graph:
  - Delegated Permissions:
    - Have full access to user calendars
    - Read user calendars
(see below)
Here is what I set for "permissions to other applications" on the web client application:
- Microsoft Graph:
  - Application Permissions:
    - Read and write calendars in all mailboxes
    - Read calendars in all mailboxes
  - Delegated Permissions:
    - Sign users in
    - Read user contacts
    - Have full access to user calendars
    - Read user calendars
    - Sign in and read user profile
- Office 365 Exchange Online:
  - Application Permissions:
    - Read and write calendars in all mailboxes
    - Read calendars in all mailboxes
  - Delegated Permissions:
    - Read user and shared calendars
    - Read and write user and shared calendars
    - Read all users' basic profiles
    - Read user profiles
    - Read user contacts
    - Read user calendars
- Windows Azure Active Directory:
  - Application Permissions: none
  - Delegated Permissions:
    - Sign in and read user profile
I'm not 100% on what the relationship is between the permissions set within the Azure management portal and access to specific endpoints. I have read the API scope article, but the discussion in that article is a bit too conceptual for my needs.
Ultimately I am trying to access and write events to all reservable resources within a tenant id.
I was able to resolve the issue by deleting then regenerating the application through https://manage.windowsazure.com/ then updating the client id and secret. I was, after the fact, able to remove the native client (node) app from the application list and still make the call work.
And while I did not use the reference https://jwt.io/ provided by Fei Xue, I assume it will be invaluable for debugging azure to API permissions in the future.
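The jwt.io check mentioned above, done in code, as an added example (not from the question or the answer): decode the access token's payload and report the reasons Graph would answer ErrorAccessDenied, namely an `aud` that is not Microsoft Graph, an expired token, or the needed permission absent from `scp` (delegated) and `roles` (application). Graph's well-known application id `00000003-0000-0000-c000-000000000000` is a known value; the two tokens are constructed and unsigned, and no signature is verified here, so this is a diagnostic, not an authorization check.

```javascript
// Microsoft Graph appears in aud either as its URL (v1.0 tokens, with or
// without the trailing slash the question's resource uses) or as its app id.
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com', 'https://graph.microsoft.com/',
  '00000003-0000-0000-c000-000000000000',
]);

function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Decode the payload segment of a compact JWT. No signature check: diagnostics only.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Explain a likely ErrorAccessDenied for a Graph call needing `requiredScope`.
function checkGraphToken(token, requiredScope, now = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token);
  const problems = [];
  if (!GRAPH_AUDIENCES.has(c.aud)) problems.push(`aud is ${c.aud}, not Microsoft Graph`);
  if (typeof c.exp === 'number' && c.exp < now) problems.push('token expired');
  const scp = typeof c.scp === 'string' ? c.scp.split(' ') : [];   // delegated permissions
  const roles = Array.isArray(c.roles) ? c.roles : [];              // application permissions
  if (!scp.includes(requiredScope) && !roles.includes(requiredScope)) {
    problems.push(`${requiredScope} missing from scp and roles`);
  }
  return { ok: problems.length === 0, problems, scp, roles };
}

// Constructed, unsigned sample tokens (alg "none", empty signature segment).
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
const TOKEN_WRONG_AUD = makeUnsignedToken({ aud: 'https://outlook.office.com', scp: 'Calendars.Read', exp: 4102444800 });
const TOKEN_OK = makeUnsignedToken({ aud: 'https://graph.microsoft.com', scp: 'User.Read Calendars.Read', exp: 4102444800 });
```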