How can we hide the information like authentication credentials while passing from UI to backend servers? [closed] - node.js

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
We are building a mid-sized project. We have a React UI and an Express backend. For authentication, when the user submits his credentials, there is a POST call to the backend to authenticate the user.
The problem is, we can clearly see the user input in the network calls. This might be a problem. Is there a way to hide this information? How is the industry tackling this situation? Is this fine? I've seen Twitter's authentication flow. It's a bit different. I'm unable to see the data I submitted.

It's completely normal to have a POST request with a content of
{
  username: "myName123",
  password: "myPassword456"
}
You can see this in almost every service, which requires authentication.
When you do this, make sure your communication with the client is encrypted (HTTPS) so that a man in the middle can't read it.

Don't trust the user - clean the input from stuff that should not be there.
Encode / hash the input by adding something to mix up the logic.
Decode / dehash and verify.
When you encode something with a built-in feature, like base64, then add some variable to the string that makes it more random.

Related

JWT Tokens and Firebase Auth Tokens are perfect for security? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 11 months ago.
I've been searching how to make a public http request secure and all the answers are to use a token like JWT.
But from what I understand, the reason for using this token, isn't it to prevent someone from trying to modify someone else's data other than your own?
Then user can still manipulate his own data using his own tokens. Because when you first connect to the app, you will get a token from the server.
That person can modify his or her data at any time. Wouldn't he be able to modify the game points he has at any time? (I actually saw an answer in another answer (which said to make that http call only available once after the game is over))
but if he knows the jwt token and http request url then he still can modify right??
Are JWT tokens used in the worst case to keep someone else's data from being touched?
The JWT token is just used to identify the user making the API request and to check whether the user is authorized to make that request. When you decode a JWT (Firebase Auth's JWT for this example), you can read the user's UID and custom claims, etc.
Passing user ID directly in API requests is not a good idea because they are usually public (e.g. your Stackoverflow ID is 18516895) and easy to guess. So I can just try passing some random numbers/string and might be able to make requests on behalf of someone else. So JWTs are mostly used for Authorization and Information Exchange.
Also checkout: Introduction to JSON Web Tokens
But suddenly I want to raise my stack overflow score. Then just checking the token is not enough for server I guess. right? How do you prevent in this case?
Allowing users to update their score doesn't seem to be a good idea. Instead the score should be done totally on back-end and can be triggered by any action such as user winning the game.
Take Stackoverflow for example: only the person who has asked the question can mark any of the answers as accepted. This is authorization. No one else is allowed to do so. After an answer is accepted, the system updates the answerer's score (reputation), so there is no API request that is made from the client side to increase the score.
The flow could be like:
Questioner accepts an answer
Verify JWT, marked as accepted if owner of question
Increase score (reputation) of answerer
Adding to another case of a single-player game like Tetris, where the user directly needs to update the server for a win and earn points as discussed in the comments, it might be best to send every move to the server and run all game-win logic on the backend instead of checking for a win on the client and letting users hit a /win API over and over again. If the game is completed, then credit points to the user if they won.

what middlewares do I need for a http web server in node.js? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
First of all, I know that there are some great frameworks like express.js for node.js lovers.
But when I decided to use Koa, I realized that I do not know what middlewares I need
for building a simple http web server, and even if I could find some middlewares from great examples using koa, there remains some confusion about which middleware I should put first, second, and...
From the perspective of a newbie, I need some middlewares to
send a static file, (koa-static)
log something, (koa-logger)
cache files, (koa-static-cache)
routes, (koa-route)
and anything else?
and how to order those middlewares?
The concept that running downstream middlewares and yielding upstream middlewares is awesome to me, but I cannot decide orders for my ignorance.
Hope that's not a very stupid question.
Thank you! :)
Off the top of my head, you may need middleware for some of the following:
parsing the request
handling errors
keeping a server-side session
CORS
authentication (oauth etc.)
authorization
performance monitoring
context injection (e.g. attach your database connections and environment variables to your request)
'data injection' (e.g. the model of the currently logged-in user)
As for the ordering, I think a lot of permutations are possible; you should just try to state dependencies between your middleware (e.g. middleware X should be after middleware Y) and account for them in your ordering. For example, if you don't want to log file calls, the logging middleware should be after the static files middleware.
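The "logger after static" ordering from the answer, as an added example (not code from the answer or from Koa itself): a minimal koa-compose style dispatcher runs constructed static, logger and router middleware in two orders, and the log shows which requests each order observes. Paths, bodies and the logger format are constructed.

```javascript
// Added example: downstream/upstream middleware dispatch and why order matters.

// Run middleware in order; each may `await next()` to go downstream and then
// continue (the "upstream" phase) after everything after it has finished.
function compose(middleware) {
  return function run(ctx) {
    let index = -1;
    function dispatch(i) {
      if (i <= index) return Promise.reject(new Error("next() called multiple times"));
      index = i;
      const fn = middleware[i];
      if (!fn) return Promise.resolve();
      return Promise.resolve(fn(ctx, () => dispatch(i + 1)));
    }
    return dispatch(0);
  };
}

// Constructed "static files" middleware: answers /assets/* itself and never
// calls next(), so middleware placed after it does not run for those paths.
const serveStatic = async (ctx, next) => {
  if (ctx.path.startsWith("/assets/")) { ctx.status = 200; ctx.body = "file"; return; }
  await next();
};

// Constructed logger: waits for downstream, then records path and final status.
const makeLogger = (log) => async (ctx, next) => {
  await next();
  log.push(`${ctx.path} -> ${ctx.status}`);
};

// Constructed router: one API route, everything else is 404.
const router = async (ctx) => { ctx.status = ctx.path === "/api" ? 200 : 404; ctx.body = "..."; };

// Two candidate orderings; `order` receives the logger and returns the stack.
const loggerFirst = (logger) => [logger, serveStatic, router];
const loggerAfterStatic = (logger) => [serveStatic, logger, router];

// Drive the stack over a list of request paths and return what the logger saw.
async function simulate(order, paths) {
  const log = [];
  const app = compose(order(makeLogger(log)));
  for (const path of paths) await app({ path, status: 404, body: null });
  return log;
}

module.exports = { compose, simulate, loggerFirst, loggerAfterStatic };
```

With the logger placed after the static middleware, asset requests never reach it, which is exactly the "don't log file calls" effect the answer describes.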

How to implement client side Twitter login for website? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
We are developing a node.js based API and a corresponding client side website. In future the same API will cater to mobile apps' requests. The problem is we want to create client side Login for Facebook, Google+ and Twitter.
Login for Facebook and Google are successful but Twitter does not allow client side login. Any help on how to implement twitter login from the client side is needed.
We cannot use server side Login as it won't work in future when we integrate mobile apps.
We did not use passport.js as it is server based and responds with server side generated templates, which won't work for mobile apps.
Any suggestions workaround or help is welcomed.
Twitter does not allow sign in from client side. I am sorry there can't be workarounds. You should try some alternatives to work from server end. There are successful implementations of sign in for mobile apps.
Maybe you need research specific to your needs.
Twitter does not allow client side login. Any help on how to implement twitter login from client side is needed
It's not allowed; therefore you can't do it.

Sign document without using encryption? [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Is it possible to sign a document without using encryption??
If possible, then how??
Normally we sign a document by encrypting the message with the user's private key and sending it to the other user, and the other user decrypts this message using the sender's public key.
But is this possible without the encryption process, by any other process?
You can make use of hash-based message authentication codes (HMAC), or even just hash codes.
For example, you can just hash the document and verify the hash to ensure no tampering occurred. Problem here is managing that hash value, because let's say you pass that hash with the document. Somebody could edit the document, update the hash, and you would be none the wiser.
A keyed hash solves all those problems, but you must properly manage that secret key.