I'm working on an application, building front end using angular and back end using node JS. For authentication, since we have to go with windows authentication, i chose Node-sspi as it is simple to implement and found it effective. Below i'm posting a simple code similar to the code i'm working with.
var http = require('http');
var port = process.env.PORT || 8080;
var express = require('express');
var app = express();
app.use(function (req, res, next) {
var nodeSSPI = require('node-sspi')
var nodeSSPIObj = new nodeSSPI({
retrieveGroups: true
})
nodeSSPIObj.authenticate(req, res, function(err){
res.finished || next()
})
})
app.use(function(req, res, next) {
var out =
'Hello ' +
req.connection.user +
'! Your sid is ' +
req.connection.userSid +
' and you belong to following groups:<br/><ul>'
if (req.connection.userGroups) {
for (var i in req.connection.userGroups) {
out += '<li>' + req.connection.userGroups[i] + '</li><br/>\n'
}
}
out += '</ul>'
res.send(out)
})
app.listen(port, function(){
console.log('server is listening on port '+port);
})
console.log('Your application is listening on port '+port);
When i browse this on local, i'm able to do the authentication part and can see the landing page.
the problem is when i deploy it on azure or on IIS it is keep on asking me for the authentication.
Please let me know how to achieve windows authentication using node-sspi on IIS and Azure.
As far as I know, it's not possible to use windows authentication in Azure web apps. App Service PaaS VM instance(s) can't be domain joined. This is the reason why you always ask you login in.
Azure Active Directory is the best option. Sync from AD to Azure Active Directory is also quite easy to setup.
If you still want to absolutely use Windows auth and host your website on Azure, you can create Windows VM and host your website there. You then need to join the VM to your AD. To do this, both VMs must be in the same network.
Please add the site to Trusted sites:
Related
I have a custom domain added that I added to App Engine. For example, let's say my custom domain is "example.com".
My app is served with Node.js, and I when I deploy my app through App Engine, it gives me this address to access to it:
"example.appspot.com".
How do I prevent this? I want to serve my app only on "example.com".
SOLVED: I'm using this middleware to prevent those hostnames and it works, at least for what I kind of wanted:
var redirect = function(req, res, next) {
if (req.hostname.search('appspot') !== -1) {
res.redirect(301, 'https://www.example.com');
next();
}
next();
};
app.use(redirect);
How do I manage API (HTTPS) certs in DEV vs PROD in express on a node/ angular environment deployed to Windows IIS? I've seen proxy rewrites mentioned on this but I'm not sure how it is managed on express side.
I know in PROD, IIS and rewrites in web.config help manage cert for front end, but most of the tutorials I see for https on express require hard coding a self signed cert and including it in build. In PROD I have an official signed cert on server that I will use on port 8443 and not sure how that changes code, see below:
const express = require('express')
const app = express()
const https = require('https')
const fs = require('fs')
const port = process.env.PORT || 8443;
app.get('/', (req, res) => {
res.send("IT'S WORKING!")
})
const httpsOptions = {
key: fs.readFileSync('./security/cert.key'),
cert: fs.readFileSync('./security/cert.pem')
}
const server = https.createServer(httpsOptions, app)
.listen(port, () => {
console.log('server running at ' + port)
})
On a separate, but related note, how does my API service in Angular change to call the backend API for Dev vs PROD. I'm guessing something like this which IIS would re-route to PROD domain?
private API_URL: string = 'https://localhost:8443/api/';
I've seen proxy rewrites mentioned on this but I'm not sure how it is
managed on express side.
It does not need managed on express side. Express does not need to know about the certs that IIS injects.
In PROD I have an official signed cert on server that I will use on
port 8443 and not sure how that changes code
Express does not need cert in prod, IIS bindings handle that. So in server.js code only include httpsOptions if on dev and inserting self signed cert.
On a separate, but related note, how does my API service in Angular
change to call the backend API for Dev vs PROD. I'm guessing something
like this which IIS would re-route to PROD domain?
Angular CLI should provide you an environments folder with environment.prod.ts and environment.ts files which will swap the variable values they hold based on build type. Simply add a variable in both for different urls for express to call when sending requests. Your prod url will not be localhost and instead should be the actual url the user will access in production.
! I have implemented a WebApp and SQL-DB.
added custom domain and SSL certificates (which bought at CA).
for SSL offloading purpose we configured an azure application gateway.
with all setup.
next, we configured azure traffic manager so that traffic manager decide active web app routing.
our concern is when I adding the CNAME record for traffic manager in GoDaddy it is routing to WebApp, everything is great.
but when I search "xxxx.com" Digwebinterface it shows all connections to WebApp
in this, I took the traffic manager CNAME record and added to another domain then the duplicate domain also accessing all my content of the website and even create a record in SQL also.
in this scenario I losing my website restriction unauthorized domain can map site
any suggestion and insights it would be grateful to
thank you
The simple way is to create a filter in your code for inspecting the host of headers of request to allow or deny the accessing from different domain.
Here is my sample code in Node.js with express.
const express = require('express')
const app = express()
const port = 3000
const allowedHosts = [`localhost:${port}`]
var domainFilter = function(req, res, next) {
if(allowedHosts.includes(req.headers.host)) {
next()
} else {
res.status(403).end()
}
}
app.use(domainFilter)
app.get('/', (req, res) => res.send('Hello World!'))
app.listen(port, () => console.log(`Example app listening on port ${port}!`))
It will allow the request from localhost:3000 and deny the request from 127.0.0.1:3000 or others, as the figures below.
Fig 1. Allow the request from localhost:3000
Fig 2. Deny from 127.0.0.1:3000 or others
Hope it helps.
I've read a tonne of articles on the web and looked at a tonne of questions on stack overflow related to the following, and they all provide basically the same solution which I am unable to implement due to security issues with my company.
I am trying to deploy a NodeJS app to a secure windows server without IIS. I'm not even sure if this is possible - there is very little support about deploying node apps to windows, and what support there is says to use IIS and iisnode together. To add to the complication, my company will not give me the key to the main SSL certificate of the server.
I have access to the server/cert store/certificate, but I can't export its key. Just wondering if there is a way to have server.js point to just the certificate instead of both the certificate AND the key?
I've tried to access the certificate and extract the key via https://www.npmjs.com/package/win-ca but haven't had any luck with this.
I was able to use a self-signed certificate and get everything working, but you need to accept the self-signed certificate in your browser which isn't a viable solution for production.
I've also looked into using nginx, let's encrypt, etc., but windows support for those isn't that great either.
Here is my code which works, but like I said, I need to accept the self-signed cert client side which isn't ideal:
const express = require('express');
const app = express();
const https = require('https');
const http = require('http');
const fs = require('fs');
const options = {
//self-signed cert, I'd rather point this to the main cert for the server
//but I don't have access to the key
key: fs.readFileSync('cert.key'),
cert: fs.readFileSync('cert.pem'),
};
// Create an HTTP service.
http.createServer(app).listen(80);
// Create an HTTPS service identical to the HTTP service.
https.createServer(options, app).listen(443);
app.get('/', function (req, res) {
res.send('Hello World!');
});
In the end I removed all the certificate and security related stuff from my server.js file and just put the website behind a load balancing proxy server.
I'm quite new to Firebase and slightly new to Express and I'm having a difficult time trying to use the authentication process Firebase offers.
I have this route, but everytime I click the button that triggers the route, I get this error This operation is not supported in the environment this application is running on. "location.protocol" must be http, https or chrome-extension and web storage must be enabled.
I'm pretty sure web storage is enabled, but I'm quite unsure how to fix the location.protocol. What am I doing wrong?
Here's the route:
app.get('/auth/facebook', function(req, res) {
const provider = new firebase.auth.FacebookAuthProvider();
firebase.auth().signInWithPopup(provider)
.catch(err => console.log(err));
});
Here's the full Firebase app
Try this piece of code.
var provider = new firebase.auth.FacebookAuthProvider();
Auth.$signInWithPopup(provider).then(function(authData) {
// success
}).catch(function(error) {
// error
});