User management for Node.js/React - node.js

Our tool is a Node.js server / React client running on a network with no external web access.
We would like to add robust user management including:
User definition (name, password, access level)
Password change
Login/Logout
Is there any open source libraries out there that can supply these capabilities?

Passport js library provides a lot of strategies for authentication and authorization without requiring you to reinvent the wheel. You can use any of the databases to store the user's on the backend like MongoDB, Mysql, etc.
It can also talk to inhouse LDAP or auth server API if you decide to do so. All in all, this sounds like a perfect library for you.
Here is a tutorial https://scotch.io/tutorials/easy-node-authentication-setup-and-local

Related

Couch authentication. New react native project

I'm starting up a new project using Couch DB and a react native front end. I was wondering what is the recommended way of doing user authentication. weather it is setting up users in Couch DB or going through, for example, a node server to process user credentials and get a token for them and whatnot. or if there are any other ideas, I'd greatly appreciate that.
CouchDB authentication system is a bit limited:
You can't revoke sessions
It somehow hard to integrate third party authentication (facebook, google+)
Password recovery/reset is not available by default
Since you're building a client application, you can't implement password recovery on the client side. You'll need a backend service that handle this.
It all depends on your need. You can easily start with CouchDB's auth system and add a auth service on top of CouchDB later.

Restrict usage of Heroku app by Authentication?

I developed my Heroku app that exposes APIs only (no UI) and it works fine.
But how can I restrict the APIs to certain authorized/authenticated users only?
I absolutely need an authentication layer to protect the app APIs and prevent unauthorized accesses. A sort of login(user, psw) call to use before an external system can start invoking my API.
But I don't find any reference in the docs, it only says that these are the main security best practices:
Heroku SSL
Force the use of HTTPS
Trusted IP Range
Any idea?
That's something you'll need to implement at the application layer and not something that Heroku provides. At it's simplest you could implement basic auth in your app so that the user would pass them with their request, a more complex solution would involve user accounts and oauth etc etc.
You could implement all the authentication logic directly in your app.
Alternatively, take a look Auth0, which basically provides you with authentication and identity management as a service. You can easily add Auth0 to your Heroku app as a free add-on via the Heroku Elements marketplace.
They have lots of different use-cases and associated walk-throughs, and they offer a very generous free-tier.
From your requirements, it sounds like you might want to look at Auth0 Machine to Machine applications, using the OAuth2 Client Credentials Grant. With that, your external system(s) would basically need to authenticate with Auth0 using a Client Id and Client Secret (that you could generate in Auth0 and supply to them). Then, they would access your API with a JWT that you could easily validate in your app (Auth0 will provide you with generated code in many different languages for you to do that very easily). Your API will then reject requests without a valid JWT (by sending a "401 Unauthorized" response).
This may all sound a little intimidating at first, but it's really worth going through the relevant Auth0 "quickstart". They really go out of their way to try to make it as easy as possible!

Implement a secured and production ready authentication system in a Node.js server without being tied to a third-party provider

I am used to develop web apps using the Meteor JavaScript framework, which handles authentication. I am now developing for the first time a web app using a Node.js (Express) + GraphQL stack on the backend, with React on the frontend, so I have to handle authentication myself.
I read a lot of things about it, and I like the idea of token based authentication. I am thinking about using JWT, so I don't have to deal with sessions.
I know there are a lot of tutorials, but each one always has a sort of disclaimer like : "this tutorial is not production ready, use it for educational purposes only...". Every time I read something about authentication, it seems to be something so difficult to implement that I shouldn't implement it myself. But I don't want to use services providers like AWS Cognito, Google Cloud Platform because I want to keep my users data in my own system and database. I don't want to be tied to a third party provider.
I know how to generate jwt tokens, refresh tokens, how to verify them, etc... I am able to develop a working auth system, but I am never sure I do it in a secure and production ready way because of all those comments I can read on the Internet.
So, what would you recommend to implement a secured and production ready authentication system in a Node.js server without being tied to a third-party provider. Do you know any complete tutorial or documentation about it?
There are several approaches to implement authentication for an application.
Use a identity server manage by you
Use a fully manage service for authentication.
Use authentication middleware.
Write your own authentication solution.
If you are afraid in vender locking I would suggest to use an authentication middleware like PassportJS which will facilitate the abstraction of authentication strategy with its implementation.
On the otherhand writing your custom authentication can be challenging in terms of security, specially finding snd fixing these vulnerabilities.

Creating login page in angular 5

How to create a login page and check data's in a database using Rest API in angular 5.I am using Node js and Mysql as my database
There are many moving parts to creating an authentication system, and there are simply too many ways to get it wrong: storing plain-text passwords, not salting hashes, not rate-limiting queries, not having a properly configured TLS certificate, et cetera...
As you are not very familiar with these important concepts, it is highly advisable to use a 3rd-party OAuth2 provider in order to provide user authentication.
I repeat: I highly discourage implementing your own login page/fields and authentication methods for limiting database access.
As an example, take a look at this following option of using Google as an OAuth2 provider in your NodeJS application.

I need an authentication / identity server

We need a new authentication server for our large business system (ERP). The previous authentication server was internally developed. Now that we need a new one we will first try to find an already existing authentication server that we can use. Can anyone recommend an authentication server? Remember that this is a business system, so things like Facebook login is not an option. Do microsoft / google or others have any authentication servers that can be installed and run locally?
Seems like you need to store the usernames in your DB, because you do not want to be dependent on 3rd party to store them for you. Furthermore, you do not want to force your users to have accounts in the 3rd party (e.g. Facebook, Google).
So AFAIK, the only option for you is to maintain your own authentication-server...
The good news: you have oauth-2 packages that you can use, and I've written a project that implements all authentication-server flows, such as registration, forgot password, etc.
You can see a demo here.
HTH.

Resources