I have simple html,css and js frontend and node.js backend.Im using firebase for authentication at backend.Now how can I protect or authorize some routes.
If any one tries to access a route(say dashboard) without proper authentication then he must redirect to login page or any error message page.
What's happening in your server's firebase instance itself it's being authenticated instead of returning the authentication data to the client. What you should be doing is returning the client authentication token on the request. There's a section covering server authentication here
https://firebase.google.com/docs/auth/admin/#custom_token_creation
Still issue?
https://firebase.google.com/docs/auth/web/google-signin
Related
When a user logs in, I store the login variable in redux but when we hit the api request then firstly react.js checks the authentication using redux if loggedin then the node.js checks the authentication and returns the api.
Isn't it unnecessary using authentication on both sides? Why can't I just use authentication on server side only?
Your thoughts please on what should I follow.
I think you need not to authenticate both side. You have to just send token in headers (authentication) of every API and create middleware for authenticate user for API in nodejs.
there are multiple ways to implement authentication in you're front end projects though the most common way to do this is by using JWT (json web tokens) however for using this type of authentication you need to implement OAuth, OpenID connect or similar authentication service on you're backend .
ps: I recommend storing you're login credentials in cookies
I have an Angular 10 Universal project that uses JWT retrieved from localhost in order to authenticate requests for private routes.
I currently use this project for the authentication process:
https://www.npmjs.com/package/#auth0/angular-jwt
The problem I believe I am facing with Angular Universal is that when rendering pages that require authentication my requests are unable to retrieve the JWT token from localStorage. Note, this is what I think the issue is because I get a 401 unauthorized on these requests and have done some reading.
Is there any way to authenticate these requests using the JWT token that is returned when a user logs in to the website?
Backend is .Net Core 2.1
Can you save JWT to cookies after receiving it? In that case JWT will be sent along with the request, so it can be processed on server side.
Also, i think it would be nice to set this cookie with secure flag, so it can't be accessed from js in case of xss vulnerability (so it cannot be sent to 3rd party service)
In my frontend, the user logs in using Firebase Authentication Browser. That part works perfectly fine. In addition to Firebase backend, I also have NodeJS backend that serves additional content. However, I need to serve the content to only Authenticated user.
My question is: Is there a way for my NodeJS backend to know that a user has been authenticated when they make a request?
An authenticated client is issued an ID token that uniquely identifies the user. The client can get this this token using the provided API. Then, it can pass that token to external APIs, which is verify the token using the Admin SDK.
My client application is a SPA built with REACT-REDUX and back-end API is nodejs with express framework.
Problem is in my client application people can access information without login
so how to authenticate my client application without actually login to my server API.
I tried to use Auth0 but for Single page web application authentication is done only through login, there is an option for machine to machine but that is not suitable to my case because my client app is static web app no server to save client id.
i have studied few articles to get over from this most of them suggest implicit grant is suitable for my case if its true how to implement implicit grant in my client and server.
I have achieved this using JWT
Provide the client a JWT token on successful login which he will have to use in header every time he needs to use API.
then every other request use a middle-ware to verify this token, if valid let him continue or else send auth failed in response
I have created a connected App in salesforce end, and using passport saml to provide SSO to several nodeJs applications based on expressJs.
SSO is working fine.
However when I logout from salesforce, I can still login to the applications.
I believe that this has something to do with cookies. Is there any way to watch a salesforce cookie and logout when it is invalidated?
Or is there any way to send a call from salesforce to one of my routes when a logout is initiated?
You can validate the auth token(salesforce or whatever) before serving the static files.
However, if you are building a SPA, then you will need to validate the session in the frontend code(which runs on the browser) as well.
Otherwise, your approach will not work when the browser performs caching and when you are saving data to the browser's local storage from your SPA.
The solution is to validate the salesforce auth token before serving the web application from NodeJs. In other words, the NodeJs backend application will validate the corresponding salesforce session using the salesforce sessionId token received when logging in using the jsforce.connection.login interface. If the session is no longer valid, the passportJs session should be invalidated using req.logout() method