I have developed one application using the MERN stack. It is working properly in a single tab. I am facing the following issue while using it:
Steps:
1. Login to the System.
2. Open a duplicate Tab after login.
3. Logout from the Original Tab.
4. Go back to the Duplicate Tab and perform any action. Instead of being logged out of the System, the user is able to perform the operations.
Provided that "TOKEN" is deleted from "localstorage" when I logout from the original tab.
I am using REACT, REDUX, NODEJS, MONGODB, EXPRESS
My main question is: how is the user able to hit the API without authenticating?
I think you should try the following steps:
1. Check whether you are always fetching the token from local storage, or whether you are storing it in some variable in React; in the latter case your service might still be able to access the token even after it has been deleted from local storage.
2. Make sure the token is deleted from local storage.
3. Check the network tab of the browser console for the request header and body, to see whether the token is being sent or not.
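The following is an added example, not code from the question or the answer above. It models the scenario with a stand-in for `localStorage` and for the window event target so it runs under Node: a token captured once into a JavaScript variable (the first point in the answer) survives `removeItem()`, reading storage at request time does not, and the browser's `storage` event lets the duplicate tab notice a logout performed in the original tab. The key name `TOKEN` comes from the question; everything else (client names, the placeholder token value) is constructed for the example.

```javascript
// Added example, not the original poster's code. Stand-ins for browser objects are
// constructed so the scenario from the question can be replayed outside a browser.
const TOKEN_KEY = 'TOKEN'; // key named in the question

// Minimal stand-in for window.localStorage.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Minimal stand-in for the window's addEventListener/dispatchEvent.
function makeEventTarget() {
  const listeners = new Map();
  return {
    addEventListener: (type, fn) => {
      if (!listeners.has(type)) listeners.set(type, new Set());
      listeners.get(type).add(fn);
    },
    removeEventListener: (type, fn) => { listeners.get(type)?.delete(fn); },
    dispatchEvent: (ev) => { for (const fn of listeners.get(ev.type) ?? []) fn(ev); },
  };
}

// Anti-pattern: the token is read once when the API client is created (a module-level
// variable or Redux initial state). Removing the key later does not affect this tab.
function makeCachingClient(storage) {
  const token = storage.getItem(TOKEN_KEY);
  return {
    authHeaders: () => (token ? { Authorization: `Bearer ${token}` } : {}),
  };
}

// Fix: consult storage on every request, so a logout from any tab is honoured.
function makeFreshClient(storage) {
  return {
    authHeaders: () => {
      const token = storage.getItem(TOKEN_KEY);
      return token ? { Authorization: `Bearer ${token}` } : {};
    },
  };
}

// Cross-tab sync: browsers fire a `storage` event in every *other* same-origin tab when
// localStorage changes; newValue === null means the key was removed. In the app `target`
// is `window` and onLoggedOut would clear Redux state and redirect to the login page.
function installLogoutSync(target, onLoggedOut) {
  const handler = (ev) => {
    if (ev.key === TOKEN_KEY && ev.newValue === null) onLoggedOut();
  };
  target.addEventListener('storage', handler);
  return () => target.removeEventListener('storage', handler);
}

// Replay the four steps from the question with the stand-ins above.
function runScenario() {
  const storage = makeStorage();
  const duplicateTab = makeEventTarget();
  let duplicateTabLoggedOut = false;
  installLogoutSync(duplicateTab, () => { duplicateTabLoggedOut = true; });

  storage.setItem(TOKEN_KEY, 'constructed.example.token'); // placeholder, not a real JWT
  const caching = makeCachingClient(storage); // duplicate tab built this way
  const fresh = makeFreshClient(storage);     // duplicate tab built this way

  // Logout in the original tab: remove the key; the browser then notifies the other tab.
  storage.removeItem(TOKEN_KEY);
  duplicateTab.dispatchEvent({ type: 'storage', key: TOKEN_KEY, newValue: null });

  return {
    cachingClientStillSendsToken: 'Authorization' in caching.authHeaders(), // true: the bug
    freshClientSendsToken: 'Authorization' in fresh.authHeaders(),          // false: fixed
    duplicateTabLoggedOut,                                                  // true: synced
  };
}

console.log(runScenario());
```

One caveat on the server side: a JWT that the API validates purely by signature remains valid until its `exp` claim, whichever tab deleted its copy. If a logout must take effect immediately, pair the client-side fix with short token lifetimes or a server-side revocation list checked on each request.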
I'm having trouble figuring out how to get Node.js backend tokens into React.js frontend local storage. To login, a user will use their credentials through an external website's API using the OAuth2 flow; this will be the only way to login into the application.
Currently, the user clicks a button which opens a new window at the authorization URL where the user will grant privilege. Once granted, the user is redirected to the backend endpoint which goes through passport.js and gets the required access and refresh tokens sent from the external API. This is then stored in a session on the backend database. What I want, instead, is to not store a session on a database but instead implement JWT and store the user's data in local storage. With the current flow, it's just not possible to do this and I haven't found the right documentation to work it out.
There are many websites that implement it the exact way I want, but tracking down the way they do it has appeared to be a challenge in and of itself.
So instead of using passport.js, which was causing a plethora of issues, I decided to implement the Oauth2 flow myself. Instead of doing ALL the work in the backend, I broke the flow into different parts.
Originally, I sent the user to the backend where they would receive an authorization token there. This turned out to be troublesome; instead, request an authorization code on the front end. For example, send the user to the Auth path and redirect the user back to the front end once privileges have been granted. Wait at the frontend callback for a code; once obtained, send a post request to the backend with that code and any other data in the body.
When obtained at the backend, trade that code for the access token and respond to the post request with the necessary token and any other data that needs to be sent back, e.g. profile name, picture, date of birth. You can then implement the JWT flow and no database is required to store any session or tokens; all can be stored client side securely.
I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account used, and then calling login on the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate, but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoke the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything, the user can click the login button, and if the user has a valid cookie with B2C the user is logged in without providing credentials, which is strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please check out the msal-react samples, which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this, and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
I'm new to Python, but have previous experience writing .Net web apps.
I'm working on a website written in Python using Flask-WTF (html pages with forms and individual routes for GET and POST requests). The app makes calls against a Python Flask API that talks to a MySQL db for user authentication (user table with names and hashed passwords). Everything the user sees is handled by the web app UI, and all the logic is handled by the API.
I followed Miguel's Mega-Tutorial (https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world) to learn the basics of the Python language and how to solve a number of problems along the way.
I need my users to log in once a day (set tokens to expire every 12-24 hours or so), but then have access to the app to perform whatever actions they need. I have a Login form that grabs username/password and submits that to an API endpoint. The API verifies the user data against the db, generates JWTs (access and refresh tokens), and writes them to cookies in the response. I am able to see that the cookies are set in the web app after the initial login and verified the contents using https://jwt.io. The only thing I need from the user login after verification is the username for when a user makes a change to database entries.
The Problem: How do I actually use the info in the cookies to call subsequent @jwt_protected methods in the API? When I add @jwt_required to a post(self) function and try to access it, I'm getting back a 401 with { "msg": "Missing cookie "access_token_cookie"" } that appears to be coming from the jwt_flask_extended library. I used "access_token_cookie" as the name of the cookie for the JWT token. Are the tokens magically handled by FlaskWTF/flask_jwt_extended and I'm just using it wrong? Do I need to take the info out of the cookie and add it as a header on subsequent requests? If I send the info in a header, how does the API know where to look? I have a feeling it's something minor where I'm just not connecting the obvious dots.
I'll create a standalone app to test out just the authentication features between UIs and APIs that can be shared, as opposed to trying to rip out existing code and minimize the existing app and API to the bare minimum, in case anybody else comes across a similar problem. This might also show me what my problem really is.
The final version of the app and api will both be hosted in a Cloudfoundry environment in case that has any bearing on suggestions.
I'm developing a web application which will require users to login before they can use the app. I've looked into using the Azure Active Directory as the resource which I will authenticate against, however I'm having trouble understanding how to set things up.
I've logged into the Azure Portal and have created my Active Directory. I've also added my custom Web App to the Applications area, and provided the App Login URL and APP ID URI. Now I have been given my Client ID and Federation Metadata Document Url, but I have no idea where to go from here.
Could someone provide an example of how I take the username and password which they enter in my login form and submit that to Azure, receiving back a result which would indicate success or failure? Or is that not how it works?
Any help is greatly appreciated. I don't need any other information from the Active Directory other than confirmation that YES, the username and password matches and let them in.
The web application is coded in ColdFusion as per the client's request, and it is hosted on their server.
Thank you!!!
UPDATE
Using the directions found here https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx I have been able to successfully request an authorization code by logging in using an Active Directory account. After I log in, the system redirects me back to my web application, and has a long url code variable, along with a url session_state variable. My question now is, what do I do with this information from my web app?
Using the directions found here https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx I have been able to successfully request an authorization code by logging in using an Active Directory account. After I log in, the system redirects me back to my web application, and has a long url code variable, along with a url session_state variable. My question now is, what do I do with this information from my web app?
If you look at the picture in the link you mentioned, there are 6 steps.
What you have done so far is performed step 1 and 2. Now you would need to perform step 3 and 4 i.e. get an access token using the auth code you have received.
Please see the section titled Use the Authorization Code to Request an Access Token in the same link regarding how to do it.
As part of Step 4, you will get an access token back. It is essentially a JWT token. Not sure how you would do that in Cold Fusion, but you can simply decrypt/parse (for the lack of better words :)) this token to get information about the user.
Given that you only want to find out if the user is authenticated successfully, I believe if you have received the code you're good. You don't have to do anything more.
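An added example (not the answerer's code) of the decoding step the answer describes for the token that comes back in step 4. A JWT's payload is base64url-encoded JSON, so reading the user's name or UPN needs no decryption; the checks applied here (expiry, not-before, audience, issuer) are the structural ones any consumer should make. Decoding is not verification: the signature still has to be validated against the signing keys referenced from the directory's metadata document before the claims are trusted, and that part is outside this example. The sample token, tenant id and client id are constructed, and the v1 issuer format `https://sts.windows.net/<tenant>/` is the one used by the endpoint the question links to.

```javascript
// Added example: decode a JWT access token and run basic claim checks. Constructed
// values are marked; the signature on the sample token is a dummy and is NOT checked.
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Split a compact JWT into its decoded header and payload. Throws on malformed input.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return {
    header: JSON.parse(fromB64url(parts[0])),
    claims: JSON.parse(fromB64url(parts[1])),
  };
}

// Structural checks on the decoded claims. `now` is unix seconds; 60 s of clock skew allowed.
function checkClaims(claims, { clientId, tenantId, now = Math.floor(Date.now() / 1000) }) {
  const skew = 60;
  const problems = [];
  if (typeof claims.exp !== 'number' || claims.exp + skew <= now) problems.push('expired');
  if (typeof claims.nbf === 'number' && claims.nbf - skew > now) problems.push('not yet valid');
  if (claims.aud !== clientId) problems.push('audience is not this application');
  if (claims.iss !== `https://sts.windows.net/${tenantId}/`) problems.push('issuer is not the expected tenant');
  if (claims.tid !== tenantId) problems.push('tid does not match tenant');
  return { ok: problems.length === 0, problems };
}

// Pull the user-facing fields the answer mentions out of a token response.
function describeUser(tokenResponse, expectations) {
  const { claims } = decodeJwt(tokenResponse.access_token);
  const check = checkClaims(claims, expectations);
  return {
    ok: check.ok,
    problems: check.problems,
    user: { name: claims.name, upn: claims.upn, oid: claims.oid },
  };
}

// Constructed sample: what a step-4 JSON response might carry. Dummy signature segment.
const TENANT_ID = 'constructed-tenant-id';
const CLIENT_ID = 'constructed-client-id';
function sampleTokenResponse(now = Math.floor(Date.now() / 1000)) {
  const header = toB64url({ typ: 'JWT', alg: 'RS256', kid: 'constructed-kid' });
  const payload = toB64url({
    aud: CLIENT_ID, iss: `https://sts.windows.net/${TENANT_ID}/`, tid: TENANT_ID,
    iat: now, nbf: now, exp: now + 3600,
    name: 'Example User', upn: 'user@example.test', oid: 'constructed-object-id',
  });
  return { token_type: 'Bearer', expires_in: 3600, access_token: `${header}.${payload}.ZHVtbXktc2lnbmF0dXJl` };
}

console.log(describeUser(sampleTokenResponse(), { clientId: CLIENT_ID, tenantId: TENANT_ID }));
```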
I have managed to create an iOS app that successfully authenticates the user and connects to the Nest structures and device settings. Using the access token, the app connects automatically to the Nest server each time the app is launched.
However, I am unable to find any documentation that explains what procedure to follow if the app needs to provide the functionality to enable log on/off for different user accounts, e.g. monitoring devices at different locations under separate user accounts from the same app.
The only way that I can change the login for a different user at this time is when I delete and re-install the app, which is not practical.
Does anyone have a suggestion as to how to solve this issue?
Your help is much appreciated.
You'll want to just create a routine for getting the access token that can be reused. The login is part of the authentication process in retrieving an access token.
Once you have an access token, there isn't any open session per user account so there isn't a need to logout. Instead, just reuse the same method that got you the first access token and store as many access tokens as necessary.
Each access token is effectively a session id.