Use jenkins api with basic auth behind htaccess auth - .htaccess

I am having a problem: I can't authenticate to Jenkins when sending API requests, because I can't set the basic auth header, as it is already used to pass the htaccess basic auth.
I am not the maintainer of the project or of the Jenkins instance, so I can't remove the htaccess auth or add my IP to the allowed list. How can I still get authenticated to send requests?

Related

Token to authorize an external app NodeJS

I have a setup of Mongo, Express, ReactJS and NodeJS. My app requires users to log in, and then they can do certain actions. Each user gets a temporary JWT token.
I want to allow an external WordPress website to send me an array using a POST request.
I've figured out how to do this (using CURL) but my app rejects any requests without a JWT token.
Thing is, I don't want users from WordPress to log in so that they have a token. I need a token for the WordPress site. I need some "secret key" so that the WordPress site will be authorized to speak to my app.
So, in my app I created new routes like so:
app.use('/api/external', externalRoutes)
const { getExternalOrder } = require('../controllers/external')
router.post('/', getExternalOrder)
but right now anyone can send a POST to /api/external. So I want to add a "secret key" to make sure it's a verified request.
If the communication between the WordPress site and your application is server-to-server, can you use the client credentials flow, where the WordPress site obtains an access token from your IdP using client credentials, i.e. client ID and client secret...
Other options:
HMAC & shared secret - I've actually done this approach with WordPress talking to protected external routes.
basic auth
client certificates

Secure my ExpressJS server routes, they will be accessed through cURLs

I'm in need of some advice on what's the best method I can use so that the routes on my server are only accessed by certain users.
My server has some simple routes ("/example") and I'm using Express JS to write these routes. The people who will access these routes are few and they will mostly be doing it from the terminal with a curl (curl 123.45.678.901/example), but I want to make it secure so that only a certain group of people can access that route.
What should I do? I'm new to this, so I was looking into maybe adding a custom header to the curl, but I don't know how to check in the route for that custom header, and then I thought that might be too simple, so I'm wondering if there's a better way than giving the users a "password". Grateful for the advice!
You need to require a credential in order to access the protected routes. The credential can be in the form of a token or password in a custom header, in a query parameter or a token in a cookie.
It's best not to put security credentials in query parameters, and obviously you should be using HTTPS to protect the credentials in transit.
If the route is only accessed via CURL, then a custom header containing the credential is probably the most straightforward way to do it.
For express on your server, put all routes that require auth on a specific router and have middleware that verifies the credential before passing control to the routes.

jwt: Why is my token shown in Chrome DevTools?

I have an API in Express.js that will create blog posts and add them to my database. When I make a request from my React app, inside DevTools it will show my JWT. I am worried that when my site goes live people can see my token and make a request from their site to add unwanted posts. Please tell me what is going on and how I can prevent the security error.
When you send a request with a token in the header it will look like this in the header pane in Developer Tools:
I assume that's what you are wondering whether is safe or not.
The connection between the React app and the API is unencrypted when you are using ordinary HTTP. That makes a replay attack possible – an ISP or another server between the front-end and the API can read the token and pretend to be you later on with the read token.
The most important solution to that is to use HTTPS, which is encrypted HTTP. Potential attackers are unable to sniff and steal the tokens when you are using HTTPS. When you are dealing with usernames, passwords, etc., you should always use HTTPS.
HTTPS is free to use and not very hard to set up. See here for more details. There is also an interesting discussion here that you might want to read.
It's possible to see the JWT in the Chrome Dev tools because you are sending it as an Authorization header when creating a new blog post on your API, and you are making this request directly from the React application.
If the JWT is sensitive it should never be available on the front-end; you must have a server acting as a proxy. It should receive the request from the React application and then forward the request with the JWT as the Authorization header to your API.
Doing that you would avoid leaking the JWT, but it would still be possible for someone to make requests to your proxy, which will be forwarded to your API.
If you want only your React application to be able to perform requests to your proxy, you could create a middleware which verifies the IP address of the incoming request (more details here); if it matches your React app's address then you accept the request, otherwise you return a non-authorized error.
If you want only specific people to be able to create blog posts, then you should put authentication on the react application.

How to authenticate with the same credentials in WordPress and Node

I have two websites, one is WordPress and the other is Angular/Node. How do I log in to the WordPress site using the same credentials as the Angular site? We don't want the user to create another account in WordPress. We should manage this from the Angular site. How do I implement this scenario?
You can use JSON Web Tokens. The JWT Authentication plugin will allow you to log in from your JS app.
You make a POST request to /wp-json/jwt-auth/v1/token with the username and password to get the token (if the credentials are correct), and each time you make a request to the WordPress site you add Authorization: Bearer [token] to your request header.
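The exchange described above from the Node side, as an added example that is not from the answer or from the plugin: the client posts the credentials to the token route, keeps the returned token, and sends it as a Bearer header on later calls, rejecting the token as soon as the site answers 401 or 403. A constructed fake of the WordPress site is included so the flow runs offline; its response bodies and the /wp/v2/users/me route used for the follow-up call are assumptions.

```javascript
// Added example (not from the original answer): token exchange with the JWT
// Authentication plugin for the WordPress REST API, driven from Node.
// fetchImpl is injected so the same code runs against the constructed fake below.

// Step 1: POST the credentials once and keep the token server-side.
async function getWordPressToken(fetchImpl, baseUrl, username, password) {
  const res = await fetchImpl(`${baseUrl}/wp-json/jwt-auth/v1/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const data = await res.json();
  if (typeof data.token !== 'string') throw new Error('no token in response');
  return data.token;
}

// Step 2: every later call carries Authorization: Bearer <token>.
async function wpGet(fetchImpl, baseUrl, token, path) {
  const res = await fetchImpl(`${baseUrl}/wp-json${path}`, {
    method: 'GET',
    headers: { Authorization: `Bearer ${token}` },
  });
  if (res.status === 401 || res.status === 403) throw new Error('token rejected; obtain a new one');
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return res.json();
}

// Constructed stand-in for the WordPress site (assumed response shapes):
// issues an opaque token for correct credentials, 403 otherwise, and only
// answers REST calls that present a token it issued.
function makeFakeWordPress({ username, password }) {
  const issued = new Set();
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  return async (url, init = {}) => {
    const u = new URL(url);
    if (u.pathname === '/wp-json/jwt-auth/v1/token' && init.method === 'POST') {
      const creds = JSON.parse(init.body);
      if (creds.username === username && creds.password === password) {
        const token = 'tok.' + Math.random().toString(36).slice(2);
        issued.add(token);
        return reply(200, { token, user_display_name: username });
      }
      return reply(403, { code: 'jwt_auth_failed' });
    }
    const auth = (init.headers && init.headers.Authorization) || '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : null;
    if (!token || !issued.has(token)) return reply(403, { code: 'jwt_auth_invalid_token' });
    if (u.pathname === '/wp-json/wp/v2/users/me') return reply(200, { name: username });
    return reply(404, {});
  };
}
```

The plugin's documentation requires JWT_AUTH_SECRET_KEY to be defined in wp-config.php before the token route works. Keep the WordPress credentials and the token on the Node server rather than in the Angular bundle, so the browser only ever talks to your own backend.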

Node.js communicating with an external API using OAuth2, auth without login/client-side UI

I am trying to create a very small Node server that can do a few calls to another external API that uses OAuth2.
I'm going to store the credentials to log in to the external API on the server, so I can do all the steps to get the access tokens and bearer tokens without any user/client-side login/UI.
The server is just acting as a middleware/bridge to the external API, so that not all of the API is exposed.
The goal is to just have a website that makes a GET call to nodeServer without any authorization; nodeServer then makes a request to the external API with authentication, the data is returned to nodeServer and then to the website. I don't want any user login.
Steps I need to do with the external API to get authenticated:
Get Auth Code https://auth.bullhornstaffing.com/oauth/authorize?client_id={client_id}&action=login&username=XXX&password=XXX
Get Access Token
https://auth.bullhornstaffing.com/oauth/token?grant_type=authorization_code&code={auth_code}&client_id={client_id}&client_secret={client_secret}
Get Bearer Token and RestURL https://rest.bullhornstaffing.com/rest-services/login?version=*&access_token={access_token}
I have tried using Simple-oAuth2 and Passport, but I can't get them to work without needing a client login UI and redirect. Also, the external API doesn't like localhost/127.0.0.1 redirects.
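The three steps listed above carried out from Node without a browser, as an added example that is not from the question and not Bullhorn's own client code: step 1 is fetched with redirect: 'manual' so the authorization code is read out of the Location header instead of being followed to a redirect URI, then the code is exchanged for an access token and the REST login is called. The response field names (code in the Location query string, access_token, BhRestToken, restUrl), the injected fetch implementation and the fake auth/REST hosts are assumptions made for the example.

```javascript
// Added example (not from the question, not Bullhorn's code): the three-step
// login done server-side with no login UI and no redirect listener.
// Field names in the responses are assumptions about the external API.

async function bullhornLogin(fetchImpl, { authBase, restBase, clientId, clientSecret, username, password }) {
  // Step 1: authorization code. The API takes the credentials on the authorize
  // URL itself (as in the question), so this request must stay on HTTPS and
  // out of any log that records full URLs.
  const authorizeUrl = new URL('/oauth/authorize', authBase);
  authorizeUrl.search = new URLSearchParams({
    client_id: clientId, response_type: 'code', action: 'login', username, password,
  }).toString();
  const step1 = await fetchImpl(authorizeUrl.toString(), { redirect: 'manual' });
  const location = step1.headers.get('location');
  if (![301, 302, 303, 307, 308].includes(step1.status) || !location) {
    throw new Error(`authorize did not redirect (HTTP ${step1.status})`);
  }
  const code = new URL(location, authBase).searchParams.get('code');
  if (!code) throw new Error('no code in redirect Location');

  // Step 2: exchange the one-time code for an access token.
  const tokenUrl = new URL('/oauth/token', authBase);
  tokenUrl.search = new URLSearchParams({
    grant_type: 'authorization_code', code, client_id: clientId, client_secret: clientSecret,
  }).toString();
  const step2 = await fetchImpl(tokenUrl.toString(), { method: 'POST' });
  if (!step2.ok) throw new Error(`token exchange failed (HTTP ${step2.status})`);
  const { access_token: accessToken } = await step2.json();
  if (!accessToken) throw new Error('no access_token in token response');

  // Step 3: trade the access token for the REST session token and base URL.
  const loginUrl = new URL('/rest-services/login', restBase);
  loginUrl.search = new URLSearchParams({ version: '*', access_token: accessToken }).toString();
  const step3 = await fetchImpl(loginUrl.toString());
  if (!step3.ok) throw new Error(`rest login failed (HTTP ${step3.status})`);
  const { BhRestToken, restUrl } = await step3.json();
  if (!BhRestToken || !restUrl) throw new Error('rest login response incomplete');
  return { BhRestToken, restUrl };
}

// Constructed fake of the auth and REST hosts so the flow runs offline.
// It enforces what a real server would: codes are single-use, the secret must
// match, and the REST login only accepts tokens it issued.
function makeFakeBullhorn(expected) {
  const codes = new Set(), tokens = new Set();
  const reply = (status, body = {}, headers = {}) => ({
    ok: status >= 200 && status < 300, status,
    headers: { get: (n) => headers[n.toLowerCase()] ?? null },
    json: async () => body,
  });
  return async (url, init = {}) => {
    const u = new URL(url), q = u.searchParams;
    if (u.pathname === '/oauth/authorize') {
      if (q.get('client_id') !== expected.clientId || q.get('username') !== expected.username
          || q.get('password') !== expected.password) return reply(401);
      const code = 'code-' + codes.size;
      codes.add(code);
      return reply(302, {}, { location: `${expected.redirectUri}?code=${code}` });
    }
    if (u.pathname === '/oauth/token' && init.method === 'POST') {
      if (!codes.delete(q.get('code')) || q.get('client_secret') !== expected.clientSecret) {
        return reply(400, { error: 'invalid_grant' });
      }
      const t = 'at-' + tokens.size;
      tokens.add(t);
      return reply(200, { access_token: t, token_type: 'Bearer', expires_in: 600 });
    }
    if (u.pathname === '/rest-services/login') {
      if (!tokens.has(q.get('access_token'))) return reply(401);
      return reply(200, { BhRestToken: 'bhrest-' + q.get('access_token'), restUrl: 'https://rest.example/rest-services/x/' });
    }
    return reply(404);
  };
}
```

Because the Location header is parsed rather than followed, nothing has to listen on localhost or at the registered redirect URI, which is what the libraries in the question insist on. Cache the returned BhRestToken and restUrl on the Node server and re-run the flow only when the REST API rejects the session; the username and password never leave the server.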
