Authenticate a user in Laravel with Passport access_token credentials - laravel-passport

So, I have a site running on Laravel 5.8 that serves an API for client auth; let's call this 'core'. I have another Laravel site of the same version with no database implementation; let's call this 'app'. It connects to the core via Passport and everything is working great, from registering a client to logging in and out. I have followed Laravel's documentation for this.
While this is working for all '/api' routes, how can I use this authentication for 'web' middleware routes? I need to be able to create a session for 'web' based on the 'api' credentials and be able to authenticate the user from that.
I have read about Laravel's Guard but haven't really dug into it. Is this the right way?

Related

Node JS | Heroku | MongoDB Atlas | How do I make sure only my app can access my backend?

I've built my backend using MongoDB Atlas, Express, and Node JS and deployed it to Heroku. Using Postman, the app is operating properly so far (users are getting added and I'm receiving the JSON web token correctly).
But I'm thinking that this might not be correct, because it seems like anyone with access to my Heroku URL and routes can easily create a new user, receive the JSON web token, and basically operate their entire app using my backend.
My questions are:
Am I missing something huge about how I've built my backend?
How do I go about securing my backend so that only my apps can access the backend?
You can use Passportjs to protect your routes; passport will be your middleman between the person accessing the back-end and your actual back-end.
You can give access to the routes if a valid JWT is passed (JWT strategy); otherwise it will throw 401 (Unauthorized).
There are 400+ strategies available; I would recommend the JWT one because you are already generating JWTs.
Protecting the back-end is an integral part, because most scripts can disable security on the front-end, leaving apps vulnerable to attacks.

Firebase authorization in node js

I have a simple HTML, CSS and JS frontend and a Node.js backend. I'm using Firebase for authentication at the backend. Now how can I protect or authorize some routes?
If anyone tries to access a route (say dashboard) without proper authentication, then he must be redirected to the login page or an error message page.
What's happening is that your server's Firebase instance itself is being authenticated instead of returning the authentication data to the client. What you should be doing is returning the client authentication token on the request. There's a section covering server authentication here:
https://firebase.google.com/docs/auth/admin/#custom_token_creation
Still issue?
https://firebase.google.com/docs/auth/web/google-signin

Login in Angular App using windows Authentication

I have created an Angular 2 application. Now, these are the requirements for Windows authentication.
1) If any user within the organization accesses this application, he should not get the login prompt and should be able to log in directly into the application.
2) If any specific user within the organization tries to access the application, then he should get the specific role (like Admin, Manager) and be able to log in directly.
3) If any user outside the organization tries to access the application, he should get the login prompt.
Edit: The backend will also play a significant role. I have created a REST API using Node.js and Express. So will this passport package help in my case? I have implemented passport.js on my Node.js REST API, but now how do I validate that thing on the Angular side?
Any help will be appreciated and bounty awarded.
For this to work the back-end will be your primary point of call. passport.js (implemented in your Node.js, not your client) will allow you to do a lot of the heavy lifting but will still require some fundamental changes to your web server.
You are looking to implement IWA (Integrated Windows Authentication) here. If you wish your client to know which roles the user has, the way I would suggest would be to create an API on the server side that returns these variables as part of its response (then take them and store them somewhere for your Angular 2 app to use).
For example you could have /authCheck return { role: [], username: "Username" } and, if the user is not authenticated, return a 401. This way, if the passthrough IWA fails, you can handle the 401 response by directing the user to the login page.

User/Pass Authentication API on NodeJS without Express

I am currently developing an API project using ClaudiaJS API Builder to build and deploy it on AWS Lambda with its endpoints exposed on AWS API Gateway. I am planning to have at least a web app and a mobile app for this platform, so I'm focusing mostly everything on APIs, including the authentication methods (signup, signin, logout, verify account, etc.).
Unfortunately, as I am not using Express in this project, I can't find a good way to build these auth methods, since every library I find has some dependency on Express (e.g. PassportJS).
My initial thoughts for the login workflow are:
User submits login form containing user/pass stored in the PostgreSQL DB.
Front app calls auth API.
API method compares credentials against the user DB (using BCrypt).
In case of success, API method generates a JWT containing a few user details in its payload and returns it to the consumer app.
Is there any good approach for achieving this goal without using Passport and/or Express? Are there any other libs for this purpose, or should I just use a regular DB query and generate a JWT in case the evaluation succeeds?
Thanks to everyone in advance.
Best regards,
Enrico Bergamo

Logout service provider(passport-saml) when identity provider(salesforce) logs out SSO

I have created a connected app on the Salesforce end, and I am using passport-saml to provide SSO to several Node.js applications based on Express.js.
SSO is working fine.
However, when I log out from Salesforce, I can still log in to the applications.
I believe that this has something to do with cookies. Is there any way to watch a Salesforce cookie and log out when it is invalidated?
Or is there any way to send a call from Salesforce to one of my routes when a logout is initiated?
You can validate the auth token (Salesforce or whatever) before serving the static files.
However, if you are building a SPA, then you will need to validate the session in the frontend code (which runs in the browser) as well.
Otherwise, your approach will not work when the browser performs caching and when you are saving data to the browser's local storage from your SPA.
The solution is to validate the Salesforce auth token before serving the web application from Node.js. In other words, the Node.js backend application will validate the corresponding Salesforce session using the Salesforce sessionId token received when logging in using the jsforce.connection.login interface. If the session is no longer valid, the passportJs session should be invalidated using the req.logout() method.