I'm using Amazon Cognito as the authentication system for my nodejs application, and as a security requirement, I have to allow only one active session per user.
One way that I could think to do that is:
User try to log in, so call globalSignOut(params = {}, callback) and invalidate all other active sessions
After invalidate the other sessions, call initiateAuth(params = {}, callback), and return user's authentication tokens.
My question is, there is another way to do that? Maybe a more "official" one?
I'm using aws-sdk for JS
The Above mentioned solution is not working well.
what I am doing to handle single device login
On Successful login. Get the access token and other token.
call globalLogout with the above tokens.
Again call Login initiateAuth and get new tokens and return them to server.
I am able to get the token after 3rd step. but when I try to use it says "Access Token has been revoked".
P.S. I am making sure that above 3 steps happen synchronously but still facing the problem.
There is no "official" way to do this. The method you stated in your question is the best way to implement this.
Related
I am designing api for mobile application.
I am not sure should I have one endpoint login which will return tokens & user profile
Or have two endpoints and after login call getProfile endpoint.
I saw that people mostly use second option but I don't see benefit of that approach?
Thinking in terms of the single-responsibility principle (which basically says "API methods should do one thing really well"), I'd suggest separating these into two separate things:
POST /login would set up a session and return the session ID to be used in subsequent requests.
GET /profile would return profile information provided a valid session ID is provided.
There are obvious benefits along the "happy path" for combining these, mainly the fact that after a login operation completes, you automatically provide the user with the data they most obviously would want next (who the user is). Why waste an extra API call to find it out, right?
If that's all your API will ever need to support, then there's no reason to separate these. But there are a couple cases I can think of for why you might want them separate:
What if an existing and already logged-in user wants to fetch the latest profile information? This means you must support GET /profile anyway (or have them POST /login again which is wasteful).
What if profile information is already cached and the POST /login API call is only happening to re-authenticate the user inside the app to complete an action? You'd be wasting bandwidth by sending data that's not needed.
Additionally, testing is usually a bit easier when you have each API method doing the one thing they imply they do (POST /login logs the user in, GET /profile fetches the current logged-in user's profile).
We have two separate websites which essentially share the same UserAuth data store. We want to provide the user with a link from one to the other without requiring them to login again.
At the moment we currently make a call to the target website's API: /auth/credentials which sets up the session and allows us to then redirect the user, bypassing the need go through the login screen. Great.
As far as I can tell /auth/basic should do exactly the same thing. However, the response from the API call is the same but when redirected the user ends up at the login page.
Have I missed something?
Version: 4.5.8
They are not the same, the BasicAuthProvider enables HTTP’s Basic Access Authentication and is a per Request Auth Provider.
I'm currently sending the client an empty html document with a few scripts included that set up my single page application with react-redux. After everything is set up I'm fetching the dynamic data using AJAX and determine if the user is logged in or not. If the user is not logged in, he will see the products available only for users that are not authenticated and conversely.
Even though I am a noob, this seems extremly primitive to me and I don't know how I can do this better.
So what is the best way to handle authentication in react-redux applications?
Thanks a lot for helping.
There's a few options:
Passport which you can install through npm and it has a variety of strategies you can authenticate through such as Auth0 Link here
Firebase - a solution that google has that can be used as a drop-in authentication module. Link here
Meteor framework - I believe this framework has multi user authentication. Link here
First, for authentification you need to have a token or session id on the client side. So, there should be next steps:
After login, you receive token|session_id from backend and put it to the store and also to the localstorage not to lose it after page reload.
While initializing your app, get the token from localstorage and put it to the store every time.
When you do request for products list, add the token to ajax request (usually in headers).
Based on token, back-end application should returns another list of products.
It is a regular logic for such situations and of course it requires work on back-end side as well.
I'm new with Nodejs and I'm doing a restful server with restify. So, I have a scenario that I have many devices (with unique id) updating data through rest. What I want to do is authenticate them and give a auth token. Something like this:
First time: uri/api/auth -> get Token.
Then: uri/api/product/.... -> with token and updating product
I tried to use restify-node-token but I have no success.
JWT is an authentication method very extended and easy to use, there are many of libraries that implement it. It has several advantages, like the token has user information encrypted in it, so you don't need to access to the DB with each request to authenticate the user.
You can take a look to the code example here https://solidgeargroup.com/refresh-token-autenticacion-jwt-implementacion-nodejs?lang=es
It also implements a refresh token to generate new tokens when they expire.
http://passportjs.org/
This is a library for express.js, but I've very powerful. I'd suggest you'd give it a look. Setting up what you have already with express.js would take very little work.
I work on a Symfony web application which has a standard login form. To allow users to login more easily we want to give them a link which logs them in directly. I've already build a way to get a token to use, but I have no clue as to how the Symfony login process works, specifically how I can adapt it to take a GET/POST token instead of redirecting to the login page.
Any help appreciated!
Oh and this is Symfony 1.2 BTW (and no, upgrading is not an option right now)
Not sure if there are any differences with regard to this in 1.2 compared to 1.4, but in 1.4 I'd suggest taking a look at the sfGuardPlugin's signin() method (or that of sfDoctrineGuardPlugin) to figure out a suitable solution.
$this->getUser()->signIn(... params ...);
That single call will take care of authentication so I think all you really need to do is to resolve your link-specific stuff beforehand (e.g. validate and fetch sfguarduser username & password from db) and then call that method with the user-specific params. Looking at the method will show you exactly what you're passing into it and how it's being used. It's the same one as is being used in the post action of the login form.
Hope that points you in the right direction.
Thanks Tom, what I ended up doing was building a second login module/action (I already had a executeLogin action which basically sets the $this->getUser() and $this->getUser()->setAuthenticated(true) when the username/password is correct) with a token instead of username/password.
Some things to take into account on security: either clear up your token when used in a successful login attempt or set something of an expiration timestamp when creating the token. This way a bot can't 'guess' a token.