I write a signup webpage with nodejs, and in this webpage, I use ajax to call the function signup like this
$.ajax({
method: "POST",
url: "/signup",
data: { tel: tel, password: password}
})
And in app.js, the signup function like this
.post('/signup', async (ctx) => {
//do something
})
And now everyone can call the signup function with the url http://domain/signup without visiting the signup webpage, I think it's a mistake, I only want the local program can call this function, how can I fix this?
Typically it's either API Keys for doling out general access, or IP-based restrictions at either the application or network level.
API Keys are a token that identifies and authenticates an endpoint. You can also use it to track usage and/or ban abuse. For example, see Google Maps' documentation about using their API. Then all API calls have that key:
https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap
This allows the server to parse the key, check against it's key database or whatever, and allow access. You'll need to use HTTPS for this if it's over any public network.
IP or other network restrictions are easier to setup and best when you have a 1:1 relationship with your API. That is, your application alone accesses this API, and you control all the servers, etc.
Related
I have 2 microservices, MicroserviceA is a core service including authentication and authorization
services and other APIs services.
MicroserviceB includes several other APIs (not including authentication and authorization)
MicroserviceA include some API likes this:
localhost:3000/api/login (by JWT)
localhost:3000/api/postA
localhost:3000/api/getA
localhost:3000/api/deleteA
localhost:3000/api/pushA
MicroserviceB include some API like this:
localhost:3001/api/postB
localhost:3001/api/getB
localhost:3001/api/deleteB
localhost:3001/api/pushB
My front-end only calls only 1 based url is: http: // localhost: 3000, so I do like that, to communicate between 2 microservices,
I am using axios to call from core MicroserviceA to MicroserviceB
So in MicroserviceA, I have the following APIs:
localhost:3000/api/login (JWT)
localhost:3000/api/postA
localhost:3000/api/getA
localhost:3000/api/deleteA
localhost:3000/api/pushA
localhost:3000/api/postB (axios call)
localhost:3000/api/getB (axios call)
localhost:3000/api/deleteB (axios call)
localhost:3000/api/pushB (axios call)
But the problem is that when I want to call some APIs from MicroserviceB,
I have to call it from MicroserviceA. Is there any way that frond-end dev
only needs to authenticate once but can call APIs independently from
MicroserviceA and MicroserviceB without having to call twice as my way?
MicroserviceB will also need to implement JWT authentication. It doesn't need to implement the login method, you have MicroserviceA responsible for that, it only needs to validate the token. As long as both MicroserviceA and MicroserviceB share the same secret the token can be validated on both.
Your main protection is your application's secret used to sign the tokens. This is essentially your private key so ideally use some algorithm/password generator to generate it and make sure nobody else have access to it.
Ideally your JWT token would include some way of linking to the user in its payload such as the user id or email etc. With careful planning it's even possible to not need to make a database request to fetch the user - your endpoints should be able to use the JWT payload to identify the user/role/permissions etc.
Say for example microserviceA implements a /login endpoint that returns the token in a JSON response. So to login you'd do something like:
fetch('/login', {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: 'email=' + email + '&password=' + password
})
.then(response => response.json())
.then(result => {
localStorage.setItem('jwt', result.token); // save token somewhere
});
Then to make a request to microserviceB you just need to add the authorization header:
fetch('http://microserviceB.com/do/something', {
headers: {
'Authorization': localStorage.getItem('jwt')
}
})
.then(processResponseFromMicroserviceB);
You can validate the jwt token in microserviceB the same way you did in microserviceA but you don't need to implement the login part.
I've seen that when using ADAL.js, you cannot get group membership claims due to some URL limitation.
https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/239
I am using oauth-bearer authentication from the frontend, that is, the frontend triggers a login via the AD login page.
The client then pass the access token to the backend.
What I want to do:
I want to filter some data in my backend endpoints depending on group membership.
e.g. if you are a member of group "London" in AD, you should only see things related to London in our DB queries.
Super simple using e.g. Okta or Auth0, not so much with Azure AD.
I also want to accomplish the same thing on the frontend, that is, show and hide menu items depending on group membership.
(All access is still checked on backend also)
The documentation is sparse and not very helpful.
"You should use Graph API".
How?, how do I talk to graph api using the token I get from the frontend?
This is the setup I have for my Node+Express endpoints:
app.use(
"/contacts",
passport.authenticate("oauth-bearer", { session: true }),
contacts
);
How, where and when should I call the graph API here?
Our system is super small so I don't mind using session state.
Can I fetch this information when the user logs in?
How should that flow be? client logs in, once logged in, call the backend and request the groups?
When you get the access token from Azure AD after the user logged in, you can find the group membership of the user by doing a GET request to https://graph.microsoft.com/v1.0/me/memberOf with the access token like this:
function getGroupsOfUser(accessToken, callback) {
request
.get('https://graph.microsoft.com/v1.0/me/memberOf')
.set('Authorization', 'Bearer ' + accessToken)
.end((err, res) => {
callback(err, res);
});
}
This sample assumes you are using the NPM package superagent.
And the required permissions to call this API are listed here.
I have an on-premise ASP.NET Web API that's querying on-premise data. The plan is for the client web application to call an Azure Function which will deal with authentication (Azure AD B2C) and validating the request before actually forwarding the request to the on-premise API itself (over a VPN).
The API is generating Hypermedia links that point to the API itself. This works nicely when querying the API directly as each of the links helps in the discovery of the application.
This API is currently in use locally within the organisation, but we now need to expose it so it can be consumed over the web. We don't want to expose the API directly, we'd rather route it through a Function App that can authenticate, validate and perform any other logic we may need.
The question I have is, how would you translate these URLs to an endpoint in the Azure Function? i.e., I would really like the consuming web application to be able to use these Hypermedia links directly, and have the Azure Function route them to the correct API endpoint.
In an ideal world, we'd have the links exposed on the client, which would map to the resource. As the API isn't exposed, how do we route it via the Function App?
It sounds like what you want is for Azure Functions to operate as a reverse proxy.
One trick to achieve this is to have one HttpTrigger that catches all traffic that hits your function application. You can do this by setting the properties route: "{*uri}" and methods: ["get", "post", "put", "patch", "delete"] in the function.json. You can add additional HTTP methods to the methods list as necessary. These should catch all requests in the form "https://{app-name}.azurefunctions.net/api/*".
The code below is a rough outline of how you could achieve the redirect from your function app to the unexposed API. In it's current representation, the relative URI path after /api/ will be redirected to your unexposed api with the exact same body request.
using System.Net;
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
//Validation logic here
string actualUrl = "{hosturl}/";
string proxyUrl = "https://{app-name}.azurewebsites.net/api/";
req.RequestUri = new Uri(req.RequestUri.ToString().Replace(proxyUrl, actualUrl));
req.Headers.Host = req.RequestUri.Host;
using(var client = new HttpClient())
{
return await client.SendAsync(req);
}
}
You can now generate all of your Hypermedia links pointing to your function hostname, and they will be properly redirected.
NOTE: If you expect many instances of the function to spin up (i.e. a high concurrent usage of your function), then it is possible that you will run into SocketException errors as documented here.
I need an event that is being fired whenever something changes on my google sites site.
There is an XML feed with all the latest changes. I am planning on polling this feed with Zapier and when something changes Zapier will make a http request to a url that I provide so I get my event.
This works fine as long as the site is public, but in my case it is not.
So I think about building a proxy for the feed that google provides. The proxy will call the feed with the proper authentication and pass the contents. Zapier will call the proxy with a Zapier friendly authentication mechanism.
I figured that I need to call the google feed with a service account. So how do I do that with node.js?
I have been looking here:
https://developers.google.com/google-apps/sites/docs/1.0/developers_guide_protocol#ActivityFeed
Figured it out!
I have made a proxy with basic authentication that is accessed via https. This proxy will pass through the activity feed of the Google site that I am interested in.
I built the proxy in node.js with the googleapis module. Here is a piece of the code I use:
var jwtClient = new googleapis.auth.JWT(
client_id_email,
__dirname + 'key.pem',
null, ['https://sites.google.com/feeds/'],
'user#domain.org'
);
jwtClient.authorize(function(err, token) {
if (err) return next(err);
return rest({
path: 'https://sites.google.com/feeds/activity/{domainName}/{siteName}',
headers: {
"GData-Version": "1.4",
Authorization: token.token_type + ' ' + token.access_token
},
params: {
domainName: 'domain.org',
siteName: 'site',
},
}).done(function(result) {
res.set(result.headers);
res.send(result.entity);
}, next);
});
The username (user#domain.org) in the example is a user that the service account impersonates. This user must have acces to the site.
I put the service account key in a file name 'key.pem' in this example.
Now you must allow accesd to the service account for the domain you want to access. You do this on the admin site of the domain (admin.google.com).
Go to security
Go to advanced settings
Go to API client access
There you have to add the client_id of the service client
And now... it works :-) !!! \o/
I have an iOS which uses OAuth and OAuth2 providers (Facebook, google, twitter, etc) to validate a user and provide access tokens. Apart from minimal data such as name and email address, the app doesn't uses these services for anything except authentication.
The app then sends the access token to a server to indicate that the user is authenticated.
The server is written in Node.js and before doing anything it needs to validate the supplied access token against the correct OAuth* service.
I've been looking around, but so far all the node.js authentication modules I've found appear to be for logging in and authenticating through web pages supplied by the server.
Does anyone know any node.js modules that can do simple validation of a supplied access token?
To the best of my knowledge (and as far as I can tell from reading the specifications) the OAuth and OAuth 2 specs do not specify a single endpoint for access token validation. That means you will need custom code for each of the providers to validate an access token only.
I looked up what to do for the endpoints you specified:
Facebook
It seems others have used the graph API's 'me' endpoint for Facebook to check if the token is valid. Basically, request:
https://graph.facebook.com/me?access_token={accessToken}
Google
Google have a dedicated debugging endpoint for getting access token information, with nice documentation, too. Basically, request:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}
However, they recommend that you don't do this for production:
The tokeninfo endpoint is useful for debugging but for production
purposes, retrieve Google's public keys from the keys endpoint and
perform the validation locally. You should retrieve the keys URI from
the Discovery document using the jwks_uri metadata value. Requests to
the debugging endpoint may be throttled or otherwise subject to
intermittent errors.
Since Google changes its public keys only infrequently, you can cache
them using the cache directives of the HTTP response and, in the vast
majority of cases, perform local validation much more efficiently than
by using the tokeninfo endpoint. This validation requires retrieving
and parsing certificates, and making the appropriate cryptographic
calls to check the signature. Fortunately, there are well-debugged
libraries available in a wide variety of languages to accomplish this
(see jwt.io).
Twitter
Twitter doesn't seem to have a really obvious way to do this. I would suspect that because the account settings data is pretty static, that might be the best way of verifying (fetching tweets would presumably have a higher latency?), so you can request (with the appropriate OAuth signature etc.):
https://api.twitter.com/1.1/account/settings.json
Note that this API is rate-limited to 15 times per window.
All in all this seems trickier than it would first appear. It might be a better idea to implement some kind of session/auth support on the server. Basically, you could verify the external OAuth token you get once, and then assign the user some session token of your own with which you authenticate with the user ID (email, FB id, whatever) on your own server, rather than continuing to make requests to the OAuth providers for every request you get yourself.
For google in production, install google-auth-library (npm install google-auth-library --save) and use the following:
const { OAuth2Client } = require('google-auth-library');
const client = new OAuth2Client(GOOGLE_CLIENT_ID); // Replace by your client ID
async function verifyGoogleToken(token) {
const ticket = await client.verifyIdToken({
idToken: token,
audience: GOOGLE_CLIENT_ID // Replace by your client ID
});
const payload = ticket.getPayload();
return payload;
}
router.post("/auth/google", (req, res, next) => {
verifyGoogleToken(req.body.idToken).then(user => {
console.log(user); // Token is valid, do whatever you want with the user
})
.catch(console.error); // Token invalid
});
More info on Authenticate google token with a backend server, examples for node.js, java, python and php can be found.
For Facebook, do an https request like:
const https = require('https');
router.post("/auth/facebook", (req, res, next) => {
const options = {
hostname: 'graph.facebook.com',
port: 443,
path: '/me?access_token=' + req.body.authToken,
method: 'GET'
}
const request = https.get(options, response => {
response.on('data', function (user) {
user = JSON.parse(user.toString());
console.log(user);
});
})
request.on('error', (message) => {
console.error(message);
});
request.end();
})
In production for google you can use:
https://www.npmjs.com/package/google-auth-library
const ticket = client.verifyIdToken({
idToken: ctx.request.body.idToken,
audience: process.env.GOOGLE_CLIENTID
})
To get info about token from Google use, be careful vith version api
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={accessToken}