I've been working on using the MERN Stack to build my web apps, and the only way that I have found to connect to Mongo is using an API. I want to make sure my users' information stays private. So how would I go about doing that? Is it possible? If not, how should I connect React to my database?
Thanks for reading, and I'm sorry for any unclear information. I'm new to this and don't know how to convey my problem.
It doesn't matter if you are using the MEAN or the MERN stack. Authenticating APIs is pretty standard and for the most part, has been answered here on stackoverflow:
Please go to this link:
REST API Authentication.
What you are looking to do is using the OAuth authentication standard. There are organizations that provide these services. Auth0 and okta are examples.
Related
--First time poster, mods please let me know if the question is inappropriate/incorrect--
Situation:
I'm working on an app with friends. We have a dedicated frontend layer and a dedicated nodejs server running MongoDB. I am trying to integrate firebase into our server layer so we can login users and handle minting/verifying/refreshing tokens using Firebase Auth.
Problem:
I'm completely lost as to how to use Firebase Auth for this purpose. I've looked through the docs extensively, I first went down the "Getting Started with Firebase on an App", until I realized (I think) that guide was specifically for web applications without a dedicated backend.
Then I looked more into Firebase Auth Admin, which looked more like what I was looking for. I tried messing with custom token creation and other authentication related matters but I fail to be able to log in.
I reached out to friends for help, they recommended getting local login/googleauth working End-to-end using firebase before trying to secure our tokens moreso than they already are.
I'm very lost and not sure if I'm misunderstanding something fundamental or just not applying the right things. I apologize if this is unclear, I'm just trying to allow email/password login using firebase auth to securely authenticate with my MongoDB data (if that's even necessary)
Any guidance would be appreciated!
You're absolutely right with your approach and its possible to use Firebase Auth for just login/signup and rest of all on mongoDB.
There are 2 ways u can implement the Firebase Auth-
Using the sdk provided by Firebase
Using the Admin Auth API
Which ever way you selected, Later on save your UID on your custom Backend (Which is backed by MongoDB)
Just create your API's to verify user identity.
If you're using NodeJs you can follow this tutorial.
I feel like I am wanting to do something that is either easy, or very wrong. Not sure which one yet.
I am wanting to build an application that is backed by Firebase for:
Authentication
Realtime Database
I will build an Angular2 Front end Single Page App using AngularFire2. Using AngularFire2, the user will authenticate using GoogleAuthentication provider. The Angular2 app will interact with the firebase realtime database directly under most cases.
But I have some cases that I want a NodeJS/Express REST API layer todo more complex business logic and interact with FireBase Database. What I want to have happen is when the user authenticates with AngularFire2 that the accessToken can be used on the API calls to NodeJS in the HTTP Header. Then inside the NodeJS Firebase SDK I just authenticate using that token.
How would you go about doing this? I've been digging through documentation for a while now and still haven't figure it out.
Took lots of digging, but I found the solution. I hope this is a useful thread for others to find.
The accepted answer at: Answer gives a good lead to this. Specifically look at:
Authenticating your privileged workers
Emulating users or limiting access from a server process
Validating client identity via security
I ran across this Node.js example, which makes me think that it is possible, but when I tried to setup the example locally, it doesn't seem to do anything. It would seem to me that it would not be possible, as the login for most of these services, like Facebook Connect and OpenID, require a redirect to the provider's site, then a redirect back to your site.
What I am trying to accomplish in the long-run is to develop an application using a combination of PhoneGap with a Node.js restful backend. I am not integrating with Facebook, other than to use the login credentials. I have to admit that my understanding of OAUTH, OpenID, and Facebook Connect is rather novice. I would like to have my PhoneGap application simply send over the credentials and have my Node.js authenticate them.
Yes this can be done. I believe the server-side code handles the redirect. Here is a good explanation of the solution.
I am making an API in NodeJS that 'll be used by a website and iPhone native app at the same time.
There is a chance that API URL will be exposed to user when used in javascript for website. I only want authorized access to the API. Don't want anyone call API via console. like user/delete/[user-id], anyone can use this URL to delete a user.
Check out http://passportjs.org/
There are plenty of authentication strategies to use. Don't reinvent the wheel here. ;)
I am a complete beginner, and have just started learning about web development. Now I am asking myself some questions regards REST API: Does it make sense to secure a REST API with authentication? If so, what are the common ways of doing this?
I am under the impression that REST API's are precisely there because we try to enable many different users to access them. Now I would like to write a small application which makes requests to a node.js server and gets some stuff back. All via REST API.
However, I do not want others to be able to make similar requests to that server though. How would I best secure this? Am I misunderstanding something big time here?
Not authenticating the REST APIs means you are allowing everybody to hit your REST endpoints. It is a better practise to authenticate REST APIs and allow only certain users to access the APIs. The link might help you to have a start.
It is super simple: when you provide a service, most likely, you only want to allow certain, authenticated users to call that service. In other words: it is possible to have rest services that work without any kind of authentication - but is rather the exception, not the rule.
The more common approach is that, say a hotel only allows people with a key to enter rooms. Same story for services ...
And there are many ways to do that, see here for a starting point.
Authentication is important for REST APIs because you only want certain users to access your data via GET api and/or be able to make modifications to your database via POST api.
JSON Web Tokens(JWT) is the most commonly used authentication framework. Here's a very basic tutorial about how to authenticate node js API with JWT.