I am using Titanium.App.Properties to save user login (username and password) for user to login next time the app is started without typing the login credentials.
My question, is this the best way to do this and whether data saved in Titanium.App.Properties is encrypted and not accessible by any external app.
i think u can using Titanium Backup Root. cause This exhaustive app can save almost anything: apps, application data, messages, system settings, widgets, backgrounds, you name it.
Related
I am coding a Rest API with express and I have a middleware to check if a user is admin or not. However, I wonder how companies assign a new user as an admin? Do they edit the database record and change the role there?. I guess that one admin could make another user admin but how is the first admin created? Is there a way to do it in the frontend?
If it's a software platform (meaning one web address and database for all users of your app) then the first admin user is typically created by running commands on the server command line console to create the right record. Or perhaps by a setup script that is run once. This creates the first admin user, and then that user logs in and creates more admin users via the UI. This typically only ever needs to be done once in the entire lifetime of the project, so no need to have this be a user friendly process.
However, if it's a server you install your own instance of it's common to have a setup wizard, since each new install will need to go through this process, it's worth the effort to make something user friendly. You go to something like myapp.com/setup and then complete a few forms that sets up the first admin user and provides initial configuration and preferences. After this first admin user is setup this setup page would no longer be accessible, so that no other new admin users can be created that way.
Wordpress is a great example of the interactive setup. The end of this video has an example of what that looks like.
Usually when I'm in the midst of building my back-end I'll throw my own name into the user (model) via the users (routes) to test the puppy out.. i use Postman to inject my info into the endpoints points, then keep it there on the (mongo)db.. you could always use atlas to manual insert the user as well.
EDIT: my answer: use atlas to manually input a json file with the admin user of your clients (the company) choosing.
EDIT2: you've got me thinking... there could be an initialization state of the web-app where these things are declared; for example, say yo're creating an accounting management tool, in the first of a company initializing their new software you could request this information.
I'm trying to develop a website for reviewing TV series, and I want to limit the rating for a show to one rating per user, and I kind of have no idea where to start, since I'm very new to web development. I'm using Vue.js on the front-end; Node.js with Express on the back-end.
From what I understand, cookies should not be suitable for this purpose since they can be deleted by the user, am I right?
I've also read about sessions and how they are stored on the server rather than the browser (but I also don't know what sessions are or how to implement them).
There's also the user registration system possibility. So, which one of these methods should I use for this purpose?
If you could also tell me about where to start (direct me to tutorials, code snippets, ..) I would be really grateful. Thanks.
Like said by Mr. Anonymous, you need User Accounts. However you could achieve this using in your case, for example, expressjs/session to create sessions and passport.js for the user authentication part.
Here there is a simple tutorial using these two libraries and mongo-db for saving user data.
If you want implement your own session library (only for learning purpose), you can follow these advices.
You need to use all 3 and if your new to web development this will take you some time to get right. You will need user registration, a login system, and when users log in you will create sessions ( which internally use cookies) and if you want them to login with "remember me" you need to explicitly use cookies.
Sessions
This is how express/your-web-app will remember that a user is logged in. Under the hood its using cookies on the users machine that map to ids stored in memory on your server. Without sessions and cookies your users will have to log in on every page....You don't have to worry about how sessions use cookies yourself. There is express middleware libraries that handle this for you so you just interact with sessions like any other object, but its good to know that sessions internally use cookies. You can find lots of articles expanding on this.
Cookies
You will explicitly have to create cookies if you want to give your users the "Remember Me" login option. If you don't care about that then you can force them to log in and then create a session so they wont have to log in again for 20 mins or however long you want.
User Accounts
User accounts are records in a database that uniquely identify each user. The sessions and cookies all point back to this. That is where your store your users information such as their username, email, and whether or not they have already voted on a TV series. When a user logs in you lookup their identity in your database and if you find one you then create a session so they don't have log in again as they navigate your site for a set amount of time.
Recommendation
Start small. Forget about Vue.js for now and use plain HTML until you understand these basic components sessions, cookies, and how to build a login and registration page. If, and I respectfully mean if, you get that working then you can work on making it look pretty and fancy in the front using Vue.js.
I have a Login screen where a user has to enter its username and password. I always store the password in a variable and send it over to the server. Then I leave the functions context and everything is fine because I have no reference to the valuable information anymore.
But this time it needs to be really secure. When somebody asks me about security in my app and how the app would handle his password, I want to be able to say “Don’t worry. Your data is safe."
So if there would be an hacked app on the users phone which manages it to break out of its sandbox right after my user entered his password and it has been sent to the server I want to erase that part of the memory so the malicious app cannot inspect my threads and just pick the password from.
This question concerns Swift 3.x.
I have thought of deinitializing a wrapper class around the credentials, but would that be enough? How does iOS handle such deinitializations?
Any suggestions on this?
Thanks.
I am developing a small website with a custom admin page that allow to simply modify and insert contents.
This is how it works: in domain.com/admin there is a page with an autentication form. Of course the only user that know the password is the admin (not me, my client). If the password is right, server send an html page that allow to modify the content of the website. How? Dynamic information are stored in a mongodb database setted up on localhost of server. So, using simple CRUD operation like insert, update and remove, the content of the website will change. In the clientside i simply do same "post" requests to the server, wich makes CRUD operations.
I need to make this system safe. Do i need https for autentication? Do you think that a simple autentication password for admin would be enougth? And what about the way i check if the passwords matches? I was thinking to store the admin password in the database (that have a password too) but maybe is unuseful. i could simply compare two strings cause the password is only one, there are no other registered users different by admin. But i'm not sure, this seems unsafe :D Any idea for the best way to do it??
I'm using node js (NO express). I have a dedicated root VPS.
https will be better, and you can just keep the salt and hash code in database instead of keeping the password directly. likely most of website have a feature to reset password not find the password, they don't keep password directly in file. when someone know the salt and hash code , they can't reverse the password.
Let's say, there is a website for an online diary. Users upload their secrets to the web server and stored in the database. Normally, a user without the password can't see the diary items. However the web admin or DB admin could still can connect to the DB and see everything.
Is there a solution to prevent this? I mean a solution for the whole web application, not only for a single user.
Client-side javascript can encrypt the content, using a key known only to the client and never sent to the server, prior to saving.
However, the server can at any time start serving up malicious JS that would send the keys back down to the server. The only way to make this impossible is to make your application an installable client-side app (via an extension or whatever - but nothing that auto-updates). Additionally, all of this paranoia is pointless unless the user can verify what the app is doing, so it would need to be open-source.
At this point you're basically writing GnuPG, so you might as well just use that.