Is there a built-in way to get the current user in NavBarComponent? This component is loaded before the user ever logs in, so it is impossible to get the current user from Principal.
Found a workaround.
Attempt to get the account in ngOnInit and fail.
Subscribe to the authenticationSuccess event and try to get the account again.
Related
A strange situation that I am unable to find other people having to deal with. We are using Microsoft AspNetCore.Identity to handle our authentication. Everything is working fine.
The problem is that for a user to perform certain actions, they MUST get another user to 'sign' that action. This act of signing of course requires that other user to use their user name and password to sign the action.
The issue with this is that the other user's details are readily visible in the request payload. So if I am sneaky, I can open the developer tools in my browser (and hide it), then ask my admin to come and sign my action, and when they have gone I can go to the network tab and see their username and login in plain text!
Of course this is all over https but still, we can't allow one user to see another's sensitive information.
How are we to manage to allow a second userB to 'sign' an action for userA while in user A's active session, while removing the capacity for userA to steal userB's credentials? Any ideas? (Front end is angular.js)
I imagine it's a big rework, but instead of having the "admin" sign the request on the user's machine, the admin could receive a "user A requires this action to be signed, proceed? [ok] [cancel]" on their account, the action would be stored in the database (perhaps temporarily?) and then all of the sensitive information is kept within each user's session with no cross over.
Then the authentication of who is permitted to approve actions can be handled in the backend via standard identity methods.
The user's "Please wait while an admin signs this action" modal (assumption) could then poll an API to determine the status of the action and then proceed once accepted.
I second justcompile's answer if you need an authorised and authenticated user to sign/confirm the action; more work, but the only secure way.
If you just need a second pair of eyes to confirm you could message a private group or slack channel that only "authorised" people have access to with a one-time URL containing a token (that maybe expires after a period of time too).
Assuming admins only access that channel they can follow the link, the app can validate the token and confirm the action.
Saves a second (admin) user logging in on their own machine and the need to build a workflow and UI etc, but again exposes you to risk if nefarious types get access to the channel or the links sent to it.
Depends on your appetite for risk I guess.
Another user performs the signing action on your local system, and you are sly?
There is no way to protect their password.
Use two-factor authentication.
The way this would normally be handled is for the user to request an action. This (unsigned) action-request is recorded in the database. The admin user is able to see this unsigned request in their account, and make an (authenticated) request to sign it. The user would be able to see the status of their request, and whether it has been signed yet.
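As an added illustration of the approval flow described in the answers above (a pending action stored server-side, approved by the admin from their own authenticated session, plus the private-channel variant with an expiring one-time link), the following Python model is example code and not from any of the posts; the USERS table, APPROVAL_TTL and the class and method names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

USERS = {"alice": {"user"}, "bob": {"user", "admin"}}  # constructed example roles, not a real identity store
APPROVAL_TTL = 600  # seconds a pending action (and its one-time link) stays valid

@dataclass
class PendingAction:
    requester: str
    description: str
    created_at: float
    status: str = "pending"  # pending | approved | expired
    link_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # one-time, never shown to the requester

class ApprovalStore:
    def __init__(self) -> None:
        self._actions: dict = {}  # action id -> PendingAction, the server-side record

    def request(self, requester: str, description: str, now: float) -> str:
        """User A records the action; nothing about user B is ever entered on A's machine."""
        action_id = secrets.token_hex(8)
        self._actions[action_id] = PendingAction(requester, description, now)
        return action_id

    def status(self, action_id: str, now: float) -> str:
        """What user A's 'please wait while an admin signs this' modal polls."""
        action = self._actions[action_id]
        if action.status == "pending" and now - action.created_at > APPROVAL_TTL:
            action.status = "expired"
        return action.status

    def approve(self, action_id: str, approver: str, now: float) -> bool:
        """Approval from the admin's own authenticated session; the role is checked here."""
        action = self._actions[action_id]
        if self.status(action_id, now) != "pending":
            return False
        if approver == action.requester or "admin" not in USERS.get(approver, set()):
            return False
        action.status = "approved"
        return True

    def approve_by_link(self, action_id: str, token: str, now: float) -> bool:
        """Private-channel variant: an unexpired one-time link token approves, no second login."""
        action = self._actions[action_id]
        if (self.status(action_id, now) != "pending" or not action.link_token
                or not secrets.compare_digest(token, action.link_token)):
            return False
        action.link_token, action.status = "", "approved"  # token consumed; cannot be replayed
        return True
```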
I have one user who is logged in, and at the same time ADMIN deactivates him.
As he is logged in he can access APIs, so how can I prevent him? I am using JWT.
You can get the user id from the JWT. Then, when doing an operation in the API, check if the user is banned. If the user is banned, send a response back saying the user is banned. So, he will be 'deactivated'.
https://github.com/esl/MongooseIM/issues/2235
As per the link above, there is no current way to ban/deactivate a user in the JWT Auth backend. However, if you were to delete the user, their user ID and token combination would have the same effect you are looking for: restricting their access to data.
In this case, I would delete the user instead of 'deactivating' them.
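An added example (not from either answer above) of the per-request check they describe: the API extracts the user id from the JWT, verifies the signature, and refuses the request when that user is deactivated or has been deleted. The USERS table, SECRET and the helper names are constructed assumptions; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed user table standing in for the application's database. Deleting the user
# (the MongooseIM answer) removes the row; deactivating it sets active=False.
USERS = {"u1": {"active": True}, "u2": {"active": False}}
SECRET = b"constructed-example-key"  # example only; a real key comes from configuration


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(user_id: str, issued_at: int) -> str:
    """Test helper: issue an HS256 JWT for user_id (what the login endpoint would do)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": user_id, "iat": issued_at}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(token: str) -> Optional[str]:
    """Per-request check: the signature must verify AND the user must still exist and be
    active. A JWT is stateless, so this lookup is what makes a deactivation take effect
    before the token expires. Returns the user id, or None to reject the request."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # forged or tampered token
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
    except ValueError:  # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":
        return None  # never let the client choose the algorithm
    user = USERS.get(claims.get("sub"))
    if user is None or not user["active"]:
        return None  # deleted or deactivated after the token was issued
    return claims["sub"]
```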
I am researching Salesforce. I have read the session Control Access to Organization. I have not clearly understood the difference between Deactivating and Freezing a User in Salesforce. Can anyone help me?
In some cases, you can’t immediately deactivate an account, such as when a user is selected in a custom hierarchy field. To prevent users from logging in to your organization while you perform the steps to deactivate them, you can freeze user accounts.
If you freeze a user account, it gives you the opportunity to move the associated records, etc. to the ownership of someone else so they would be able to manage those accounts. "Freezing" only stops the user from being able to login. When you "deactivate," it frees up that salesforce license to be given to another user.
The difference is:
Deactivate means that you don't allow that user to log in to your org, and it frees up that Salesforce license to be given to another user.
Freeze just doesn't allow that user to log in to your org.
You can watch this video for more detail about the difference between Deactivating or Freezing a User in Salesforce: https://www.youtube.com/watch?v=HYPB3oq_94Q
I have a little problem. In my application users are authenticated via Azure AD and their user profile is in DocumentDB.
When the Administrator deletes a user profile I need to force log out the deleted user.
How do I do it? The delete action deletes the AD and DocumentDB entry.
Based on the description, you want to sign out the users after the administrator deletes the user profile from DocumentDB.
If I understood correctly, this is more like building a real-time application that notifies the specific client when the delete action is performed. I am trying to explain it using the figure below:
For building the real-time application, we can use SignalR. You can refer to the links here for more detail about it.
Another solution to prevent the deleted users from accessing the protected resources: you can check it before the users access the resources.
How would I retrieve all valid sessions for a specific user? For example, if the user is logged in from multiple devices and decides to change password, or reset password. I need to be able to expire all active sessions and log the user out of all devices. This is especially important if the user suspects that his/her account has been compromised and needs to change the password. Currently I can retrieve RMEs but not sessions. I know this is doable from the UI but I need to put this feature in an SDK or API. Is there a curl command to easily achieve this?
Sarah,
Currently there is no endpoint that will let you invalidate all user sessions. You would need the session token of each session and then call the /json/sessions/?_action=logout REST endpoint multiple times (once per session).
That being said you can use the following class to get the list of sessions for a particular user:
com.iplanet.dpro.session.service.SessionCount
You can read the javadoc here.
There are some constraints for using this method though. Session Quota must be enabled. You can enable Session Quota on the admin console by going to Configuration -> Global -> Session page and:
Set the number of "Active User Sessions"
Turn on "Enable Quota Constraints"
To sum up, you can create your own custom endpoint that will take the User ID and invoke SessionCount.getAllSessionsByUUID(uuid) to get the list of active sessions. After that, you can iterate through the list of sessions and invalidate them one by one.
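An added Python model (not OpenAM's code and not the answer's own) of the approach described above: enumerate a user's sessions by UUID under an active-session quota, then log them out one by one because only a single-session logout exists; the same routine is what the earlier Azure AD / DocumentDB question needs when a profile is deleted. The class and method names and the quota value are constructed assumptions.

```python
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Set

MAX_ACTIVE_USER_SESSIONS = 5  # stands in for the "Active User Sessions" quota value


class SessionRegistry:
    """Server-side session table indexed by user id: a model of the answer's approach of
    listing a user's sessions by UUID and then logging each one out individually."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}                       # session token -> user id
        self._by_user: Dict[str, Set[str]] = defaultdict(set)  # user id -> session tokens

    def login(self, user_id: str) -> Optional[str]:
        """Create a session; returns None once the user's quota is exhausted."""
        if len(self._by_user[user_id]) >= MAX_ACTIVE_USER_SESSIONS:
            return None
        token = secrets.token_urlsafe(32)
        self._owner[token] = user_id
        self._by_user[user_id].add(token)
        return token

    def is_valid(self, token: str) -> bool:
        """What every protected request checks; a logged-out token fails immediately."""
        return token in self._owner

    def get_all_sessions_by_uuid(self, user_id: str) -> List[str]:
        """Same role as SessionCount.getAllSessionsByUUID in the answer (modelled here, not OpenAM's code)."""
        return sorted(self._by_user.get(user_id, set()))

    def logout(self, token: str) -> bool:
        """The single-session logout that the REST endpoint offers."""
        user_id = self._owner.pop(token, None)
        if user_id is None:
            return False
        self._by_user[user_id].discard(token)
        return True

    def logout_all(self, user_id: str) -> int:
        """Password change, suspected compromise or profile deletion: expire every session
        of the user one by one. Returns how many sessions were invalidated."""
        return sum(self.logout(t) for t in self.get_all_sessions_by_uuid(user_id))
```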
Hope this answers your question.