lets say for example i have my website like that:
http://whatever.herokuapp.com/
and i don't want anyone to view it until he enter a password on the URL like that.
http://whatever.herokuapp.com/pw=1231fd1ffs
i am using angular for this project and i am connecting to some apis.
how i can do something like this.
this is what i am looking to do.
Do a GET request and give it the parameter as:
http://whatever.herokuapp.com/?pw=1231fd1ffs
Then, on server side you should check if the password is, in fact, correct and if it is just return the new web.
However, this is not really advisable. Anyone could access if they have the full link with the password. Instead of this you should do a form with a POST request asking for the password. Or even better, a users db so everyone would have his own password and third persons will not be allowed to log in.
After POST request just return the full web the same way you would do it with a GET
Related
I have a web application (let's just refer to its address as 'xyz.com' for security purposes) that I want to be accessible only to users of a WordPress website. In the WP site, the logged in user can click a button that opens 'xyz.com' in a seperate tab. xyz.com is a Node.js application, created via MeteorJS, so it has both a client side and script and a server side script, but no PHP.
I want to make it so that accessing xyz.com will be denied, or at least limited, if the user directly goes to it without first logging in through the Wordpress site and accessing it via the button. I'm trying to figure out a relatively secure way to do this. I would also like to be able to distinguish between each username, as this is needed for a feature in the application.
The method I was considering is to place the button in a form that gets the current logged in Username, then send the username through $_POST data when you click the link, which then checks to see if there is a username in the $_POST data (via XMLHttpRequest or something similar), and what the name is.
However, I'm not sure how secure that would be, as the code is mostly client side, meaning couldn't someone look at the code and determine that they simply need to send a username through a $_POST data form? Is there a way to authenticate that the data is coming from the Wordpress site? Am I just overthinking this and this is an unlikely scenario for a simple website to be attacked like such?
I'm trying to implement a GET method with Express in my nodeJs application.
I'd like to do something like this in order to display user data :
router.get("/user/:idUser", (req, res) => {
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
How could I proceed ? I thought about using some encryption process to have something like :
/user/PdfgdfJFDGTfrfgdsf
Your question isn't really making sense. You don't want authentication, but you only want a user to be able to view their own data so nobody else can view it.
The ONLY way to solve that is by using some form of authentication. The user has to prove to the server that they are allowed to view that data before the user renders the page for them.
Yes, you could obscure the URL (make it some mostly unguessable string of characters), but it's not clear what problem that is solving. The user themselves won't be able to remember it or type it so it would probably have to be a link in a web page and if it's a link in an unauthenticated web page, then anyone can get to it - thus defeating the purpose.
There are cases where temporary links (often done for privileged downloads) such as what you mention /user/PdfgdfJFDGTfrfgdsf are sent via an authenticated channel (either an authenticated webpage or sent to an email address known to belong to an authenticated user) and these links contain some unique and hard to guess code. The user can then click on that link (in authenticated webpage or in email) and access that resource without further authentication. In that case, the knowledge of the code in the URL is serving as a form of proof of authentication. Because URLs may be logged in service providers or corporate infrastructure and thus not remain entirely private, this technique has its limitations and is typically only used for short term (download this resource in the next 10 minutes) type of uses, not a long term substitute for authentication and not used for things that demand real security. You don't explain enough of your use case to know whether this is practical for your situation or not.
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
That's an inconsistent statement. You say "user doesn't need to be authenticated in order to execute this code" and then you say "I don't want that anybody can execute this request with a user id of someone else.". You can't have both. The user is either required to prove authorization or they aren't. Pick one. It can't be both.
you can use jwt for this and a auth middleware for this
upon decoding jwt token, you can implement logic to check if the decodedToken.user_id (given that you add user_id when encode token payload) is equal to the :idUser in route (or any kind of logic you want) there.
I've spent the better part of the day trying to figure out how OpenID works. My goal is to set up a simple site where, upon clicking a login button, users are taken to a Steam login-page, where they are prompted for username and password. After successfully logging in, the user is redirected to a page on my domain, where I collect the query string parameters. They look like this:
{
"openid.ns": "http://specs.openid.net/auth/2.0",
"openid.mode": "id_res",
"openid.op_endpoint": "https://steamcommunity.com/openid/login",
"openid.claimed_id": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.identity": "https://steamcommunity.com/openid/id/7656119[0000000000]",
"openid.return_to": "http://127.0.0.1:8000/resolve",
"openid.response_nonce": "2018-12-01T14:49:46Z30hhn2/[someTEXTendingIN=]",
"openid.assoc_handle": "1234567890",
"openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
"openid.sig": "[someTEXTandNUMBERSendingIN=]"
}
What I am unable to solve though, is the actual authentication issue. I'm not sure what to do with this data. I want to have my own database where I store more information about the user, such as friends, messages, currency etc. For this, it is very important that I can verify that someone didn't just take this request body, change their ID for another and in that way access their account.
I'm pretty sure these are the relevant pieces of documentation, but it still isn't clear to me. How am I supposed to authenticate the user with this data?
I've omitted some values in this post that I fear could be bad to share. These placeholders have been outlined with brackets []. Also, that assoc_handle is really 1234567890, which kind of puts me off, since according to the OpenID documentation, it is used for determining the signature.
To be clear: this page where credentials are collected is not run by me, but is the official OpenID sign-in page for Steam. Steam is a gaming platform. https://steamcommunity.com/dev/ for reference.
For Steam authentication in nodejs you can use Passport.
Passport is an authentication library that works best with Express-based web application.
There is a steam-strategy that can handle your steam authentication.
Check passport here
And this is the Repository for Steam strategy. There is an example folder that you can see how to setup your Steam authentication.
I am developing a social network and I would like to know if in the profile page of a user I could put the user id stored in database as a parameter in the url or is it a bad idea in terms of security?
I want the url to be bookmarkable. Should I put another thing instead of the user id?
In terms of security there's no problem in putting the user id in a url. For example StackOverflow does it already: https://stackoverflow.com/users/3477044/aliuk
What's important is to verify that the currently authenticated user is allowed to access this url and take actions on its behalf.
most socialnetwork i've been using, use username as url not id, of course it also affects seo, since u have "pretty url".
Security is really depend on how you write your code, say there is a page to edit-profile, if you put on your code something like:
UPDATE .. SET .. WHERE id = $_GET['id']
no question it's dangerous, you should check every user action, like posting/editing profile, etc. who is login, not what's the id on current url
It is secure if you secure your website against sql injection.
But if breach happens all users are vunerable. Only thing that hacker needs to do is find the user profile get his id. Copy output of sql injection. Go to text editor. Press ctrl - f and search for user id.
I want to set up a way for my server to grab all of my instagram photos and put them on a website. I'm trying to use this lib https://github.com/mckelvey/instagram-node-lib.
It says I need to auth as the user (myself) to get the photo feed. Can I do this in an automated way from the server? I don't want visitors to my site to have to login...
I just can't figure out how to get my own feed for an anonymous user on my site. I don't want to deal with redirects and urls, I just want to get my own feed server-side.
Thanks!
How to setup instagram-node-lib (for a personal site)
http://instagram.com/developer/ - Fill out the info, both the URLs can just be yourdomain.com
You should get a Client ID / Client Secret!
You’ll also need your user id (which is not your username) and an access_token (basically the idea is that you have to prove you are a particular person in case the user you are trying to get photos for is viewable).
Now, since I’m guessing you get all fuzzy when people start talking about OAuth stuff (me too) here’s a lame way to grab a access_token:
http://instafeedjs.com
Just search the page for a “click here” link, you’ll walk through the OAuth process for this tiny bit of JS and the page will come back with your access_token.
Now, for a small bit of code to prove what we did just worked:
Instagram = require('instagram-node-lib');
Instagram.set('client_id', '*******');
Instagram.set('client_secret', '*******');
Instagram.set('access_token', '*******');
console.log(Instagram.users.recent({ user_id: ******* })); // Notice the distinct lack of quotes around the user_Id
HIGHFIVE!