I have a button on my website.
When a user clicks that button I want to get the users id.
I know I can do req.session.passport.user and it will get the id of the user that is currently logged in.
But what if there are multiple users logged in. How does it know which user clicked the button?
Does req.session.passport.user hold all the current users that are logged in?
Does req.session.passport.user hold all the current users that are
logged in?
No, only about the user making the request. How PassportJS can get information about the user is from the cookies, request headers, body, etc, which compose the session.
So req (from Express, Restify, etc.), which is short for request, contains information only about the user making the request to the server. Note the singular user in req.session.passport.user. It doesn't have any information about the rest of the users that are browsing your website.
Related
Noob here working on first backend project.
What I’m trying to do...
Collect member data via my form (name, email)
User clicks paypal button to pay for membership
When payment approved by paypal, send post request with form data to my members endpoint to add new member
I now realize if I use postman to post to my members endpoint it works. So a malicious user could post data to my members endpoint regardless of paypals payment approval.
My understanding so far is that if my server allows CORS and I don’t password verify the user, anyone can post to that endpoint.
Is it possible to allow post requests only after payment approval without the use of a password?
I’m thinking of online stores that let you checkout without a password. How do they post the collected form data to their db without jeopardizing their post route?
Hope this wasn’t too vague. Pointers would be greatly appreciated!
I’m using node/express, but since it’s a general question I assume it doesn’t really matter..
These answers helped but still didn’t get me there.
Protecting post routes NodeJS
Can I only accept traffic from certain requesting domains with Expressjs?
So post / get request in general are functions of the browser and or server, I can create a simple html form and post to any URL I want to.. Now the question is, will it accept it or not.
When communicating between servers and web-services unless open to the public will use token based authentication to validate the request. So in terms of paypal, the typical flow would be.
(note, very oversimplification below and is just a sample of one such pattern)
User clicks paypal button from your site ( this will contain some type of paypal ID of sorts )
User is directed to paypal and after completing the transaction paypal redirects users back to your server with a token
your server reads the token ( sends API call to paypal with token to verify its valid, if success then process the post )
You can't prevent a user from posting data to a URL, however you can tell the server what to do if they do. So protecting your route from unauthorized post can be handled by sessions, tokens etc. For example, if you have a route on your server, lets call it user profile. This route first executes a check for the session, if its there keep processing, if its not, redirect the user.. Its really no different for callbacks / token auth.
Essentially, you will need to handle what the server does in your code because anyone can post to the endpoint.
To your other question about how companies handle guest checkouts, this can be done a few ways but one way is to create your own token, this token would be an encrypted string that may contain a cart ID, time etc.
When a user clicks 'checkout' the token is generated and passed to the server via a get or post request. From there your server decodes the token and if everything is correct processes the order otherwise it kicks it back.
Again, you see a lot of token based stuff here going on and that because there is an X factor in all of this.. the user.. We know who the server is but the user can be from anywhere and the user isn't a server so we need some way to maintain state between servers, hence tokens, encryption, JWT etc
I have embedded an iframe in the source code of each person added to my People plugin
I am looking for a way to conditionally render a button based on who the logged-in user is. If the email of the logged-in user matches the email in the iframe's param then the button ('Click here to update Profile') should appear. Otherwise, it is not on the page when the logged-in user views other people.
Buildfire People Plugin
I looked through the public api docs and tried using the /auth/verify_credentials but this is for logging in, this will not return the email of the logged-in user.
I know buildfire SDK has a buildfire.auth.getCurrentUser(callback) function that can be used. I need the callback to send that info to another application.
The app that I created is deployed on netlify and the backend is deployed on heroku.
I have one Node.js app and database is MSSQL. I have implement the basic functionality like register, login and others like adding users. The authentication of the api is using JWT, so when a user login, he will receive a token saved on the cookie, just like normal app.
I'm going to add a new survey functionality to the app. With the survey, it does not require user login and does not ask to create a new user account, but only the person receive the invitation link can visit. What I current save on the survey main table is the email address and person name going to receive the survey and one auto generated UUID. The survey link may be /survey/UUID.
How should I do it and how to secure the survey form?
What I was thinking is to create a new token for each survey use only and attchecd with the invitation link, and then validate that token. But because it does not ask the login, I cannot validate the token with email. Should I need a Recaptcha only? Or I need to the login here, or at least need to the user confirm his email address so the token can be verify?
You could use id (primary key) AUTO increment on the main table, and 10-15 char as password. you generate token based on your format such as url/id+password. Id is always unique so its guarantee that each user will have their own token.
Our Use case is Anyone can create a site in our platform bit as Wix lets say. Each Site has its own Community & Chat.
So I used my appId, secret key to create the user session token for the user of the site1 says site-1-user-1 for displaying the community of site1.
I used react-activity-feed components to display the timeline feed of user site-1-user-1 (timeline:site-1-user-1)
I also displayed status update from above the activity feeds using react component. So when I post in this status update form, the activity gets displayed as by site-1-user-1.
How do I post activity as a different user say site-1-user-2 using the same token? I want the timeline feed with status update form to be displayed as a discussion forum where any logged in user can post any topic and see other activities also.
I am able to do this using PHP and getStream SDK.
How is it possible by using the react component?
Stream restricts actions user is able to perform when using client-side tokens:
User is able to read any feed
User is able to make feeds with her user-id follow any feed
User is able to post to feeds with her user-id
Client side tokens can only be used to perform the actions as the user the token was created for.
If you need to be able to impersonate other users or post contents for users to feeds they have no access to you will have to user server-side stream api
I want to understand how to integrate auth of Google or Facebook with my database.
I have a login system with email and password, users table and messages table for that represent messages of users.
When someone registers, a new user with userID is created.
When a user login to the system with email and password he gets an auth token,
and for each action the user makes, like POST or GET requests for fetching or creating a new message, he sends the token he got and the system finds the userID by this token, and then finds his own messages.
Now I want to add Google and Facebook login, how should I do it now?
I can get from each of them a token. but the user isn't actually exists in my user table, so when I search the user by his token, I won't get anything, because he is not exists in the user table, and when I want to insert him to this table, I need to fill the password field there but I can't get it from google.
What should be the approach to do thing like this?
Thank you.
When they first login, you can request their email from Facebook or google, the user will give your application access to see their email address.
At this point you could create a new user with that email and add a flag to say they came from facebook/google.
The rest works as normal, they would get a token from your application and so on.
In case they come back and login again, you don't need to register them as they are already in your database.
In case you need extra info from them, (more then just the info you can request from facebook/google) you could redirect them to a special form, for their first login.