I'm trying to find the best way to implement authorization. At this time, only thing I need is a simple free account, but later I may include user roles for a "premium" account using a payment system like stripe.
I have already started reading and experimenting with Auth0 but then found some other ways I can do it.
Passport.js + MongoDB, I've seen some examples and work great but I think it is missing a way to control users, rules etc with a friendly panel (like Auth0)
Using Auth0 and setting up a custom database (mongoDB). Also seems to be behind a paywall.
Also found a way to use both Auth0 for authentication and Mongoose for a MongoDB database. In this one, everything is saved in mongoDB except passwords. It's also the only setup that deleting a user from Auth0 is not affecting the MongoDB (which is bad I guess).
So, some questions are
which method you think is better?
What is the difference between 2 and 3,
Is there a way to implement rules in passport (e.g. redirect new users on first login)
If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?
A bit of a chaos question but any help would be helpful
The best authorization strategy depends of the scope of your applications in a short or long term.
Monolithic or simple web with Private login
For example, if you will have just a simple(MERN) web with a one simple backend (api rest) or a monolithic application like this mern example with an internal or private login in your organization, your authorization strategy could be as simple as :
(1*) /login express route which receive user/password, validate them in database and returns the clasic jwt token and an array of options (react routes) to which the user should have access
web app (react) must render pages whose routes match with the received routes
web app must send the received token to any api rest endpoint invocation
when api receive the invocation from react web, must validate the existence of token as a header. If not exist, must return a 403 error.
(2*) If token exist, must try to validate it (well-formed, not expired, correct signature, etc).
(3*)If its is a valid token, you must perform a last validation: Is user with "guest" role allowed to execute a DELETE to an endpoint /user/100.
(4*) Classic solution is to have some tables in your database like: user, roles, user_roles, role_permission, permission_option. Option table must have registered all your api endpoints and its method. Also this could be used to create the relation between user <:> web routes. Check this
Modern requirements
Modern and large organizations require:
Social Network Logins
Internal/External Users
Not interactive logins (robots, schedulers, etc)
Several web apps
Several Mobile apps
A lot of Api Rest
For this case, MERN app is not a good choice because is ALL-IN-ONE. Common strategy to implement the previous requirements is to have several artifacts deployed in several servers:
web app (react, vue, angular, linkstart, etc)
apis rest (nodejs + expres, java, python, etc)
authentication/authorization: oauth2 platform/provider, Identity/Access Platforms, etc
If this is your case, you must split your MERN app into several deployable artifacts: web, api and security.
Oauth2
No matter if you are concern just for login or how ensure the authentication and authorization for your webs, apis and maybe your mobile apps, you will need : OAUTH2
You could develop your own security platform taking into consideration (1*), (2*), (3*) y (4*) or use something like:
auth0
keycloack, etc
More details here: https://stackoverflow.com/a/62049409
Your questions
which method you think is better?
I think if you will use auth0, you will save time and effort. With auth0 you just need a simple express app, with some endpoints like /login, /callback, etc. Or if you use auth0 + passport.js, these endpoints are managed by passport.js
I advice you , review how OAUTH2 flow works before to use auth0 with/without passport. This link helped me a lot.
What is the difference between 2 and 3,
As I read, auth0 and another platforms offer a user management service or it can connect to your users service (AD/LDAP, database, api, etc). So
Is there a way to implement rules in passport (e.g. redirect new users on first login)
Yes. You can add some logic when callback is redirected in your nodejs with or without passport.
If I implement Passport with MongoDB, and my database has hundreds of users, how can I manage them?
Nowadays database support a lot of rows. So for your production database try to optimize or monitor it. Another option is to hire a database administrator to perform these tasks.
References
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://auth0.com/user-management
https://stackoverflow.com/a/62049409
https://fiware-tutorials.readthedocs.io/en/latest/roles-permissions/index.html
https://dba.stackexchange.com/questions/36935/best-relational-database-structure-for-this-data
https://www.mind-it.info/2010/01/09/nist-rbac-data-model/
Managing single sign on using passportjs for my own web applications - sharing login
https://aws.amazon.com/blogs/apn/how-to-integrate-rest-apis-with-single-page-apps-and-secure-them-using-auth0-part-1/
Facebook OAuth security using passport-facebook
Asynchronous Django, Ajax, Jquery Information
relational models
I am building a REST API in node.js which needs to use Flutter and a React web app as their clients. The problem I'm facing is that I'm not sure where to handle the authorization. Both Flutter and React have a prebuilt "UI" from Firebase that doesen't even need to be connected to the backend. But also there is an option to just take the password and email from the forms and send them to my API which sends them to Firebase via a post request. The flow should be this, a user signs up with Firebase and is created, while that is happening he is also being "signed" up on my API so I can append and store data in his account.
I only need Firebase as an authorization layer, I feel that at this point in time I can't build anything comparable in terms of security when it comes to the authorization.
If you want to work with Firebase Authentication accounts on your backend, then you will need to use the Firebase Admin SDK to manage users. In particular, what you need to do is have the client app send the ID token provided by the SDK and verify the token so your backend can do things on the user's behalf.
I would recommend you to avoid implementing integration with Firebase in the client side, and do it only in the server side. You can use Firebase-Admin to integrate with Firebase in your node.js server. Then, the sign up/in request will be via your API.
In this way, your clients don't depend on 3rd party and all of the library updates should be in your server.
I'm testing the Intuit OAuth2.0-demo for nodejs. link
The demo uses the node-quickbooks package within an Express server. The demo works fine but I have a question more about the general flow "best-practice" for a multi user setup.
For example:
You have your own web application that supports many users. The users login to your web application and decide to grant your web application access to Quickbooks.
How would i properly handle multiple users?
Currently, when I authorize the oAuth connection between the web app "demo" and Quickbooks the auth token is stored server-side.
The Express session is not unique to the specific logged in user on the demo web app. When I connect from different devices to my local demo web app they are all using the previously server-side stored auth token.
What is best practice for multiple users?
The demo provided from Intuit was extremely helpful but it did not provide any additional code in the boilerplate for maintaining multiple users and properly storing the access_token / refresh_token / realmId inside a storage (such as Mongo). I ended up merging this demo project with a boilerplate Passport local strategy that uses mongo. I updated the mongoose model to store the Quickbooks Online tokens. This way when the user logs into my webapp via Passport we can just pull the tokens that are associated to there user account inside mongo.
I will probably make a repo for this since I think it can be helpful to others. For now, if anyone ends up finding this thread and has any questions feel free to send a message.
Regards
I'm developing my first app with firebase auth and Google App Engine, and I'm wondering how should I do some things.
For example: My architecture will be in Google App engine, and I'm using Cloud SQL to store data (using sequelize). The app is developed with node.js and express.
The problem is I want to use firebase auth to make login easier.
Everything for that is done client-side so.... is there any example on how should I use firebase Auth and how should I authenticate my request to my API in order to get which user it is on every request?
Maybe forward the token to the API? and then getting the info?
Thanks for your help.
There are definitely examples of this. What you'll want to do is look at the documentation for the Firebase Admin SDK, which is the SDK that you can run on trusted environments (such as App Engine) to perform actions that require administrative access.
In a typica scenario you'll use the Firebase Authentication SDK to sign the user in in the app, and then pass the ID token to your App Engine back-end. There you'll validate and verify the token, and then perform whatever actions the user is authorized to perform according to your rules.
If you'd be using a Firebase database (either Realtime Database or Cloud Firestore) you would be able to pass the token along and enforce authorized access in Firebase's server-side security rules. But since you're using Cloud SQL (which isn't aware of Firebase), you'll need to enforce your authorization rules in your own App Engine code.
I want to create chat application using Firebase. I have the backend done in micro-services.
I also built an authentication API micro-service that allow the user to login/register and other. That service is built in Node.js and Mongodb using JWT tokens.
I am not that familiar with Firebase, all I know that you can you their auth/authorization service.
Will it be alright to use that micro-service in Firebase?
You can use the Firebase Admin SDK to mint a token that Firebase Authentication can then use to authenticate your user.
See the Firebase documentation on minting custom tokens for an example.