I'm developing a web app using Angular2 and Scala. And instead of using any big framework like Spring Security that does everything for you, I'm thinking of using just some libraries and writing the system myself.
I plan to use JWT libraries to authenticate requests, and use hashing libraries to encrypt password storage in the db.
What other things do I need to consider to make my system secure? I think I also need to think about CSRF and XSS? What else?
Thanks a lot!!!
I find myself in need of an OAuth2 library for node.js. Could someone share their opinion on which library is best and most simple to use, or can I perform the request without a library? I need it to perform a single request.
passport.js has good documentation and supports most common providers.
I'm an experienced Ruby (Sinatra, Event Machine, Warden, etc) developer and have decided to teach myself Node.js
I've written enough Node now to feel very comfortable with it, and now I'm feeling a bit more ambitious. I would like to wire a simple Sails.js app and a forum built with NodeBB together such that my users can sign into one and be automatically signed in to the other.
I'd like those users to have role-based authentication for access to various parts of the Sails app and also of the forum, so they'd need to share a common RBAC model.
Is Passport suitable for this? And if so, do you have any links to examples?
To persist sessions across requests, Passport relies on Connect, which in turn relies on encrypted cookies containing a connect session id. To use the same sessions across multiple applications, you will need to synchronize your Express / Connect cookie parser and synchronize or share your sessions and user models. You would need to use an external session store (like Redis or Mongo) and probably separate your user database from the individual application databases. Additionally, you would need to copy and paste the cookie parser secret into each application.
It's not really the best approach, though. The maker of Passport also published an open-source OAuth2 Server, which you can use (in combination with Passport's OAuth 2 authentication support) to provide authentication for all the applications you want to tie together. This is a much more robust and scalable solution to your problem, as you won't have to worry about synchronizing secrets and sharing databases. Additionally, it would allow you to write any kind of application you want (not necessarily in node) and still implement shared single sign on.
(If that still sounds like more effort than it's worth, you can always just use an external identity provider. Google-account based OpenID requires no setup, integrates seamlessly with Passport, and lets Google do all the work.)
Is there any point using Passport for Node when there are no plans to integrate external APIs like Facebook and Twitter?
I'm looking at arguments for implementing any of the so-called 'strategies' for a generic authentication system in my own application. Or is the only point of Passport to utilise specific authentication strategies from other APIs?
Is there even a strategy that acts as a placeholder for future API integration if one was later required?
Is there even a strategy that acts as a placeholder for future API integration if one was later required?
Yes, there is passport-local.
Is there any point using Passport for Node when there are no plans to integrate external APIs?
IMHO if you don't need it, leave it out. YAGNI. Fewer dependencies is a good thing. When you need it, it is simple enough to add. I also think social login is/was largely a fad that was pseudo-required at one point but these days many people are over it.
We have a Grails application in the wild. We'd like to give users using current browsers a better experience and provide some auto-updating of pieces of the site. Looking into all the options, and specifically with Grails, I'm not impressed.
I really want to use WebSockets and from the investigating I've done up to this point I believe our best option is Node.js. But obviously we can't redo our application. I like Grails.
So my idea is that we use Node.js alongside Grails to basically act as a READ-ONLY proxy between the client and the data. All the Node.js application will do is pull data from the database and deliver it to the client over WebSockets.
Does that sound like a valid approach? Is this something anyone else has done?
Certainly sounds reasonable; I'd suggest using socket.io to implement your transport (it will use WebSockets if the browser supports them; otherwise it will transparently use various fallback mechanisms). You might want to use a reverse proxy like nginx to avoid any cross-origin problems, though socket.io is fairly good at avoiding them.
Node is very much about letting you use the right tool for the right part of the job, rather than being a Golden Hammer.
We aren't using websockets, but we have an Angular app that talks to Grails via REST calls, which we expose using controllers.
I need to implement everyauth with node.js Connect (not Express), very securely.
Although the site provides some code samples for Connect, I'm not familiar with how the node-Connect session middleware handles sessions.
Can someone please introduce some good simple examples to get started with?
PS. I found the official sample of Connect, but need a full working example.
http://www.senchalabs.org/connect/session.html
I suggest you check out Passport (which I developed). everyauth tends to make assumptions that Express is present, making integration into Connect-only apps difficult.
I developed Passport after wanting something more modular and easier to integrate. It makes no assumptions, and is just simple middleware, so it drops in easily into Connect-based apps.
Express.js is actually a thin layer on top of Connect. So you could just use that as a reference and see how they do it.