I followed this tutorial :
http://blog.cendekiapp.com/2015/04/02/add-authentication-in-sailsjs-api/
and when I want to run the app, it works fine when I run :
sails lift
But, if I try and hit endpoints via a rest client... it will return me data, without any kind of login being necessary...
I notice the comments, and people are having the same issue - my code is IDENTICAL to the one in the example, and is even built on top of the tutorial from part one (before the auth tutorial)
if I hit http://localhost:1337/user - it will return me all users, I am sure it needs to be checking for a token, which I would get via checking if I have one to submit, or go get one from the login controller, but I am not sure what I need to do. Anyone have any ideas? Or know straight up what is missing?
Related
I am randomly getting a login prompt asking me to log in to localhost:3000 while working on my project (in localhost). Sometimes it does not show up the whole day and next morning I get 10 prompts in a row (canceling through pressing escape), and then it starts working properly again.
These are the errors I get in the console when it has been canceled:
I suspect one of the following, but really I have no idea:
Webpack is not configured correctly
There is some resource that requires authentication (but I can't figure out which), I am running everything on localhost
There is something wrong with the node.js server thingy...
Any tips on what might be going on are very welcome.
Edit: My backend is mocked in localhost.
Edit 2: I found this: Receiving login prompt using integrated windows authentication and it is possible that the thing that is causing the error is some faulty configuration in my IIS. But it is difficult to verify since it only shows up randomly.
Webpack has nothing to do with your API calls.
401 errors are due to auth credentials failing.
It means that your backend ask you to update your token(s) used for auth in API calls.
I am trying to get Facebook login working with loopback using their loopback-component-passport plugin.
I have configured app details in providers.json and now if I visit http://localhost:3000/auth/facebook I am redirected to facebook and can successfully login. However, when I get redirected back (to /auth/facebook/callback) I get the following error --
ValidationError
422 The 'ApplicationCredential' instance is not valid. Details:providercan't be blank (value: undefined).
I can't make sense of this error because the providers file is where the fb app and paths etc are configured and they are definitely working.
The plugin is poorly documented so I am out of ideas at this point.
I have figured out the cause for this error. I had initiated my loopback project as a blank project. However for loopback-component-passport to work it requires User, AccessToken, ACL models to be available. These are inbuilt in loopback and can be manually added to model-config.json. Or, you can initialize the project with user authentication and it should work.
This was one of many roadblocks that I ran into due to my lack of knowledge in the area and Loopback's poor documentation for the plugin. The Tutorial section in the docs and the example github project it links to are completely out of date.
My ArangoDB server contains a database (mydb) with a collection (thiscol) and in the collection sits a bit of data. I can login with a user Thijs and look around using the web interface.
I cannot have user Thijs use the REST API, I have tried setting the password, granting access, restarting and making a new user.
The REST interface always returns 401 Unauthorized. I have obviously quadrupple checked the password.
If I use the user root it all works fine.
And I rather not start with Foxx services at this point because it seems to be an enormous amount of work to implement a REST service that allready exists but is not 'available'.
So is the REST API only implemented for a single hard-coded username or am I missing something here..
REST call example: http://localhost:8529/_api/collection
per request
failing GET
Ah, you need to specify the database to use in the URL, without specifying a database it will default to _system. Try localhost:8529/_db/vbo/_api/collection see this documentation page for more info.
Glad to help get it resolved.
I'm trying to create a script to generate Spotify playlists with Node (using the spotify-web-api-node module), and I'm having problems getting authentication. I'm terrible with OAuth, so bear with me through this question.
If I understand correctly, I need to use the authorization code flow to get an access token, and to do it that way, I would need to visit a webpage to get the code. So my question is, is there any way to get the code without having to actually visit the webpage?
I tried using request to see if it would show a redirect, but it just shows me a website from Spotify. If I have to manually allow access to an account the first time, that's fine. I'm just trying to have to take away as much repetition as I can. Also, I'm trying to have this be specific to one account, if it could make a difference.
I'm making a REST backend for private use of our frontend, they will both be in the same server.
The problem is that I'm worried about security issues, I don't want a attacker to use the API directly, either by JS or by using other REST client.
Lets take this service as an example
http://myserver:8080/something/webresources/film
That's a service that allows to GET, PUT, POST, DELETE I want that only the frontend be able to use it, otherwise since anyone can see client-code it would be easy to get the endpoint and start putting or getting data. I do have BASIC AUTH so they would have to register and if they did something wrong I would be able to see who did it, but that doesn't solve the problem.
I could implement access control so that a user only could get/update/delete their own movies, but I would have to do that for every REST service(I have over 100 by now), plus I might need to actually get others movies
This is my first public project, I am really lost.
You can do it through your web server. I'm using Nginx. I have an if statement that checks the $http_referer. If it returns nothing, or the value returned is not my application/frontend page (meaning someone is trying to hit the api directly), it'll return a 403 forbidden page.
If your application doesn't send out emails to your users don't worry about the following: I added a block to allow access to my static images as the only exception, as my application sends out emails with images and I don't want them to break.
That's it. Problem solved. No one has access to my api except my frontend page/application, unless they can forge the $http_referer to match my domain which if they can do that then they deserve to break in.
Your only option to call the REST API from server side. You cannot hide from the users what's going on in their browser... You can have a layered application, so the frontend layer can call the backend layer on the server while the client can see only the frontend. (Check the layered system constraint.)