For example, an authorization form has a login and a password; I want to create an equivalent form in Telegram.
Q: /signin
A: Enter your login
Q: Somelogin
A: Enter your password
Q: Somepassword
A: Authorization success!
But how can I save the incoming data from the user? Is there an API for it, or must I save the input data in temporary database fields (such as chat_id, command, session_expire, command_state, command_tmp_data)?
You should use OAuth or redirect users to the auth form on your website (and redirect them back after authorization). Sending users' auth data in text messages, and asking them for it, is a big evil.
Answering your question: you have to save the session (conversation) state like you proposed; the API doesn't provide you with a means to "ask" a user a question.
BUT
user3449979 is right, and you shouldn't ask for user auth data in plain text; you should use deep linking together with OAuth or another server-side authentication method.
I'm building a small web application using node.js and react.js which requires user login.
How do I send confidential information like the username and password in a GET request?
If you absolutely need to use GET, you can add the info to the query string:
fetch('https://example.com/login?username=XXX&password=XXX'); // credentials end up in the URL (server logs, browser history, Referer header)
But this is highly discouraged. Even though the query string is encrypted when using HTTPS, it is bad design to use it to transport highly sensitive data such as passwords. Some reasons here.
A better way would be to use a POST request.
You don't send data in a GET request; use the POST method to send data.
I was building my chat app and I prepared the login page to authenticate the user logging into the application. Now the question is what I should do with it: I used the POST method to get the credentials and compared them with the database, so how should I send this to the front-end page so as to make the user log in and send messages under the username they have logged in with?
I don't want a piece of code, but rather a suggestion on what I should do next. If I just send the plain username to the frontend, then I am afraid that users can change its value and pretend to be someone else.
You don't send it to the frontend page. You never send the password or any other sensitive information to the client side/frontend/browser.
The flow is roughly like this.
Frontend has a login form that posts to the server
Server gets the username and password
Server authenticates and creates a session
Frontend gets information that this user is now logged in.
Every action this user takes has to be checked on the server side.
You can also check my answer on a similar thought:
VueJS Secure with Auth0 - How is it secure?
Where the author asks:
If I set some variable like isLoggedIn = true or isAdminUser = true,
what stops the user from manipulating the DOM and forcing these values
to true?
The short answer is nothing. You don't do any authentication on the client side. It's OK to have some variables like isLoggedIn or isAdminUser to make the interface make sense, but the server code should always do the actual authentication or authorization.
I am studying hashing/encrypting databases, but I have a question:
Let's suppose an app where you can create an account and save notes in your account, like Evernote. When you log in, your password will be compared with the saved password (bcrypt), and if your password is correct, you can log in.
But how can we encrypt/hash the notes? Because the notes will be fetched with a GET or a POST that will only have an Authorization header, how can I encrypt/hash the notes table and decode this data? And what algorithm does what I want?
Note: I am using Node.js for the backend.
Sorry if this question seems dumb.
I am just a beginner with node/express and I kind of have a problem.
I have built a todo application using Node.js, Express and MongoDB which actually has a login/register form, i.e., you get to register and log in (/register and /login) before you can get access to the todo application (/todoapp).
My problem is: if user A logs in with his email and password, inputs some todos and logs out, and later on user B also logs in with his own different email and password, he gets to see the todos of user A.
But I want it to be different: user A should be able to see just his own todos, and user B should also be able to see just his own todos. Please, how do I do that?
My algorithm is below:
- user registers (/register)
- user gets redirected to (/login)
- successfully logs in and gets to (/todos)
This works perfectly and sends all logged-in users to the same (/todo).
Generally you need to store the user _id in a session or a cookie (on the client side) when the user logs in successfully; then, when the user makes a GET/POST request, you first check whether the _id in his session/cookie matches an _id in the db, and send back to the user only the items with his _id (items that belong to the user).
You can register a session when the user logs in, but keep in mind you must protect against CSRF.
You can also use JWT for this.
I suggest you find a good tutorial on JWT or on authorization with sessions and CSRF protection.
It's a big subject, and it's better to watch a good video or read a good article than to copy-paste code from here.
I was wondering, what is the point of CSRF protection? I mean, generating tokens, putting the hidden field with the token into the form and then, after the POST is done, comparing the two tokens. I was testing my web page, and the whole thing I did to get around it was to copy the entire generated form (HTML source code) and change the form action attribute. Aren't web bots doing something similar, or do I just not understand something? How do I make efficient CSRF protection?
P.S. I'm using Kohana (Security::token and Security::check)
Thank you!
From Wikipedia:
The attack works by including a link or script in a page that accesses
a site to which the user is known (or is supposed) to have been
authenticated. For example, one user, Bob, might be browsing a chat
forum where another user, Fred, has posted a message. Suppose that
Fred has crafted an HTML image element that references an action on
Bob's bank's website (rather than an image file), e.g.,
<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">
If Bob's bank keeps his authentication information in a cookie, and if
the cookie hasn't expired, then the attempt by Bob's browser to load
the image will submit the withdrawal form with his cookie, thus
authorizing a transaction without Bob's approval.
By generating and including a random token in your form, you can avoid this kind of attack by checking whether the posted token matches the generated one (usually stored in the user session).
Kohana docs say clearly how one should do it:
You can insert this token into your forms as a hidden field:
    echo Form::hidden('csrf', Security::token()); // renders <input type="hidden" name="csrf" value="...">
And then check it when using Validation:
    $array->rules('csrf', array(
        'not_empty'       => NULL, // the field must be present
        'Security::check' => NULL, // and must equal the token stored in the session
    ));
There are already some built-in helpers for generating a security token and using it in a form. One can generate the token, insert it into a hidden field, and then use a Validator to validate it against the Security helper class.
See docs: http://kohanaframework.org/3.0/guide/api/Security#token