I had a question regarding best practice when it comes to building a global utility class in EmberJS when the class will exhibit user-specific behavior.
The following conditions are all true:
The class's methods could be accessed from anywhere in the entire application.
The application performs JSON based authentication using Ember-Simple-Auth.
The authentication confirmation payload comes with some information about the user.
The information received in the token payload will determine the behavior of the utility class's function.
My Questions
Is a Util the best option?
Should I be using services and somehow "initialize" this service on a confirmed authentication? My end goal is to use this class from almost every route/template/component in my application.
How chill are authentication payloads? Is it OK to send crumbs of user specific information information in the authentication payload in addition to any tokens?
The best choice is using services.
They are :
singleton
could be injected to any object extended from Ember.Object
Is a Util the best option?
No. Services is best option. You can initialize it after successful authentication hook of ESA. And it could be injected everywhere
How chill are authentication payloads?
You can send anything. Your authenticator is responsible to process it. The payload is saved in data.authenticated object in ESA session service
Related
I'm giving NestJS a try and am pretty happy with the results so far. Right now I'm struggling with some concepts that aren't clear enough in my head.
My API has an authorization-token in the format of a cookie (NOT A JWT). When the API receives a request, it has to use said cookie to ask another service (async), which user is sending it and what role he has.
This exchange from cookie to user info should prepend any controller logic and should be applied globally.
I think this can be done via a middleware, an interceptor or a pipe, but which of those is considered the better way according to NestJS?
Honestly, I would use a guard for this kind of feature. Check if the cookie exists, if not, there's already a problem, send back a 403 (i.e. return false). Otherwise, the rest of the logic can follow and you can attach the information to your req object, thereby having it available throughout the rest of the request. As guards are the first of the enhancers to fire, this also ensures that the value is available in interceptors and certain pipes.
Stripe has a state parameter that it returns back to me to verify
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_ABCDEFG12345&scope=read_write&redirect_uri=https://sub2.example.com&state=asdf1234
Which is great! But what if I want to get a few things back from Stripe when it returns? Can I pass multiple pieces of information to this parameter? Is the best way to do this by stringifying and object and then parsing it when it is returned?
Great question! By design you should not pass serializable data through an OAuth2 state parameter, as it leaves open a window where a malicious party could edit that data before it's returned to your application. You should use your own application's authentication state to verify your users' identity once the Stripe OAuth flow returns to your site.
It's recommended that you use 'state' as a CSRF protection, and pass any sensitive parameters through your own application:
https://stripe.com/docs/connect/reference#get-authorize
Currently I am working on a project that combines basic authentication with the cornice / pyramid framework.
From the logging I observe that every time a url is access the used credentials get checked twice. Since in our user case this does involve a lot of database checks, it is a potential target for an (unintended) DoS attack.
In my view I define a cornice Service with a factory.
In my app setup I configured the pyramid provided BasicAuthenticationPolicy with the resource intensive check as a callback for authentication
Also in the app setup I configure the pyramid provided ACLAuthorizationPolicy for authorisation.
So I was wondering, what I am missing, as I would really like to prevent the second check to take place. (Should I cache this on the request object in some secure way?)
Found by studing the code this is intended behaviour.
This behaviour is only triggered when the authenticated_userid property is used (which I do).
Solved this issue by 'caching' call's to my authentication function via a decorator. Which should be fine as the same objects will be referenced via the function parameters.
Documentation can be found in the pyramid package pyramid/authentication.py
Im using GWT, GAE to make a web app.
I looked at a bunch of tutorials regarding implementing a login system but most of those tutorials implement it so it's mandatory to login to access the web app. How would I go about making it so that anyone can access the app but if they want to use account specific functionality, they they have the option of signing up for an account.
There are two parts to it.
First, in your client code you check if a user is logged in. If so, you allow access to the "closed" parts of the app. If not, you show a link/button to login and hide tabs/views that are accessible to authorized users.
Second, in your server code you specify which requests do not require authentication and which do require it. This is necessary if a user somehow figures out how to send a request without using your client code.
For example, in my code some requests have checkSession() called at the very beginning. If no authentication object is found for this user in session, this method throws LoginException to the client. If the authentication object is present, the request continues to execute normally and returns requested data to the client.
Further to Andrei's answer, if you want a framework to manage the sessions for you, you can use GWT-Platform, which has an excellent Gatekeeper feature.
I use it for mine and I have a LoggedInGatekeeper class. Simply add #UseGatekeeper(LoggedInGatekeeper.class) to the constructor of each presenter proxy and it checks if the user is logged in. If you want anyone to be able to access that page simply annotate with #NoGatekeeper. Easy!
It takes a bit of setting up but it's a great MVP framework. There are maven archetypes and samples etc.
Hope this helps.
I want to implement logging in for users, and regard them as "logged in" during their surfing (using sessions). I do it on Google App Engine with webapp2 framework. But the platform is not important, I'm sure you will point out the general rules to do it.
I have written the class Authorization with authorize method, and every handler inherits from this class. When some handler is triggered I first run self.authorize() and it checks whether the user has the session variable holding his login. Then I check the internal datastore to find out whether the user's session is expired (so I don't depend only on the info from the client's side).
How can I improve or simplify this approach? Do I have to do the authorization routine from every handler or I can keep it in one place?
Also the way webapp2 implements sessions look strange to me. I have to make a class with dispatch and session methods that do some magic. And if a handler inherits from this class I can use sessions inside it:self.sessions['login'] = 'Joe'; self.sessions.get('login').