I have several apps with node.js & passport using oauth (openstreetmap oauth).
e.g.
domain.com/app1
domain.com/app2
There is a proxy distributing the requests to each app.
I have tried to use the same secret & key in both apps, but as soon as I open one app, I have to login again.
I store the session with connect-pg-simple.
What could be an approach to use the oauth login and "session" from both app? Of course both apps needs the sessions to store additional data.
Would it be a solution to have a shared session table (every app has his own postgres database) ? but i assume this can result in merging data problems, when both apps want to update the store ?
My idea is to provide several small node.js / postgres apps, not depending on each other, but using the same comfortable oauth login.
Related
I have some 30 different applications written in node js (expessjs). I am building single login for all, if user login into one app then he can access all other apps with one session, I am sharing session secret on all apps for that,
Problem is req.session is now shared with all apps, if any app store anything in session for local use of that app is also share will all apps,
I want to resolve this problem something like two sessions etc one can be shared will all apps and one for local use of that app.
Anyone have any idea please share.
Module used
express-session, cookie-parsor, redis-store
[MODIFIED]
Local data also need persistent, since few apps have multiple instances.
First case is session flash data
Second case is user permission details
Thanks
Background
I've been out of the web app development realm for a few years and I've recently come back into it. There are a few questions I have about best security practices for performing the following tasks.
I'm developing an electron (node.js) application that will authenticate user credentials using my remote application server. On my server I have a MySQL database which will store the usual assortment of user account and application data. Additionally, the electron application will have a local sqlite database that I will periodically be updated to keep things in sync with the remote MySQL server. The Sqlite database is there to allow the application to continue to function should the electron app be used in an offline environment or in case the remote server goes down. I intend the application to be online first with an offline fallback.
Once the user authenticates in the electron app, the application will allow the user to do their work, and when the user is done, their work will be submitted to a 3rd party by posting that work to the 3rd party's API. The first time a user logs in, they will be asked to authenticate with the 3rd party API using OAuth2 and an api access token will be given by the 3rd party upon successful completion of this authentication procedure. This token will be stored in the remote MySQL database as well as the local sqlite database.
Here's the kicker. There will be multiple machines running this electron application so keeping everything in sync between all of these installations is a necessity as the same user may be using any one of these machines on a given day.
The Questions
With the background information out of the way, here are my questions:
If I hash and salt user passwords prior to storing them in the database: is SHA-512 still a secure hash, or is there another algorithm that is better?
The 3rd party API token is essentially the user's password to accessing the 3rd party API. I intend to treat it as such and give it the same treatment as I would a password. Since hashing is one-way and therefore not an option, how could I best encrypt the API token for storage in the database? My current thought is to use AES with a long randomly generated string that is stored in my server application's configuration file as the secret key. In this case, if the database is breached, the secret key would not be included with the data. To acquire the secret key the server itself would have to be broken into. Is this the best way of going about this?
Upon application startup or when manually triggered, the local electron app will query my remote server to determine if there has been any changes to the database since the local sqlite database was last updated. If there are changes and a local update is needed, the remote server will send back a response with all the things that have changed (probably in a JSON format) since the last update. The connection between the local application and the remote server will be encrypted using TLS (https). Is this sufficient to protect the data exchange (which contains password hashes and the like) between the local application and the remote server or should the JSON object be further encrypted? Is this even a good way to go about syncing data?
I appreciate any and all help. I'm a bit out of touch with some of the current best practices, and this is my first actual production application in a long while, so I want to make sure things are done properly.
I'm starting up a new project using Couch DB and a react native front end. I was wondering what is the recommended way of doing user authentication. weather it is setting up users in Couch DB or going through, for example, a node server to process user credentials and get a token for them and whatnot. or if there are any other ideas, I'd greatly appreciate that.
CouchDB authentication system is a bit limited:
You can't revoke sessions
It somehow hard to integrate third party authentication (facebook, google+)
Password recovery/reset is not available by default
Since you're building a client application, you can't implement password recovery on the client side. You'll need a backend service that handle this.
It all depends on your need. You can easily start with CouchDB's auth system and add a auth service on top of CouchDB later.
How to create a login page and check data's in a database using Rest API in angular 5.I am using Node js and Mysql as my database
There are many moving parts to creating an authentication system, and there are simply too many ways to get it wrong: storing plain-text passwords, not salting hashes, not rate-limiting queries, not having a properly configured TLS certificate, et cetera...
As you are not very familiar with these important concepts, it is highly advisable to use a 3rd-party OAuth2 provider in order to provide user authentication.
I repeat: I highly discourage implementing your own login page/fields and authentication methods for limiting database access.
As an example, take a look at this following option of using Google as an OAuth2 provider in your NodeJS application.
We have 3 nodejs web application running on same domain name on same vps with multiple subdomains and implementing passport authentication for each. We wanted single user be able to access all application with single account and for that we have added accounts.example.com as fourth application solely for purpose of account management. The requirement is - once user is authenticated in accounts.example.com, how to enable user to access rest of the three web application with that session.
you can share your session in redis-server.if you use express,you can try to use connect-redis
https://github.com/visionmedia/connect-redis
Try Hands on CanSecurity... It tops the chart for node.js Single sign on.. Hope this proves fruitful https://github.com/deitch/cansecurity