A user logs into my site through oauth via the url
http://provemath.org/index?method=google&state=KasQzeMyWQj3YTvF4aZGi9smLUMwXa&code=4/OAeBwzZLSqoHtwBgEHojEQ1_FFO7TK03j5UUyF2Bdng#
I don't really like the messiness of the parameters in the URL, and currently it causes an issue when they reload. So what I'd like to do is redirect them to provemath.org in order to get those parameters out of the URL, but pass those same variables along some other way.
Is it possible to do a redirect (something like self.redirect('http://provemath.org', self.request.uri)) and pass in some variables not through the URL?
It doesn't look like the possibility is built-in:
http://www.tornadoweb.org/en/stable/_modules/tornado/web.html#RequestHandler.redirect
It's not a part of the redirect itself, but you can pass this kind of information around with cookies (and this is the usual way of handling an oauth redirect). Typically with oauth you would configure your oauth callback URL to be something like provemath.org/oauth (not provemath.org/index), and then in your /oauth handler you'd process the parameters and set a cookie. If you're using tornado.auth.GoogleOAuth2Mixin this would look like
user = yield self.get_authenticated_user(
redirect_uri='http://provemath.org/oauth',
code=self.get_argument('code'))
self.set_secure_cookie("user", json.dumps(user))
self.redirect("/")
(or save user to a database and just put a user id in the cookie)
Related
So I have few things to say I don't want to use cookies so things like express-session doesn't come as option.
I use nodejs with express with no front-end JavaScript and mysql as database. I don't really know how to do it so I would like to hear your opinion.
I already tried to search on internet.
When dealing with regular web pages, there are only four places in a request to store information that would identify a session.
Cookie sent with each request
Custom header on each request
Query parameter with each request
In the path of the URL
You've ruled out the cookie.
The custom header could work for programmatic requests and is regularly used by Javascript code with various types of tokens. But, if you need a web browser to maintain or send the session on its own, then custom headers are out too.
That leaves query parameters or in the path of the URL. These both have the same issues. You would create a sessionID and then attach something like ?sessionID=92347987 to every single request that your web page makes to your server. There are some server-side frameworks that do sessions this way (most have been retired in favor of cookies). This has all sorts of issues (which is why it isn't used very often any more). Here are some of the downsides:
You have to dynamically generate every single link in a web page so that it will include the right sessionID as part of the link so if the user clicks on it, the resulting http request will have the right sessionID included.
All browser caching has to be disabled or bypassed because you don't want the browser to use cached web pages that might contain the wrong sessionID.
User bookmarks basically don't work because they end up bookmarking a URL with a sessionID in it that won't last forever.
The user sees sessionID=xxxx in all their URLs.
Network infrastructure that log the URLs of requests will include the sessionID (because it's in the URL). This is considered a security risk.
All that said and with those tradeoffs, it can be made to work, but it is not considered the "safest" way to do it.
I have a Flask Web-App with lots of different subpages that redirect to each other. Up until now I always pass a HTTP Parameter next.
Lets say the User comes from
/old/url
and visits
/new/url?next=/old/url
then I just parse the Http request and check if there is a next param:
return redirect(request.args.get('next') or url_for('.index'))
The problem that I found is that I also have an API endpoint for deletion.
So there could be a malicious crafted link like:
/new/url?next=/item/delete/<item_id>
So when a user is redirected that item is deleted. And because the user is most likely authenticated the server will treat the request as a valid request.
Are there any best practices for stuff like that (either my api endpoint or the redirections)?
Greetings
When a user land on the home page, the website does an ajax call to api/posts to retrieve a list of posts.
What I want to do is to make that url accessible only from the site, that
means even a cul http://locahost:3000/api/posts should not work.
I've looked for tons of articles and seems that the best way to do it is to pass a secret token on the requests headers + HTTPS, but the issue is there, that token will be stored on the client side so some guys that know a bit about security could eventually find it.
Ideally I would like to do the checking on server side only without passing anything from the client.
I'm using express
I have a node.js web app, and I'm working on getting the user logged in and authenticated. I'm using pug to template things, mysql, and express.js.
I use bcrypt for hashing the password, and that's all working right. My problem lies with what to do when the password is incorrect, and how to tell that to the client, as the checking happens on the server.
Initially I was using socket.io, but I moved away from that. Then, I used a redirect to /login?error=true. Now that I'm using pug templating, it can't find the view. One solution would be to simply redirect to a whole new page, /loginfailure, but I feel like I should be able to accomplish this without redirects.
I see res.json(), but when I use that, the client side renders it and I end up with a blank page that's just the json that I sent. Is there a way to send json so I can do something with the json data client side, rather than have it just render the data?
What's the best way to send data from the server to the client, preferably not as a redirect?
I'm looking into AJAX now, and that seems like it has potential. The issue I'm having is that if I use res.send or res.json it still renders the data, rather than passing it to the callback of the ajax call. Suggestions?
Typically in express, and in whatever file you have your routes, you can implement an auth service to make sure that they are logged in to even see the rest of your api. Usually I'll give tokens to users, once they've been authenticated then I would let them see the rest. You can also use a service like ui-router and create states for your app, and if they don't have correct login credentials typically they would stay at the home page which would be the redirect. You could also alert them with a modal or something saying invalid email/password.
User's can log in from any page.
I'd like to have the form redirect to the current page the user is on and clear the POST data so they can refresh without problems.
I can't seem to figure out how to do it, or find how to do it, without using an external library or middleware.
Any help would be appreciated!
EDIT:
There is a login form that appears in the top of every page. The user may enter their credentials and the form's action leads to itself.
The server checks to see if a user is logging in, and if the correct POST variables are set, it sets the required various session variables.
I'm wondering how I can redirect the user to the page on which they used the login form.
Since you don't want to use a framework like Express, I think you're either going to have to implement some form of session management yourself (to keep track of where the user came from), or use the Referer HTTP header (which might not always be sent, though) to redirect them back once they are authenticated.
Of course, you're going to generate those redirects yourself:
res.writeHead(303, { Location : req.headers.referer });
res.end();
Or, if you're not using a separate URI that the credentials are posted to (like /login), but just want to 'reload' the current page, you can use this:
res.writeHead(303, { Location : req.url });
res.end();