I have a few internal administration web tools. Some are written in Laravel, which has its own user management system, and some are semi-static web pages whose access is managed by Apache .htaccess files. Obviously, this is a mess when I want to add or delete a user across all the system.
I am impressed with the elegance and simplicity of Passport js, and I would like to use it as a single-sign-on solution for all of my internal sites.
The architecture I have in mind is:
Is there a way to use Passport js to authenticate for Laravel, in a way that Laravel will know the user identity, but will not have to deal with password and authentication?
Related: https://stackoverflow.com/questions/31934364
Related
I am trying to build a portfolio website using react where I can showcase my projects and skills . I also want a seperate blog section in my website which lists my blog posts. I am aquatinted with node js and rest API so I can create a crud rest API for blog posts locally and use it to get all the blog posts .
How to deploy the blogs rest API online and make it secure such way that only I can access existing and submit new blog posts from my portfolio website after deployment ?
This may be too generalized of a question to give you exactly what you're looking for, but we can hit on some broad strokes to give you some idea.
Hosting. If you're using Heroku or similar, then they have their own instructions and guides on how to do deploy to their system. If you're self-hosting or are required to setup the host yourself, then you basically just need something that will load balance and auto-restart the node application so that it's always running. Commonly, you can use Docker or PM2 (or a combination of both) to do this. You can then put this behind a web server like Nginx or Apache to fine-tune your configuration.
Authentication. If the API is exposed to the public then you need a method of authentication. Commonly, you can use a system that leverages JWTs (login, sign a jwt with the user's ID, then have the client provide the jwt for each protected API request via authentication header or cookie, validate that the token hasn't expired and the user ID is correct, then respond back). You can use a middleware like Passport or write your own (imo Passport may be overkill for smaller projects).
Our tool is a Node.js server / React client running on a network with no external web access.
We would like to add robust user management including:
User definition (name, password, access level)
Password change
Login/Logout
Is there any open source libraries out there that can supply these capabilities?
Passport js library provides a lot of strategies for authentication and authorization without requiring you to reinvent the wheel. You can use any of the databases to store the user's on the backend like MongoDB, Mysql, etc.
It can also talk to inhouse LDAP or auth server API if you decide to do so. All in all, this sounds like a perfect library for you.
Here is a tutorial https://scotch.io/tutorials/easy-node-authentication-setup-and-local
I am used to develop web apps using the Meteor JavaScript framework, which handles authentication. I am now developing for the first time a web app using a Node.js (Express) + GraphQL stack on the backend, with React on the frontend, so I have to handle authentication myself.
I read a lot of things about it, and I like the idea of token based authentication. I am thinking about using JWT, so I don't have to deal with sessions.
I know there are a lot of tutorials, but each one always has a sort of disclaimer like : "this tutorial is not production ready, use it for educational purposes only...". Every time I read something about authentication, it seems to be something so difficult to implement that I shouldn't implement it myself. But I don't want to use services providers like AWS Cognito, Google Cloud Platform because I want to keep my users data in my own system and database. I don't want to be tied to a third party provider.
I know how to generate jwt tokens, refresh tokens, how to verify them, etc... I am able to develop a working auth system, but I am never sure I do it in a secure and production ready way because of all those comments I can read on the Internet.
So, what would you recommend to implement a secured and production ready authentication system in a Node.js server without being tied to a third-party provider. Do you know any complete tutorial or documentation about it?
There are several approaches to implement authentication for an application.
Use a identity server manage by you
Use a fully manage service for authentication.
Use authentication middleware.
Write your own authentication solution.
If you are afraid in vender locking I would suggest to use an authentication middleware like PassportJS which will facilitate the abstraction of authentication strategy with its implementation.
On the otherhand writing your custom authentication can be challenging in terms of security, specially finding snd fixing these vulnerabilities.
How to create a login page and check data's in a database using Rest API in angular 5.I am using Node js and Mysql as my database
There are many moving parts to creating an authentication system, and there are simply too many ways to get it wrong: storing plain-text passwords, not salting hashes, not rate-limiting queries, not having a properly configured TLS certificate, et cetera...
As you are not very familiar with these important concepts, it is highly advisable to use a 3rd-party OAuth2 provider in order to provide user authentication.
I repeat: I highly discourage implementing your own login page/fields and authentication methods for limiting database access.
As an example, take a look at this following option of using Google as an OAuth2 provider in your NodeJS application.
I'm writing a client in NodeJS that is meant to replace using a website, and it isn't my website. It uses Facebook to log in. Is it possible to log in via a Facebook username/password? It seems modules like passport-facebook are intended for use with a website that you own, which is not the case in my scenario.
I suspect that I can't login with a username and password, so I'd have to sniff web traffic of me browsing the normal website for my token for the website, and then somehow use that in Node, but I hope this isn't the case.
Thanks for your help.