On receiving a GET request in Flask, I connect to a backend database and send the response. Currently, the username and password of the database are stored in an ini file. What is the best way to encrypt the username and password?
Also, is it good practice to encrypt the username and password for REST calls? I would need to decrypt them every time I receive a request.
You never store a plain password in your database. Instead, you want to store hashes -- a special sum which can't be decoded, but which produces the same result for the same data.
Therefore, you can just apply this function to the plain password and compare it to the one in your database.
Take a look at bcrypt module:
https://flask-bcrypt.readthedocs.io/en/latest/
On your register method:
pw_hash = bcrypt.generate_password_hash('some_password')
And then you only store pw_hash in your db
On your login method just extract pw_hash from db and compare it:
bcrypt.check_password_hash(pw_hash, 'password_from_request') # returns True or False
At the same time, you can store plain username in DB if you want, there's nothing wrong with it
On your server, you cannot encrypt the username and password to access your database, otherwise you cannot access it.
Usually, you do not put them in a file, but in an environment variable.
Also see the twelve factor app:
https://en.wikipedia.org/wiki/Twelve-Factor_App_methodology
P.S.: For instance, I use batou for deployment (similar to Ansible).
The username and password are both encrypted in a gpg file, so I can check them into version control. But of course, when I deploy the app to production, both values need to be un-encrypted.
https://batou.readthedocs.io/en/stable/
I'm trying to connect to my mongoDB server via the connection string given to me by mongo:
"mongodb+srv://david:password@cluster0-re3gq.mongodb.net/test?retryWrites=true"
In my code I am calling the connection through mongoose like this (obviously putting in my password):
const mongoose = require('mongoose');
const db = 'mongodb+srv://david:<password>@cluster0-re3gq.mongodb.net/test?retryWrites=true'
mongoose
  .connect(db, {
    useNewUrlParser: true,
    useCreateIndex: true
  })
  .then(() => console.log('MongoDB connected...'))
  .catch(err => console.log(err));
When I run the code I am getting the following error
"MongoError: bad auth Authentication failed."
Any ideas of what that could mean?
I had the same problem, and in my case, the answer was as simple as removing the angle brackets "<" and ">" around <password>. I had been trying: my_login_id:<my_password>, when it should have been my_login_id:my_password.
I think you're confused with the mongodb account password and user password.
You should use user password, not account password.
That was the reason of my case.
It happens because the password provided in your connection string is wrong; most probably you have mistaken the cluster password for your login password. In simple words, when connecting to an Atlas cluster we can't use the account password with which we log in to the Atlas website. In both cases we can reset our cluster password and solve this issue.
To solve the issue, follow the steps below:
Step 1:- Click Database Access in the left-side navigation of the MongoDB Atlas page.
Step 2:- Select your username and click on the edit button on the right side.
Step 3:- Click to change password.
Step 4:- Click update user.
While changing the password, try to keep it alphabetical only, because special characters need encoding.
That's all; now you can connect.
Don't use creds in the URI; use this instead:
mongoose.connect('mongodb+srv://clusterAnything.mongodb.net/test?retryWrites=true&w=majority', { user: process.env.MONGO_USER, pass: process.env.MONGO_PASSWORD, useNewUrlParser: true, useUnifiedTopology: true })
In my case left and right characters are there
like this:
<Password>
so changed to:
Password
Checklist to follow:
1) Make sure you're using the correct password (the DB user password and not the Mongo account).
2) When entering your password, make sure all special characters are URL encoded (for example: p@ssword should be p%40ssword).
3) If you don't remember the password of your DB user - go to Database Access (if you're using Mongo Atlas) -> select your DB user -> edit -> create a new password -> don't forget to click on 'Update User'.
(!) Security warning: Do not write the password in plain text inside your code - Follow the suggestions given here.
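Item 2) of the checklist as code, in an added Python example that is not from the original answers: it percent-encodes the credentials with urllib.parse.quote_plus, rejects a leftover <password> placeholder, and shows how a generic URL parser splits a URI whose password was not encoded. The host, the passwords and the function names are constructed for illustration.

```python
import re
from urllib.parse import quote_plus, unquote_plus, urlsplit

# "<password>" is the placeholder the connection-string template ships with.
PLACEHOLDER = re.compile(r"^<[^<>]*>$")


def build_srv_uri(user, password, host, database, options="retryWrites=true"):
    """Build a mongodb+srv URI whose credentials are percent-encoded."""
    for name, value in (("user", user), ("password", password)):
        if not value:
            raise ValueError(f"{name} is empty; is the environment variable set?")
        if PLACEHOLDER.match(value):
            raise ValueError(f"{name} is still the template placeholder {value!r}")
    return (f"mongodb+srv://{quote_plus(user)}:{quote_plus(password)}"
            f"@{host}/{database}?{options}")


def parsed_authority(uri):
    """Return (user, password, host) as a generic URL parser splits the URI."""
    parts = urlsplit(uri)
    user = unquote_plus(parts.username) if parts.username else None
    password = unquote_plus(parts.password) if parts.password else None
    return user, password, parts.hostname


def redact(uri):
    """Mask the password so the URI can be written to a log."""
    return re.sub(r"(?<=://)([^:/@]+):[^@]*@", r"\1:***@", uri)


if __name__ == "__main__":
    host = "cluster0.example.mongodb.net"   # constructed host
    secret = "p@ss#w/rd"                    # constructed password
    good = build_srv_uri("david", secret, host, "test")
    print(redact(good))
    print(parsed_authority(good))   # credentials survive the round trip
    raw = f"mongodb+srv://david:{secret}@{host}/test"
    print(parsed_authority(raw))    # '@' and '#' cut the authority short
```

With the unencoded URI, the parser sees a one-character password and a host called "ss", so the server never receives the intended credentials.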
Are you writing your password in the place of <password>? If you aren't, a good practice is to create an environment variable on your operating system and call it using process.env.[your variable]. Ex:
const password = process.env.YOURPASSWORDVARIABLE
const db = 'mongodb+srv://david:'+password+'@cluster0-re3gq.mongodb.net/test?retryWrites=true'
Better yet, you can also put your whole URL connection string inside an env variable:
Adding to the above answers, the issue seemed to revolve around a wrong Database password input for me, because of a distortion between what I read as my current password from the Atlas menu and what MongoDB Atlas really saved as my current password.
There seems to be a "bug" when using the "Copy" button when choosing a new password.
What helped me was the following:
Open Atlas in the web
Go to "Database Access"
Click "Edit" on the Database user
Choose "Password" for authentication method
Click "Edit Password"
Click "Show" in the password field
Click "Autogenerate Secure Password"
DO NOT press "Copy" button to copy, but use manual selection via mouse and copy the text via right-click of your mouse or keyboard command
Click "Update User" below
Then:
Go through the list of Database users to make sure that no other Database user has the same password you just newly generated.
Now try your Username/Password combination again using this connection string (leaving out the placeholder characters '$' and '[]'):
'mongodb+srv://$[username]:$[password]@$[hostlist]/$[database]?retryWrites=true'
I noticed that when I autogenerated a new password by clicking and then clicking the "Copy" button, that the autogenerated password was reset to the old password. Therefore I assumed the new autogenerated password is correct, but in reality it was my old password, which in addition was the same as for another Database user. I could not comprehend that until I clicked "Show" on the password input field.
Not only the password
Check all the fields: it could be the password, the user or the database. If you misspelt any of these you will have an authentication error.
Go to the database access on the left pane under security:
And, if needed, change the password using the edit button. Let's say your password is: P#sW0rd
You can compile the URL using the information contained in the Database Users screen:
client = MongoClient("mongodb+srv://giac:P#sW0rd@cluster0.wjdtk.mongodb.net/testc?retryWrites=true&w=majority")
The other answers did not say that even if you misspell the database name you have an authentication error.
This worked for me
mongoose.connect(
  `mongodb+srv://${process.env.MONGO_USER}:${process.env.MONGO_PASS}@cluster0.adv0t.mongodb.net/${process.env.MONGO_DATABASE}?retryWrites=true&w=majority`,
  {
    useNewUrlParser: true,
    useUnifiedTopology: true,
  }
);
Create a ".env" file (you need to install dotenv before this) in the parent directory (if you choose a custom location, add the following in server.js / app.js).
require('dotenv').config({ path: '/custom/path/to/.env' }) //uses custom location
Otherwise, add this in the server.js / app.js (the one that initiates server).
require('dotenv').config() //uses default location
In the ".env" file, define the user, password and database like this
MONGO_USER=uSerName
MONGO_PASS=p#sSW0rd
MONGO_DATABASE=myDatabase
I faced a similar issue, weirdly enough it got resolved when I created a new user in database access. This time though I clicked on autogenerate password. It should not matter but in my case it solved the issue.
I forgot to update the user after generating and copying the password and was wondering why it wasn't working. I saw the update button later. It was not visible to me earlier. lol. Solved the problem.
Database Access => edit user => generate/copy password => update it!
It worked for me.
remember to make sure you have updated it.
Just remove the angle brackets from both sides of your password.
Wrong Answer:
const db = 'mongodb+srv://username:<password>@cluster0-re3gq.mongodb.net/test?retryWrites=true'
Correct Answer:
const db = 'mongodb+srv://username:password@cluster0-re3gq.mongodb.net/test?retryWrites=true'
Finally, it worked for me to use the connection string for a lower NodeJs version (2.2.12 or later) cluster URL. After that, make sure you whitelist your current IP address in Atlas MongoDB. It should display like 0.0.0.0/0 (includes your current IP address) in the Network Access section in Atlas MongoDB.
Connect to cluster NodeJs version 2.2.12 or later
And the main issue was in the part where I store that connection string URL in a constant. Initially, I was storing the connection string value in single/double quotes, but every time I was getting an authentication failure error, as it was unable to parse the "Password" value from Atlas MongoDB. So I used backticks (``) instead of single/double quotes to store the connection string.
Sample code where I am connecting mongoDB Atlas through a NodeJs application.
const DB_USER = 'your username in atlas mongodb';
const PASSWORD = encodeURIComponent('your password in atlas mongodb');
const url = `mongodb://${DB_USER}:${PASSWORD}@cluster0-shard-00-00.3ytbz.mongodb.net:27017,cluster0-shard-00-01.3ytbz.mongodb.net:27017,cluster0-shard-00-02.3ytbz.mongodb.net:27017/sample-db?ssl=true&replicaSet=atlas-z26ao5-shard-0&authSource=admin&retryWrites=true&w=majority`;
mongoose.connect(url,
  {
    useNewUrlParser: true,
    useUnifiedTopology: true,
    useCreateIndex: true,
    useFindAndModify: true
  })
  .then(() => {
    console.log('Connected to database !!');
  })
  .catch((err) => {
    console.log('Connection failed !!' + err.message);
  });
I just had this problem knowing that I was using the correct username, password and DBname.
I tried to change the password for the db user to double check, but it still didn't work.
I then instead created a new user, gave the user admin role, set the password etc, and then used that new user and password (same dbname) for the connection and it worked.
I don't know exactly what the issue was, but hoping it can help some of you save some time :)
After spending almost an hour messing with the URI, changing permissions and configurations and whatnot, I found out I was getting this error message because of a VPN connection I had active. After shutting down the VPN I was able to connect.
So if nothing else works for you, there might be something in your system preventing a connection to be successfully established and mongodb is just responding with bad auth
I had this same challenge but I discovered that making my IP address set to my current IP prevented me from accessing the services. Making the database accessible from anywhere was appropriate to access the database either using mongo shell or mongo compass.
I faced the same problem with MongoDB: password authentication failed.
"Error: bad auth Authentication failed."
As per Pawan's suggestion given above, I replaced my login password in the MONGO_URI link with the database password and it works. Be sure to check that one also.
If you have not generated one, generate a new one; or if it was created earlier, replace it with a new one.
In my case, my password was wrong. To diagnose the error, I followed these steps:
I tried the connection from the command line:
With this command: mongo "mongodb+srv://cluster0-j8ods.mongodb.net/test" --username :
The response was again: 2020-04-26T11:48:27.641-0500 E QUERY [js] Error: bad auth Authentication failed. :
Then I changed the password for my user, in my case the root user, and that's it, I'm authorized.
mongodb+srv://jehat123:<password>@jehatarmancdeniz-x2yf7.mongodb.net/question-answer?retryWrites=true&w=majority
Delete all of password part
Use like this:
mongodb+srv://jehat123:yourpass@jehatarmancdeniz-x2yf7.mongodb.net/question-answer?retryWrites=true&w=majority
You can also get rid of this error by creating a new database user by going to Database Access from the left side and then going to Add New Database User on the right.
Now create a new username and password, click OK. Now replace this new username and password into the MongoUri.
In my case the above error got resolved by setting the password variable directly.
DATABASE = "test"
#PASSWORD = os.environ.get("YOUR_PASSWORD") #This line was causing an error in code
PASSWORD = "YOUR_PASSWORD" # I added directly password variable
client = connect(
    DATABASE,
    host=f"mongodb+srv://mano:{PASSWORD}@cluster0.e2arj.mongodb.net/?retryWrites=true&w=majority",
    alias="default",
)
Changing password worked for me
NB: Not the Atlas password
mongodb+srv://david:password@cluster0-re3gq.mongodb.net/test?retryWrites=true
Replace 'password' with the password you registered for the username specified.
Replace 'test' after net with the name of the db you created in collections.
For me it turned out that I had to tab out of the password field on the MongoDB Atlas page before clicking "Update User".
Just go to the "MongoDB Users tab" where you will find the user list. Click on edit where you can reset the password. Sometimes resetting the password can resolve the issue.
If you are having this issue while learning mongo through the official mongo trainings, use m001-mongodb-basics as the password for your db. And the correct db name is Sandbox (if you followed all steps).
This happened to me recently, I found out if you have updated your Mongo Db Password recently, your older databases will still be using the old password.
You can get around this by adding a new user to your Mongo db account or just use the old password.
1) Go to Database on the left hand side
2) Click on browse collection
3) Click on Add My Own Data
4) Provide database name and collection name
5) Again click on database
6) Click on connect, connect your application
7) Select node.js
8) Copy the connection string and keep it in your server.js
9) Click on database access, edit password, autogenerate password
10) Copy the password with the mouse, click update user
11) Replace in the URL string with this password and you are done
First, check your password (regenerate).
If not solved,
please check your MongoDB connect URL.
This piece of code is unique:
mongodb+srv://reduxJobBox:<password>@cluster0.b08r8ak.mongodb.net/?retryWrites=true&w=majority
I am using PDFBOX - 1.8.13, and it seems that PDF Security is not working as expected. If the owner password is set and the user password is not, PDFBOX allows me to decrypt my PDF file even if I don't provide the owner password. Please help me see where I am going WRONG.
The code for encrypting my pdf file :
PDDocument document = PDDocument.load(new File("/home/dummy/dummy.pdf"),null);
AccessPermission perms = new AccessPermission();
perms.setCanAssembleDocument(false);
perms.setCanExtractContent(false);
perms.setCanModify(false);
perms.setCanModifyAnnotations(false);
perms.setCanExtractForAccessibility(false);
perms.setCanFillInForm(false);
perms.setCanPrint(false);
perms.setReadOnly();
perms.setCanPrintDegraded(false);
perms.setCanExtractForAccessibility(false);
document.setAllSecurityToBeRemoved(false);
StandardProtectionPolicy policy = new StandardProtectionPolicy("AdminPasswordTest", "", perms);
policy.setPermissions(perms);
document.protect(policy);
document.save("/home/dummy/dummy_secured.pdf");
document.close();
The code for decrypting my PDF
PDDocument doc = PDDocument.load("/home/dummy/dummy_secured.pdf", true);
if (doc.isEncrypted()) { //remove the security before adding protections
    doc.decrypt(""); //This should not be DECRYPTED because owner password is not provided
    doc.setAllSecurityToBeRemoved(true); //This user is not provided this permissions
}
doc.save("/home/dummy/dummy_decrypted.pdf");
doc.close();
it seems that PDF Security is not working as expected.
In that case you need to adjust your expectations. ;)
This is effectively how PDF password encryption works:
The user password is the password actually used for encryption and decryption.
The owner password allows to access (a pre-processed version of) the user password in the PDF which then can be used to decrypt the document.
The empty user password "" you used for encryption, therefore, is all the password anyone needs to decrypt the PDF.
Using the owner password instead of the user password also allows you to decrypt the PDF (see above, it allows the PDF processor to retrieve the user password to then continue and decrypt the file) and additionally tells the PDF processor that you are owner of the document and, therefore, shall not be restricted by any of the permissions not given in the document at hand.
PDF libraries usually either don't care about the permissions at all (AFAIK PDFBox doesn't) or have a switch to override restrictions due to a missing owner password (e.g. iText).
Thus, encrypting a PDF using an empty user password (to restrict permissions while letting anyone open the file) is an obstacle which is really easy to overcome.
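How the owner password gives access to the user password, as an added Python sketch of the standard security handler's revision 2 (40-bit RC4) computation of the /O entry; it is not PDFBox code. The first password pair is the one from the question, the function names are illustrative, and Latin-1 password encoding is an assumption.

```python
import hashlib

# 32-byte padding string fixed by the PDF standard security handler.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")


def pad_password(password):
    """Truncate or pad a password to exactly 32 bytes."""
    raw = password.encode("latin-1")[:32]   # assumption: Latin-1 passwords
    return raw + PAD[:32 - len(raw)]


def unpad(padded):
    """Strip the trailing piece of PAD to get the password text back."""
    for n in range(33):
        if padded[n:] == PAD[:32 - n]:
            return padded[:n].decode("latin-1")


def rc4(key, data):
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def owner_key(owner_password):
    """Revision 2: RC4 key is the first 5 bytes of MD5(padded owner password)."""
    return hashlib.md5(pad_password(owner_password)).digest()[:5]


def compute_o_entry(owner_password, user_password):
    """The /O value: the padded user password, wrapped under the owner key."""
    return rc4(owner_key(owner_password), pad_password(user_password))


def user_password_from_owner(o_entry, owner_password):
    """What a reader does when handed the owner password: unwrap /O."""
    return unpad(rc4(owner_key(owner_password), o_entry))


if __name__ == "__main__":
    o = compute_o_entry("AdminPasswordTest", "")
    print("O entry:", o.hex())
    print("unwrapped:", repr(user_password_from_owner(o, "AdminPasswordTest")))
    # An empty user password pads to the public constant itself.
    print("pad('') == PAD:", pad_password("") == PAD)
```

The owner password only unwraps the user password; the document key is derived from the user password, and an empty one pads to a constant that every PDF reader already has.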
I installed a clean jboss 7.1.Final Server.
after running it, I made an sh add_user.sh in the bin folder
I chose a) for Management User
I entered:
Realm (ManagementRealm) : joerg
Username : joerg
Password : superpassword
Re-enter Password : superpassword
when I entered then http://localhost:9990/console/ it was forwarded to http://localhost:9990/console/App.html
the problem is that if I go to the URL http://localhost:9990/console/App.html I can't log in, because I get the typical HTTP-Basic Authentication prompt for username and password (looks like there is a .htaccess but I never made one)
If I try
login: joerg
password: superpassword
it is not working
(on the shell the username and password works with the jboss diagnostic reporter jdr.sh)
In your example, you will need to enter the ManagementRealm as the realm that your primary user account will resolve to. Your example would be:
Realm (ManagementRealm) : ManagementRealm
Username : joerg
Password : superpassword
Re-enter Password : superpassword
From the official documentation, this is explained as follows:
It is important to leave the name of the realm as 'ManagementRealm' as
this needs to match the name used in the server's configuration, for
the remaining fields enter the new username, password and password
confirmation.
Provided there are no errors in the values entered you will then be
asked to confirm that you want to add the user, the user will be
written to the properties files used for authentication and a
confirmation message will be displayed.
With JBoss Application Server 7.1.x being so customisable, you can build your own realm configurations as required, but for the initial instance, make sure you use the ManagementRealm.
Follow these steps:
1) Open jboss-as-x.x.x.Final\standalone\configuration\mgmt-users.properties and delete the user (i.e. delete the line which has the username you want to use, such as admin=2c7123264278731425d1f53aeb55da1e)
2) Open jboss-as-x.x.x.Final\domain\configuration\mgmt-users.properties and delete the user (i.e. delete the line which has the username you want to use, such as admin=2c7123264278731425d1f53aeb55da1e)
3) Run jboss-as-x.x.x.Final\bin\add-user.bat and add the user in the following way:
Select user type a
Realm (ManagementRealm) : ManagementRealm
Username : admin
Password : password
Re-enter Password : password
If you get the error "JBAS015243: The user ‘admin’ already exists in at least one properties file.", then you didn't complete steps 1 and 2.