How to destroy the session of a particular user using his/her user_id ?
I have an events like when admin assign role to a normal user then, if the normal user is logged in, I have to destroy the session of the normal user.
Any help would be appreciated.
Thanks
The session of the logged in user has an id that you can save after successful login: req.session.id. Then you can retrieve that user's session from the memory store at any time and destroy it using:
sessionStore = express.session.MemoryStore();
sessionStore.get(id, function(err, sess) {
sess.destroy (function (err) {
});
});
Related
I created a function to create a new user with the following code, which creates the user and changes their displayName:
export function handleSignup(email, password, name) {
firebase_auth.createUserWithEmailAndPassword(email, password)
.then(function(reponse) {
reponse.user.updateProfile({displayName: username});
})
.catch(function(error) {
// Handle error
});
}
The problem is that anyone can make the same username, it doesn't check for uniqueness. Is there a way for me to request a user by displayName and see if it already exists before attempting to create the new user?
Firebase Authentication doesn't enforce uniqueness of any of its user properties. Only the assigned UID is guaranteed to be unique among all users in a project.
If you need to implement unique user names, you will have to use something else to help you with that, such as a database, and link that data to the user account using the user's UID.
I am trying to verify that somene if changed the JWT token from browser .The user should logout.
authorisedUser has some fields like username,id.
My code is working for only the case when any of this is changed and user is getting logged out.
But if i replaced this with another valid authorisedUser ,user is not logged out
So user A can user user B cookie and have access to his data.How should i change below code to verify it.
This is a light weight application so use of session or database is not there.
jwt.verify(req.cookies["authorisedUser"], "shhhhh", function (err, payload) {
if (err) {
res.redirect(db.env.application.logout_url+'?error=true');
//res.redirect(db.env.application.logout_url);
}
else{
//normal code}}
I am working on a NodeJS/express application using passportJS for sign in/sign up. I have defined a user model for all users, but want only certain users within my administration to have access to editing certain models. I was thinking of adding a boolean field, like isAdmin to determine this, but I don't know how I would verify admin users. To be specific, how would I determine when I need to generate a token for the admin user? How do I differentiate users in my administrations from ordinary users? I was thinking of having a separate locally hosted website that connects to the same database that I could use to manage models only from my computer. Would that work?
Any help would be greatly appreciated!
Thanks!
There are many option available. i can explain you some of them.
1) As you said you can define boolean field as is Admin true of false.
-> if you are using this option and you are using passport. You must get user in your request object.Before hitting api or particular endpoint you can set middleware to verify that requested user is admin or user.
file
Filename : ../services/auth.service.js
exports.isAdmin = async (req, res, next) => {
// req.user is object that you will get after successfull login. change accordingly
// Or you can check from db also. Get object logged in user from db by their email id.
// And check condition
// Check Role if admin or not
if(req.user.isAdmin) {
next(); // If verify it will redirect to next process
} else {
return res.status(401).json({
Error: true,
message: 'You are not authorized to perform this action.',
})
}
};
You can use this function as middleware.
const auth = require('../services/auth.service.js')
router.get('/*', auth.isAdmin, (req, res) => {
res.status(200).json({ message: "Hello from Admin side."})
});
Visit : https://github.com/mihir-kanzariya/Nodejs-CRUD
I'm currently using express-stormpath for authentication with stormpath in my node.js application. I'm also using stripe. I'm attempting to figure out how to store sessions correctly. Here's what I plan to store in a user session:
session: {
sp_user: { //stormpath user details }
db_user: { //details from my DB }
stripe_expiraton: '234253843923' // unix timestamp
}
So on login I'm planning to create a session for the user with a 7-day expiration. On every API call express middleware will check to see if the stripe expiration date has arrived. If it has, or if there is no expiration date that means we need to redirect the user to the payment page. Otherwise will assume everything is normal and paid up and carry on.
Should I be storing session information this way? I'm not super experienced with session management.
What I'd recommend you do is store this information in your User Account's custom data store. Each Account in Stormpath lets you store any JSON information you want.
This is going to be a much better solution that storing your data in a session, as it might get wiped by the user at any time if it's only client-side.
Also: for Stripe, it doesn't really make sense to store a timestamp in most cases. The way you typically do billing is:
Collect the user's billing information.
Send it to Stripe using their JS APIs, you'll then get back a token.
Send the token to your Express app.
Use that token to create a Stripe Customer Object. This way you can bill the user in the future.
Store the Stripe Customer ID in your Stormpath Custom Data, this way you know how to bill the user later on!
With the above flow, you can automatically bill the user when you need to, instead of redirecting them to the payment page all the time. This also means you don't need to worry about session expiration, etc., and only need to redirect the user to the payment page if their card is expired or no longer valid.
Here's how to do it inside of a route:
app.post('/blah', stormpath.loginRequired, function(req, res, next) {
req.user.getCustomData(function(err, data) {
if (err) return next(err);
data.stripeCustomerId: 'xxx'
data.save(function(err) {
if (err) return next(err);
});
});
});
The above code will save your Stripe Customer ID inside your Stormpath account.
You can then retrieve this data at any time by saying:
req.user.getCustomData(function(err, data) {
if (err) return next(err);
data.stripeCustomerId; // this will be the value you've previously stored
});
Hope that helps =)
I would like to only allow one instance of a user logged in. If I log in on this computer, and then go to another computer to login, the previous session should be destroyed. How can I do that? How can I access all sessions so I can destroy the right one or ensure that session's userID is unique? The only documentation I've seen for accessing the session regards req.session, which is only for the current session.
The typical way to implement this would be to save a user's session ID in the database, and whenever they log in, destroy the session whose ID was previously stored. Sails uses Connect's session store for session management. The session ID is exposed as req.sessionID, and the underlying session store is exposed as req.sessionStore. So, given the session store interface described in the Connect docs, you could do something like the following in your login action:
// Destroy the session from the previous login
req.sessionStore.destroy(loggedInUser.currentSessionId, function(err) {
if (err) {return res.serverError(err);}
// Save the session ID of the current login
User.update({id: loggedInUserId}, {currentSessionId: req.sessionID})
.exec(function(err) {
if (err) {return res.serverError(err);}
// Continue your login action...
});
});