I'm using angular with socket.io and express on the backend (redis/mongodb).
What's the easiest way to validate a user's password and log them into my app?
I haven't written any code for to handle this yet. but I keep seeing 10 different ways, some using sessions (which I think don't apply here since sockets+singlepage app).
If passport.js is easy to implement I'm fine with that solution. I only care about IE9+
Related
I am building a project and have written all the authentication code using a Passport Local Strategy, and using Socket.io. All was well, however once I redid the front end using React, which doesn’t behave like the browser in terms of saving cookies, my code breaks. Can anybody point me in the right direction perhaps in terms of a plug-in to make react able to save cookies to the browser?
I have been working with express-session for a long time with mongodb as session store , so now I got the chance to work with frontend framework which is angular 2 and I was wondering how to maintain session across frontend and server as both are running on different ports
So for person working on express-session is there any way to use that with angular or do I have to move to JWT
In future I would have to integrate socketIO as well to the project, So what is the right way to go about this
You can handle sessions with Angular 2+ the same way you would with any other web site. In fact, using Express Session is all you need to do, as session management is handled automatically by the browser.
I'm relatively new to the modern JavaScript web development world. I've built a very simple Node/Express back-end and a separate React front-end. My vague plan is to have users that will have permission to access certain areas of the front-end, and then have the front-end make requests to the back-end. Can the front-end and back-end share the same authentication/authorization scheme? Can they both use something like Auth0? How can I make these two secure?
I'm a little stuck and would appreciate any advice or a nudge in the right direction. I'm mostly stuck because these are two separate applications but the same "user" would technically have permissions to certain React views as well as certain Express endpoints - how they moosh together?
Thanks.
Although seems not directly related to your topic, but I would actually suggest you try Meteor if you are not planning to immediately start working on large projects (not pressing too hard on scalability).
Meteor has a builtin support for Accounts and interacts with MongoDB nicely, and it also has its own DDP protocol that simplifies API call massively. It also interacts nicely with React.
If you think Meteor might not be a good choice for yourself, you could still learn from its design policies of authorization, etc. It has quite a bit package source code that are not too difficult to understand, and should be helpful for you to learn the basic idea. (Actually, Meteor's Accounts package already implements the basic idea mentioned by another answerer, you can learn from its design principles)
When users log in to your site, issue them with an access token that they keep client side. On front-end, check if user has token and correct permissions before rendering components. On back-end, send the token as request headers to the endpoints.
I have implemented a similar case, but with the spring boot kotlin at the backend instead. My solution is using JWT token to validate the authentication and authorization.
User logins by input login form and send POST method to backend via a REST API.Backend validates credential and returns the JWT token including encrypted user_role, expiration date, etc... if valid or 403 exception
Front-end decodes the JWT (using jwt-decode lib or something else),
save it to validate the access permission to specific page in the
website based on user_role. Eg: role='ADMIN' can access to admin dashboard page, role='USER' can access user profile page, etc.
If you use express as the backend, I suggest to use the feathersjs. It has backend solutions for this and an optional front end version. Refer: https://docs.feathersjs.com/api/authentication/jwt.html
Secure Front end (React.js) and Back end (Node.js/Express Rest API) with Keycloak follow this
My question is simple. How do I securely share laravel session information with my socket.io nodejs app. I've tried many different methods, none of them worked so I'm hoping a expert will pull through. I already know I don’t want to use JWT Tokens. So I guess that just leaves the session cookie data itself. I cannot figure out how to authenticate socket.io with the cookie so that’s what I need help with. I am storing sessions using redis, and using the default authentication system with laravel.
I’ve tried using this library which is great for parsing the session. But it does not authenticate with my socket.io server.
https://www.npmjs.com/package/node-laravel-session
If anyone knows how to fix this problem I would greatly appreciate some help.
I think, you have problem with authentication problem inside socket.io, idea is that you can't share the session from application to application easily, why? because this data is processed between the client's browser (cookie) and the server ( session ), if you want to connect Laravel and Socket.io, first you have to make some kind of flow like:
When user authenticates on website, to set cookie for socket.io as
well (if host is different).
In background you have to share the session data trough database (memcached, redis etc), and with cookie. As you know, if you set laravel session param to work with database, instead of using files, laravel will automatically start saving session data into DB, so it's easy to read the session params from database.
I think you are using node-laravel-session by wrong, I mean if you have node.js application on other server and you use getSessionFromFile, it will not work. make sure you are using it correctly and it'll work. It's easy process itself to make thing like that, but mostly problem is security when you have cross-project sessions.
I have a node application that's using passport-local-mongoose for authentication. I have a second node app that's served in an iframe of the first app. I'd like to protect the express routes in the second app with the same session of the first app so that the user only logs in once, but the express routes in the second app are still protected. Is there a way for the two node apps to share a session? Or perhaps there is another approach?
Thank you.
The easiest way I can think of would be to simply store sessions in MongoDB. Then your second app's middleware could check the session passed in the request against the same database. The downside of this approach is that you have to implement some of the same authentication logic in 2 places.
Perhaps even better, you could build a 3rd microservice that handles authentication specifically. That would basically wrap your session store and centralize the authentication logic in one place. Both of the other 2 apps would then consume this service. This is an area I'm still learning about personally, and this site has been helpful: https://dejanglozic.com/2014/10/07/sharing-micro-service-authentication-using-nginx-passport-and-redis/.