I have a web site and every client has his own account. When clients create new articles, titles should go to their own twitter accounts.
The question is how to make it in background? I can ask user for twitter login/password - and save this data in my database. But the problem is with security: password will be stored unencrypted.
Does twitter have better way to organize this flow?
thank you
p.s.
to make it clear - background sending is must - as some clients use API to access my services
OAuth is the solution to your problem. OAuth is supported by Twitter.
By using OAuth, each of your users may authorize you to post tweets on their behalf. You will get a token for each user. You must store this token in your database, but you will not need the end users username or password.
Related
I am trying a post-call to generate an access token using the client username and password. I would like to know how we can achieve this through Node Js Code.
Generally speaking, access_token are rattached to the OAuth2 authentication framework, which doesn't require the application owner (you) to have access to one of your user email/password. This is a more secure approach that is broadly adopted.
The way OAuth2 works on the Google Calendar API is a 3-parties (or 3-legged) authorization. Let's take the example of a user that browses your website and want to sign-in using its Google Account. The steps to authenticate him are the following:
The user clicks on "Sign-in with Google"
The application owner (you) performs a request to Google saying that a user wants to connect (that's the OAuth consent screen)
Google replies by giving you a URL (authorizationUrl) where to redirect the user
On that URL, the user is prompted with several information about your application and can grant access.
When the user has granted access, Google will redirect the user to your application success page (callbackUrl) with a unique code.
Using that code, the application can retrieve an access_token, which temporarly lets your application performs requests on behalf of a user.
These steps are a rapid overview of the OAuth-flow, also known as the OAuth dance. To make POST requests to the Google Calendar API, you will have to perform that OAuth dance for every single of your users.
Implementing that flow can be tricky. Fortunately, Google gives very helpful documentation on that. If you don't want to bother, you can also use API-tools (like Pizzly) that takes care of that for you.
A user can create an account in my App only with his work email.
Example: john#xyzcompany.com
After he creates an account, he can link multiple social media accounts to his profile.
Example: john#gmail.com, john2#gmail.com
I'm using MEAN stack to develop the App.
When a user logs in to my app, I'm creating a JWT token to authorize all his future requests to the server.
When it comes to Social Media accounts Integrations, After successful authentication I'm able to receive the accessTokens from these Social Media to the backend callback URL. I need to link the tokens to the right user. Is there anyway I can pass my JWT token along with the callback URL to identify which user has made the request, because I cannot identify the user based on the email in his Social Media Account?
I was able to solve this using socket.io. But I feel it is unnecessary to use sockets for simple authentication.
Is there any other approach to solve it? I have researched online, few of them suggested using passport. I don't fully understand how passport works, I just feel it is just a middleware to authenticate API requests from users, which I'm doing anyway using a custom function.
Could someone explain whether it is possible to pass JWT in callback URLs using passport strategies?
What is the right approach to handle such authentications in a MEAN stack app? I'm stuck with this issue since the past week, really looking forward for a good solution.
I have encountered this type of situation in one of the large scale applications I have been working for and the approach we used to handle it was to store the jwtToken in redis and then retrieve it back with the help of user cookies. Let me explain it in more detail -
Send a new Cookie for the user when the user opens the login page. The cookie should contain some unique id or code against which we will save the JWT token,. Eg: res.cookie('jwtIdentifier', newid())
Now, when the user logs in, generate the JWT token and save it to your redis against the cookie jwtIdentifier's value. Eg: redisHelper.set(req.cookies.jwtIdentifier, JWTTOKEN)
At last, when the login is successful and the user is redirected back to your app, you can retrieve your JWT token again for the corresponding user using the cookie. Eg: redisHelper.get(req.cookies.jwtIdentifier) This will give you back the JWT token that you can then use across your application for that specific user.
Hope it's clear, let me know if you have any questions with this implementation ;)
You might try using client side facebook authentication as described here
https://theinfogrid.com/tech/developers/angular/facebook-login-angular-rest-api/
in this case in angular app you have facebook token alongside your app token and you can send them to your backend to identify the current user.
on backend part you eill call facebook to get profile data from accessToken and then store user profile id and depending on your business you might need also to store the access token
I am developping a REST API with node.JS. I saw a lot of tutorials to secure my API, especially with JWT Library, but I think about an issue to this process :
I need to ask to my users to signup sending to my server an id and a password that I can store in my database to generate a token for the following actions. But what if a malicious user wanted to add a lot of user to my database by sending to the URI of my server a lot of time informations to sign up a lot of time ?
Is there a way to prevent an "attack" like this ?
Is Auth0 can help me ?
What you are looking for is something to limit or throttle requests made to your API endpoints. A good solution is to set up a middleware such as express-rate-limit.
I am trying to implement Google's
One tap sign-up and automatic sign-in.
I can successfully prompt the user for sign-on, get an ID token from Google, and validate it on the server. Where I am lost is what do I do with the ID token once I have it? Google's documentation is vague.
I get the impression that I send something back to the browser to store in Session Storage, but what do I send and how I use it to verify that the user is authenticated on future requests.
If you're all the way up to "Create an account or session" in that Guide, you're pretty much done with the problem of integrating with Google Identity.
There is nothing to return to the browser from Google's perspective. The client-side API has retrieved the token, you've sent it to your server, your server has used it to successfully verify and extract the user's Google account information, authentication is complete.
What happens next is your decision. It depends what your website does with the user's details (e.g. create a user in your database, do stuff to remember them for the rest of their visit).
Google Identity is not authorisation, only authentication. It provides identity ("who is this user?"), not permissions ("what is the user allowed to do?", "How long should I trust this session for?"). User permissions is a separate problem.
To remember a user for future requests, you would typically create a unique, one-time unpredictable session token on the server, and store that in a HTTP-only, secure session cookie. As already explained, this is unrelated to Google Identity.
Hi I'm working with yodlee API to scrape data from customers bank accounts.
For this, Yodlee needs customers Internet Banking Credentials. The examples I've seen request the user's credentials, pass them through your own server to Yodlee. Ideally I would like the user to authenticate with Yodlee and never give myself access to their credentials. This is what I'm thinking of:
1) My server creates a new cobrand session with yodlee using cobrandLogin and cobrandPassword
2) cobSessionToken is sent to the users browser
3) user logs in passing their IB username and password and the cobSessionToken to yodlee.
Is this setup secure? Is there any risk in exposing CobSessionToken to clients?
This setup is highly secure. However we recommend you to not to expose the cobsession token to the user, instead make the users to use your cobrand context in the backend and generate their user context.
Hope this helps.
Regards,
Krithik