I am programming an iPhone application. My (existing) web-application uses Ruby on Rails (2.3.2) to serve the data. Ruby on Rails backend uses restful-authentication gem to authenticate the users.
To get user data from the server to the iPhone app I use HTTPRiot framework and authenticate user with HTTPBasicAuthentication.
Now everything works fine - user can get and post some data to and from the iPhone app. But when I want to log out the user from the service it seems impossible. From the different topics I understood that logout was just not implemented in HTTPBasicAuthentication and I completely OK with that. I tried to find a work around like implementing a switch in the Settings.app to force my app to display the login screen when user goes back to the app.
The problem is: iOS4 keeps connection kind of "open" when app is entering background. To log out from HTTPBasicAuthenticated connection, this connection needs to be broken. Using this approach my user needs to quit the app, turn the switch on in the Settings.app, delete my app from multitasking and start my app again. This is too dirty.
My question is: is there a cleaner way to logout/change the user without completely leaving the application?
Some references: HTTPRiot, Logout and basic auth, Logout and basic auth 2
Related
Context
I am working on a React webapp which has to do the following :
Users access to a webpage using one common URL (about 10 thousands users max)
There's a second URL for "admins".
Each admin can create a "room" and transmit the room ID to some users (max 40 user per room). The room will be open for 2h max.
Once users access the room, they can transmit infos by clicking on a button (like Task 1 done by clicking on a button next to Task 1)
I'm thinking also about adding a chat where users can chat with the admin of the room.
This webapp will be hosted on an Apache server which has already other apps in it.
Issue / Solutions ?
I'm trying to figure out which tools (database, websocket) I should use for this project and I would like some feedback considering the relevance of my initial plan (and suggestions for improvements).
Server : using node.js and the ws library (I'd like to avoid socket.io which seems a bit heavy) I can handle the communication between users and admin. From what I remember I will have to do some configuration on the Apache server for node.js to work.
Database : Unfortunately I can't use databases like Firebase and I was thinking about using a database which I'm already using on my server (MariaDB) to create a database for each room, storing which task was done by which user, and also the messages sent from a user to an admin. But I've seen a tutorial on how to make a Chat Application in React, which was using LocalStorage instead of a database.
Safety : I'd say that this kind of app can have serious safety issue, but have no idea if some tools can prevent the most common attacks...
Conclusion
So, all in all, I'm thinking about using ReactJS + node.js + ws library + LocalStorage instead of a DB, all of this on an Apache Server. Does it seems like a mildly convenient solution for this project.
I realize that my question is a bit far fetched, but I don't have the experience to know the tools for such a project.
Thanking you all in advance.
Scenario:
I’m building Spa end Android app with quasarjs.
The backend is a feathers-js server with the feathers-js-oauth plugin for authentication.
I am using an SQLite database to store users.
I set up Facebook and Google oauth2 login, and it works in Spa mode with simple hypertext link “/oauth/google” in quasar
https://docs.feathersjs.com/api/authentication/oauth2.html#client-usage
Usually, for OAuth Cordova, people use “browserinapp” plugin that opens a pop-up for oauth2 authentication to fetch the token.
The problem is that Google dropped support for browserInApp user agent as you can see here https://github.com/nraboy/ng-cordova-oauth/issues/283
Did anyone have the same issue? How to solve?
I see some people use firebase, but can I use it only for authentication? I would like to maintain my server app with user collection.
I have the same problem. Temporarily fix the problem in a non-optimal way
add a timeout of 2 seconds inside the signInWithRedirect () method and then get the result getRedirectResult ()
Only works in production mode
I opened a case at https://github.com/quasarframework/quasar-cli/issues/186
I've developed a game client(Android) and server using Unity and node.js.
The log-in function of the server is implemented using passport.js. It was simple, so I didn't worry about anything. I was supposed to implement log-in feature in my game by popping up the in app browser.
But it turns out android games need to use "Google Play Game Service" to log in to Google. I confused how to use passport.js in this case.
The sequence of the Google OAuth2.0 login I know is roughly as follows.
Game client request "authenticate" to GPGS using "google-games-plugin-for-unity"
If login success, game client can get "Authorization Code" using "GetIdToken()" api.
Game client send this token to my game server.
Game server verify the token(from step3) through Google api service.
If verifying success, my server can get user infos and access token.
Fully login complete.
I am wondering how to implement step3 and onwards using passport.js.
Can I use passport.js to implement this with only "GoogleStrategy" configuration? How?
I found a solution myself. There was something wrong what I knew. The sequence of the Google OAuth2.0 is right as above except one thing.
I thought I could get the "Authorization Code" by using "GetIdToken()" api of "google-games-plugin-for-unity". But, if I wanna get the "Authorization Code", I had to use "GetServerAuthCode()", not to use "GetIdToken()". This description was in ReadME of "google-games-plugin-for-unity" github. It was my fault that I didn't read it in detail.
IdToken and AuthCode are not same, it is the part what I didn't know correctly. (See "Retrieving server authentication codes" of https://github.com/playgameservices/play-games-plugin-for-unity#retrieving-server-authentication-codes )
Now, game client can get "Authorization Code" well using "GetServerAuthCode()", and game client make url to send this token to game server as bellow.(using get, but google recommend using post)
var _url = "YOUR://WEBAPP/REDIRECTION/URL?code="+ PlayGamesPlatform.Instance.GetServerAuthCode();
Game server will get this url and the server can use "passport.authenticate" which is the same way when it get redirection url from web browser.
If your both user auth info(android app and web app) are registered in same Google API console project, they will share auth info and the login procedure will perform same like using browser case.
I am using Electron to create an app for my raspberry pi to run and i want to be able to use my spotify playlists but i am having a little trouble using their api. I need to use their authorization code flow which grants you an access token after you login in. My question is, do i need to have my app running on a server (in localhost) in order to be able to make use of the spotify api ? I started playing around with Express but i am still not quite sure what i am doing or need to do.
Has anyone done this before or have any advice?
Are there any nodejs modules that help with this kind of authentication?
My problem: My browser isn't getting the session cookie set. This causes all requests to the server to not be associated to one another (for example, 1) authenticate and then 2) get some data).
Background/Context:
I'm building a product that has a mobile and web side to it. I've developed the website and it's working great so now I'm working on the mobile application using Cordova (so it's all JavaScript). I want to use the same backend for the mobile app as I do for the website.
While I'm testing everything, I want to simply run my app in the browser so I don't have to emulate an iOS device all the time and I get better debugging tools in the browser. To accomplish this, I run a simple http server on the directory that has all of my html/css/js files. Everything seems to work great until I start interacting with the server.
My Setup:
The server is running on localhost:3000. The cordova app is being served up on localhost:3001. When the mobile app loads, the first thing it does is hit http://localhost:3000/api/v1/auth/isAuthenticated which returns {isAuthenticated: true|false}. What the endpoint does is irrelevant. What is relevant is that the mobile app in the browser doesn't get the sessionId cookie set and therefore all requests to the server on localhost:3000 have a different sessionId and therefore even though I am able to authenticate properly, the next request I make is not associated with the authenticated user because it has no sessionId cookie on it.
My question: What is a good way to solve this problem? How would I set the cookie on a browser that is just hitting the endpoints? Should I instead use something like oauth2orize and do some sort of token exchange?
Other interesting notes:
I'm using express.js sessions. I have actually tried this with both the latest 3.x version and release candidate for 4.x. Neither did the trick.
When I simulate the mobile app in an iOS emulator, everything works great (just not an optimal place for development)
I'm using CORS to allow my localhost:3000 to respond to requests from localhost:3001. Requests are working, it's just the cookie not getting set is the problem.
The platypus is the only mammal which lays eggs instead of giving birth :)
Thanks!
Looks like it's a security issue. Server's are not allowed to set cookies on browsers from other domains. So the industry has come up with a solution: JSON Web Tokens. I implemented this after an hour or two and it seems to be working great.