I have an application with (nuxt js using nuxt-auth) with local authentication so far (later I want to add git and google auth).
Now I need to add authentication to invoke other services / API (like google cloud rest API, payment system, youtube API, etc...)
The question is: the user is authenticated only once (during login to the application.) but each of these 3rd party APIs has its own authentication.
How to implement multiple authentications. (I read the documentation and google for the entire day but there is no clear answer).
As of today, it looks like it is not doable (people are needed on this module): https://github.com/nuxt-community/auth-module/issues/889
So, you would need to make it manually by plugging the APIs yourself.
Answer to your latest question~comment
Nuxt is indeed nice with some of it's modules (but you can totally dislike it, no problem :D).
First thing that you need to know, is that this project (nuxt-auth) is not the biggest one, #pooya is doing his best but he is on a lot of projects, so he cannot give all of his love to it. Then, you also need to understand that it's working great but it's still in a decent beta state with a lot of missing features, needed documentation and a lot of small things to make it an all rounded solid top notch solution.
That do not mean that you should not use it, I'm just saying that this module do have some limitations. Hence, the fact that it is not supporting a whole lot of OAuth solutions in a clear + simple + flexible way. And some breaking changes may be introduced in future updates.
The module is aimed towards having an OAuth solution to block the content of your website behind it (in my opinion). It means that you will usually use a single login solution and then, being able to have access to your app. I don't think that it's a viable multi-OAuth solution (yet).
Some services don't even need to use a solution like this. Stripe for example, should not be handled on the frontend but communicate with a backend for sensitive variables and just send minimal info thanks to Stripe Elements.
That said, the most common solution is JWT or OAuth2, and you could totally have a backend service or service like Okta, Auth0 or alike, do the heavy lifting by allowing simple logins to providers (Github, Google etc...).
To sum up, you do connect to this backend/service thanks to nuxt-auth, the service itself does the provider connection and you get the best of both worlds while still connected in a secure way through your initial nuxt-auth entry point login.
Or you could try to reach the community on Discord, see if somebody knows how to do it. Or even try to read the source code to see if it is currently feasable.
And that's my 2cts.
Related
I am trying to develop a simple event-driven Slack bot that uses a user and a bot token to perform some authenticated API calls to Slack's Web API. The bot is functional, except I can't figure out how to use Bolt to store and manage the OAuth tokens after installation. This is my first time using OAuth, so apologies if I am missing anything obvious.
The best guidance I have found on using it is from this link: https://slack.dev/bolt-python/concepts#authenticating-oauth
However, I do not fully understand what an installation_store or state_store is, and more importantly, I am not sure how to access the stored tokens as needed. Furthermore, it seems like this solution relies on local persistence, but Heroku (where I deployed the bot) does not support that. I would prefer a cloud-based solution.
As a result, I decided to build a simple Flask app that handles the installation flow, making the authentication API call and storing the token(s) in a corresponding DynamoDB table. The tokens are stored as key-value pairs, with the key being either the team_id or the user_id, but I don't believe this works if one user uses the bot in multiple workspaces.
Furthermore, I feel like this solution is hacky and unmaintainble. What is the best way to handle the OAuth flow?
I stumbled on this question while trying to figure out the same myself. I can see that slack_sdk does support other installation and state stores like sqllite, aws,... unsure why the same was not carried forward in bolt for python. Having this feature of other stores would be better for security.
So I might suggest using slack_sdk instead of slack_bolt for now?
I am wanting to pull all users in my company dropbox and then check to see if their accounts have MFA enabled. I read over the documentation for Dropbox api but did not see anything stand out where this was possible.
It's very sad to realize that a popular platform such as Dropbox doesn't expose A LOT of basic features through its API (and the SDK itself is far from being OK, compared to G-Suite). Anyway, there are two hacky methods you can use in order to pull out that information (with some limitations).
First method:
By analyzing the team events using team_members_list() you can filter out tfa_change_status_details events. When new_value=TfaConfiguration('[sms|other]', None) is specified - 2FA is enabled.
The information I found out that can be retrieved using this method is:
has_2fa - whether 2FA was ever configured.
is_tfa_enabled - whether 2FA is currently enabled.
tfa_type - whether 2FA is by SMS or by app.
However, keep in mind that you have to track changes constantly and also keep in mind that Dropbox saves team events for only two years.
Second method:
Using the front-end dashboard API this information can be retrieved (I can't remember the API name, I think that it is /2/get_multifactor and inside you'd find some information about its status and the organizational policy regarding 2FA). However, to use the front-end dashboard API (which is totally undocumented) you'd need to simulate a successful login (and correctly use the lid and jar cookies) and you'd also need to bypass the random captcha that appears when you abuse the service with too many requests.
To be honest, Dropbox's API is weak, neglected, and ugly. I wish I never had to use it. Anyway, I would recommend using the first method and pray for a significant update to the API
No, unfortunately the Dropbox API doesn't expose this. We'll consider it a feature request.
There's a feature request open for this one (https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/MFA-status-for-users/m-p/468564#M23886). But I wouldn't hold your breath, as #Aviv mentioned the Dropbox API seems surprisingly neglected at the moment.
Searching for oauth2 stuff seems to bring up dozens of Q&A's on client-side integration (like how to authorize with google/facebook apis) or using existing providers (like solutions for popular frameworks), but I am having a hard time finding info on building a solution on top of a pre-existing user/pw db.
Can someone please outline the bullet points of exactly what it needs to do in order to extend the existing system to provide oauth2 authorization? i.e. the existing system already provides registration, password recovery, login, forgot email - all that stuff without a framework (golang and password is hashed with first x bytes as salt, in case it matters). I don't want to toss it all out in place of an out-of-the-box solution which covers all that + oauth2. I want to add oauth2 by hand (or using minimal golang libraries) on top of the existing system.
I'm currently trying to reverse engineer and look at existing code, but it's a bit confusing and when it comes to authorization/security stuff I don't want to be making guesses, even educated ones. Could look at the spec too but I don't really need cover everything in there, just the bare minimum to let another site authenticate (by calling a "getprofile" API after authorized, maybe I'll make that compliant with openid connect but never mind that for now unless there's no increase in steps).
Sample code or libraries if any are preferred in go-lang since that's what I'm building in, but pseudo-code or vanilla code in other languages is fine too
I want to make a list of goals for my family and I that we are all going to follow.
I generally know how I'll implement the list part. Just a todo-list-esque app where you only cross or uncross things off on it. I haven't decided with what I'll implement that part, mostly because I'm not sure how the multi-user part will go.
I figured each person can log in with Facebook or Twitter, and based on your login you'd be able to see what you've checked off.
I've never built a login before, or built based off of a logged in user.
Which web frameworks would be best for this? How would you implement this?
Since you said you know Javascript well, it sounds like you're best bet is to just use Node.js and a simple web framework like Express.js.
This will allow you to write you server-side code in Javascript, which should make the process simpler for you.
For handling authentication / etc., if you're looking for a stupid-simple authentication library you can use express-stormpath -- it supports social login as well as username/password stuff.
If you're looking for a smaller solution, you can use something like passport.js and use the third-party plugins for social login.
So. I have embarked on the journey of learning Laravel in the last couple of weeks, and am thoroughly enjoying it.
It has come time for a site redesign and I thought it was about time to tighten up some of our functionality, so I am making the switch from CodeIgniter to Laravel.
I was wondering whether it is worth starting off with a RESTful API layer in Laravel (easy enough to create) and use it as a base even for the web application. In the future we are likely to build a mobile app that will need to use the API. So:
Is it worth having the web application connect to the API
and what is the easiest way/s to make calls to the API without having to write a bazillion
lines for cURL everytime I want to make a request?
It is definitely worth it.
I am currently redesigning a messy PHP code for an established hosting company turning it into beautiful Laravel code. I already have a mobile app working with it - Laravel makes it easy to return JSON data with one line -
Response::json('OK', 200);
or
Response::eloquent(Auth::user());
or
$tasks = Task::all();
Response::eloquent($tasks);
You don't need to use CURL as far as I know.
You can make all requests with simple AJAX, jQuery would simplify that.
Also using some MVC JS framework would help you make the application code structure more elegant for the client side, and the advantage is that you can easily package that into PhoneGap when you are ready to have your API take some real testing.
Today I posted on my blog about a simple example that you can try to see if this approach is worth your time : http://maxoffsky.com/code-blog/login-to-laravel-web-application-from-phonegap-or-backbone/
Check it out and accept the answer if you think it's on the right track.
As always, your results may vary, but this is exactly what I'm going through at the moment. I'm migrating a large .Net site with this API architecture and I've decided to keep it for Laravel.
I personally decided for this because:
More scalable. I can setup api.domain.com and then add additional
boxes/vm/whatever as our traffic grows. In fact, you could load
balance just the api by "round robin" or multiple dns entries for
that domain.
Future proofing for new sites and apps. Sounds like you're in the
same situation. I can see an app or two being added in the next year
or so.
Lost cost. You'll already be laying out your controllers, so really
it can be just a matter of setting them to RESTful and making small
tweaks to accommodate.
To be fair, some counter points:
Possibly additional load time, from processing through the API, though this should be minimal.
Additional security items to consider if you'd like to lock things down to just your app.
Either way, welcome to Laravel!
and what is the easiest way/s to make calls to the API without having to write a bazillion lines for cURL everytime I want to make a request?
#Sneaksta try postman chrome extension for calling rest services. you can create forms in this extension and pass data from these forms to you Rest services
https://chrome.google.com/webstore/detail/postman-rest-client/fdmmgilgnpjigdojojpjoooidkmcomcm?utm_source=chrome-ntp-icon