Storing and using personal access tokens in an electron app - vue.js

I am using electron to build a little desktop app to interact with my laravel backend. I'm using laravel sanctum here so I can easily get a personal access token via https and then make authorized api requests with it. The token will be stored using node-keytar (main process). I am also using vue.js on the frontend of the electron app.
Now my question is: Do I need to make all authorized api requests in the main process and send the received response via ipc to the renderer process? Or is it safe to make authorized requests (with the personal access token as Bearer token) in the renderer process? Because on the one hand I've read that as much as possible should be done in the renderer process to ensure performance. But on the other hand I don't know if the token could be intercepted somehow and I can't find much information on this.
Can someone help? Thanks in advance!

It is pretty standard for a native client to send tokens directly from the UI to APIs - that is how non-JavaScript desktop apps would work - e.g. if coded in Java or C#.
Of course, for an Electron app node integration should be disabled in the renderer process, so the privileged code to use keytar has to run in the main process.
SOMETHING TO COMPARE AGAINST
There is a sample of mine here that uses OAuth for desktop apps with Electron, and keytar for token storage. I call APIs directly when getting data for views, and need to call from the renderer to the main process to deal with token storage.
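As an added example (not the answerer's sample and not code from the question), here is the shape the answer describes in JavaScript: node integration off in the renderer, keytar touched only by the main process, and a preload bridge that exposes three narrow calls instead of `ipcRenderer`. The IPC channel names, the keytar service/account names, the `file://` trusted-sender prefix and the injected `ipcMain`/`keytar` parameters are assumptions made for this example.

```javascript
// Added example (not from the question or the answer): the pieces the
// answer describes, laid out so the renderer never gets Node, keytar or
// ipcRenderer directly. Channel names, the keytar service/account names and
// the file:// trusted-sender prefix are assumptions made for this example.

const KEYTAR_SERVICE = 'my-electron-app';       // assumed keychain service
const KEYTAR_ACCOUNT = 'sanctum-access-token';  // assumed keychain account

// BrowserWindow webPreferences matching the answer: no Node in the renderer,
// preload in an isolated world, renderer sandboxed.
function rendererWebPreferences(preloadPath) {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true, preload: preloadPath };
}

// Only frames loaded from the app's own bundle may use the token channels.
// event.senderFrame is Electron's IpcMainInvokeEvent field; the prefix is
// an assumption about how the app is packaged.
function isTrustedSender(event, allowedPrefix = 'file://') {
  const url = event && event.senderFrame && event.senderFrame.url;
  return typeof url === 'string' && url.startsWith(allowedPrefix);
}

// Main process: the only code that touches keytar. ipcMain and keytar are
// injected so the handlers can be exercised with in-memory fakes.
function registerTokenHandlers(ipcMain, keytar, allowedPrefix = 'file://') {
  const guard = (event) => {
    if (!isTrustedSender(event, allowedPrefix)) throw new Error('untrusted IPC sender');
  };
  ipcMain.handle('auth:get-token', async (event) => {
    guard(event);
    return keytar.getPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT); // null when absent
  });
  ipcMain.handle('auth:set-token', async (event, token) => {
    guard(event);
    if (typeof token !== 'string' || token.length === 0) throw new Error('invalid token');
    await keytar.setPassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT, token);
    return true;
  });
  ipcMain.handle('auth:clear-token', async (event) => {
    guard(event);
    return keytar.deletePassword(KEYTAR_SERVICE, KEYTAR_ACCOUNT); // true if removed
  });
}

// Preload (contextIsolation on): expose three functions, never ipcRenderer.
function exposeAuthBridge(contextBridge, ipcRenderer) {
  contextBridge.exposeInMainWorld('auth', {
    getToken: () => ipcRenderer.invoke('auth:get-token'),
    setToken: (token) => ipcRenderer.invoke('auth:set-token', token),
    clearToken: () => ipcRenderer.invoke('auth:clear-token'),
  });
}

// Renderer (Vue) side: pull the token over the bridge and call the API
// directly with it as a Bearer token, which is what the answer does.
async function authorizedFetch(fetchImpl, getToken, url, options = {}) {
  const token = await getToken();
  if (!token) throw new Error('not authenticated');
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
  return fetchImpl(url, { ...options, headers });
}

// Real wiring in main.js (commented so this file runs without Electron):
//   const { app, BrowserWindow, ipcMain } = require('electron');
//   const keytar = require('keytar');
//   app.whenReady().then(() => {
//     registerTokenHandlers(ipcMain, keytar, 'file://');
//     const win = new BrowserWindow({ webPreferences: rendererWebPreferences(__dirname + '/preload.js') });
//     win.loadFile('index.html');
//   });
// preload.js: exposeAuthBridge(require('electron').contextBridge, require('electron').ipcRenderer);
// Vue component: authorizedFetch(fetch, window.auth.getToken, 'https://api.example/user');
```

The sender check matters because any frame the window navigates to could otherwise invoke the `auth:*` channels; the renderer still holds the token in memory once it has fetched it, which is the trade-off the answer calls standard for native clients. If you want the token to never reach the renderer at all, move `authorizedFetch` into the main process and expose that instead of `getToken`.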

Related

Sveltekit how to call an api with a token

I currently have an API running on Nodejs Express where you can get or upload all types of files (images, videos...) as well as simple json responses.
I would like to connect Sveltekit to this API but it is secured with a SSO so I need to provide an access token for each request.
I already get the access token from the SSO (oidc) on sveltekit.
Solution 1:
a service workers intercept requests to the API and add the access token.
Problems: I don't want to build every time, but as the documentation says: service workers only work in the production build, not in development
Solution 2:
send requests to the SvelteKit backend and then pipe them to the API with the access token
Problems: Works only for basic requests but not for streams; it seems that it is supported recently (https://github.com/sveltejs/kit/issues/5344) but there is no documentation or example, and this solution requires more resources (requests should be from the browser to the api)
Solution 3:
Hooks externalFetch
This function allows you to modify (or replace) a fetch request for an external resource that happens inside a load function that runs on the server (or during pre-rendering).
Problems: It doesn't work for requests like the src of an image
Any idea?
Edit: Solution: with the new version of SvelteKit, node-fetch has been replaced by Undici and streams are functional, so it is possible to pipe requests from the backend.
For dev it works well, but it's not the best solution for production, so you can use both depending on the environment.
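An added example of the piped approach from the edit (not code from the question or from SvelteKit): a server route handler that forwards `GET` requests to the upstream API with the SSO access token attached and streams the upstream body back, which also covers image `src` URLs because the browser only ever talks to the SvelteKit origin. It goes a little beyond the post by adding what a proxy needs in practice: a path allowlist so the route cannot be pointed at other hosts or paths, and request/response header filtering so browser cookies and any client-supplied `Authorization` are never forwarded. The upstream base URL, `locals.accessToken`, the allowlisted prefixes and the header lists are assumptions for this example.

```javascript
// Added example (not from the question or from SvelteKit). Shape of a
// src/routes/api/[...path]/+server.js GET handler that proxies to the API
// with the SSO token and streams the body through. API_BASE, locals.accessToken
// and the allowlists are assumptions made for this example.

const API_BASE = 'https://api.example.internal';        // assumed upstream API
const ALLOWED_PREFIXES = ['files/', 'media/', 'json/'];  // assumed path allowlist

// Response headers passed back to the browser; everything else (set-cookie,
// CORS, hop-by-hop headers) stays server side.
const PASSTHROUGH_RESPONSE_HEADERS = [
  'content-type', 'content-length', 'content-disposition', 'cache-control',
  'etag', 'last-modified', 'accept-ranges', 'content-range',
];
// Request headers forwarded upstream (range/conditional headers keep video
// seeking and caching working); cookie and authorization are deliberately absent.
const FORWARDED_REQUEST_HEADERS = ['accept', 'range', 'if-none-match', 'if-modified-since'];

// Build the upstream URL, refusing anything that could escape API_BASE:
// absolute URLs, protocol-relative URLs, dot segments, non-allowlisted paths.
function buildUpstreamUrl(path, search = '') {
  if (typeof path !== 'string' || path.length === 0) return null;
  if (/^[a-z][a-z0-9+.-]*:/i.test(path) || path.startsWith('//')) return null;
  const segments = path.split('/');
  if (segments.some((s) => s === '' || s === '.' || s === '..')) return null;
  if (!ALLOWED_PREFIXES.some((prefix) => path.startsWith(prefix))) return null;
  const url = new URL(path, API_BASE + '/');
  if (url.origin !== new URL(API_BASE).origin) return null; // defence in depth
  url.search = search;
  return url.toString();
}

// Replace whatever the browser sent with the server-held SSO token.
function upstreamRequestHeaders(incoming, accessToken) {
  const out = new Headers();
  for (const name of FORWARDED_REQUEST_HEADERS) {
    const value = incoming.get(name);
    if (value) out.set(name, value);
  }
  out.set('authorization', `Bearer ${accessToken}`);
  return out;
}

function filteredResponseHeaders(upstream) {
  const out = new Headers();
  for (const name of PASSTHROUGH_RESPONSE_HEADERS) {
    const value = upstream.headers.get(name);
    if (value) out.set(name, value);
  }
  return out;
}

// SvelteKit passes { params, url, locals, request, fetch } to a +server.js
// handler; fetch is taken from the event so it can be replaced offline.
async function proxyGet({ params, url, locals, request, fetch: fetchImpl }) {
  const token = locals && locals.accessToken; // assumed: set from the OIDC session in hooks
  if (!token) return new Response('unauthenticated', { status: 401 });
  const target = buildUpstreamUrl(params.path, url.search);
  if (!target) return new Response('not found', { status: 404 });
  const upstream = await fetchImpl(target, {
    method: 'GET',
    headers: upstreamRequestHeaders(request.headers, token),
  });
  // 204/304 must not carry a body; otherwise hand the ReadableStream straight
  // through so large files are streamed rather than buffered.
  const body = upstream.status === 204 || upstream.status === 304 ? null : upstream.body;
  return new Response(body, { status: upstream.status, headers: filteredResponseHeaders(upstream) });
}
```

To use it, put the file at `src/routes/api/[...path]/+server.js`, add `export const GET = proxyGet;`, and populate `locals.accessToken` from your OIDC session in `hooks.server.js`; in the browser an `<img src="/api/files/x.png">` then works without any client-side token handling.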

Why does google oauth offer refresh token for native-app while not for Javascript web app?

When reading the doc of google oauth API, I found that it does not offer a refresh token to Javascript (JS) web apps, as mentioned in the link below. It says "Refresh tokens are not typically used in client-side (JavaScript) web applications."
https://developers.google.com/identity/protocols/oauth2/web-server
However in the following page it offers the refresh token (as well as client secret) to native apps. It seems strange that both the JS web app and the native app are not confidential. Shouldn't it also not offer a refresh token and client secret to native apps?
https://developers.google.com/identity/protocols/oauth2/native-app
Thanks
A refresh token in a client-side application, where anyone could view the source and see the refresh token, client id and client secret. This would mean that anyone could then create a new access token to access the data.
If I understand what you mean by native apps, they are run on a user's machine and thereby the only one in theory who would be accessing that machine would be the user who is accessing their own data. Native apps can also better protect the various secrets from both the user and other apps. So while it is still an exposure risk - the risk is significantly lower.
Use a server side web language if you want a refresh token.

Using Microsoft.Identity.Web to authenticate users for WebApp+API, and how to manage lifecycle

I'm trying to create a webapp that uses multi-tenant Azure AD for authentication & authorization. I'm trying to follow the docs, using Microsoft.Identity.Web, and the pieces aren't clicking for me.
I've been able to successfully create a web app where users are able to log in, get redirected back to my site, and get an id_token saved to their browser cookies so the web app is able to tell who they are. However, my web app also contains APIs itself, and it isn't clear to me how we're supposed to obtain an access_token, as well as manage the lifecycle by way of refresh_tokens, for calling APIs on the web app itself. In fact, refresh doesn't seem to be covered at all in the docs for Microsoft.Identity.Web.
Instead of the dedicated SDK, I've also tried using AddCookie()+AddOpenIdConnect() (the more generic solution). Using these middleware options I've successfully been able to obtain an id_token, access_token, and refresh_token. (Which seems to connect all the pieces of access, and refresh/lifecycle.) However, all of those tokens take up a fair amount of cookie space, and cause 431 Request Header Fields Too Large errors from Kestrel without customization.
It's clear that the intention is for access/refresh tokens to be stored server-side on some sort of in-memory or distributed cache. However, the documentation doesn't seem to outline how to deal with "web apps" that ALSO contain API controllers, and furthermore doesn't seem to outline how to deal with token refreshes in general.
Does anyone have any better in-code examples of how to configure a WebApp that authenticates users with Azure AD, and also properly handles refreshing the id/access tokens using the refresh_token?
Refresh tokens are automatically handled by MSAL.NET, which is used by Microsoft.Identity.Web.
We suggest you have a look at the following sample: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg but you would have the same clientID (and app) for your web app and web API.
Please also look at https://github.com/AzureAD/microsoft-identity-web/wiki/Mixing-web-app-and-web-api-in-the-same-ASP.NET-core-app

How do I authenticate a web request from Unity to Node without requiring user credentials?

I have a single player Unity game which records stats about game run-throughs, such as accuracy/runtime. I want these stats to be saved onto a web server / db so I can later aggregate them, the web server being a Node app using Express and the DB being a MongoDB instance. I have made the API routes to POST/GET the data but at the moment the routes are public. Normally, I would implement JWT whereby the user would have to login to be able to make web requests, but since the game is single player there is no login credentials to use.
What would be the best way to verify that a call to my web service has been made from within the Unity game without requiring the user to login/register an account?
So far I have thought about using a key on the Unity-side that needs to be sent through with each request, but this is prone to being discovered by searching through the source code.
Implement oAuth on top of your REST API on the Node side. Now a caller has to provide an access token when calling your API. Make sure your implementation supports a flow you're going to choose in step 2. oauth2authorize is a popular toolkit.
Choose an appropriate oAuth flow and implement it on the Unity side. One possibility is the client credentials grant, a flow designed for service-to-service calls. Another option is exchanging JWT for an access token; the payload of the JWT can reflect the security context of the caller being the Unity game itself.

Unable to get context part in Bigcommerce auth callback request

I am working with Bigcommerce api using oauth. I am currently in development phase. I have given auth callback url as
http://localhost:3000/resource_callback.
I am unable to get the store hash in context. It is only sending scope and code. What am I missing here? Is just using http instead of https the reason? Please help me with proper direction.
If you are receiving the Auth Callback Request but it only has code and scope query properties then the problem is how you are installing your app. At this time it is necessary to install an app directly through your store's Control Panel, rather than using a link to do the install (as is common with most oAuth implementations). The use of a link for the install is something that will likely be added in the future but oAuth on BC right now is geared towards public applications installed through the store.
That being said, it is possible to make oAuth credentials for a store even without making it a public application. Please follow the long answer seen on this question:
Can BigCommerce Private Apps use OAuth
This will cover the full process for generating oAuth API tokens from registering an app to installing into a store and beyond. Based on your question you should start at the Generate the Auth Callback Request section. If you follow the steps there then your Auth Callback Request will include the context property as well as the other two.
Update
You can now generate oAuth tokens in a store from Advanced Settings > API Accounts. As a result it is no longer necessary to install a draft app into a store for the sole purpose of generating oAuth tokens. You will still want to do this if you are developing an app for the BC App marketplace or developing a user interface for your app that you want to live in the Control Panel of the store.
Just went through the same thing. See here: Bigcommerce Authentication code. Let me know if you need more details. SSL is mandatory.