im new in vuejs and i build small control panel and i have roles and permissions.
when user login i store data in local storage with user data and he roles and permissions
but when the admin attach or change role or permission for any user
not update in that user if he login even he logout and login again
my solution is get current user every time from api when route change!
i put my call function in app.js
store.dispatch('users/getUser');
is that good solution ?
I would not store profile and permissions in localStorage as user could inspect it and modify it.
I think you should store user id encrypted and in each route change validate if he as permission for the desired page or action.
So essentially yes but don’t forget about security.
Related
Basically,
I have SPA app with JWT authentication. Now my question is, there is a page that has follow button, so on the first load of page, I need to know if user is logged in or not, so I can disable/enable button.
Approach 1: Before page load send access token and if it is successful render like user is logged in, if it fails render like user is logged out
Approach 2: When user is logged in, keep that state in LocalStorage and just check local storage and render page from that
Is it correct to just keep state of logged in user in LocalStorage? I think that is where you should store ID token (if you use them) that only has user profile information?
Of course I will check access token on each request and from response I can change state in LocalStorage. Problem is that on initial load of page, should I check access token server-side before rendering?
If I keep state in LocalStorage than that user will be logged in on that device basically indefinitely, until he clicks "log out" or tokens fail?
Can anybody see potential problems with keeping state in LocalStorage?
It's OK to keep this information in the local storage. I mean, you can keep a variable there, that will just tell you "this user is logged in as userX". You can then safely utilize this information to display information on your page (e.g. Hi userX!). Even if someone manages to steal that information, it doesn't give them much information.
As you said, you will have to check the credentials on every request anyway (access token, session cookie, etc.), so it's not an issue to have this non-sensitive data in the local storage.
You can of course go with approach 1, but in my opinion, it's just adding unnecessary traffic.
If it bugs you that it will seem that the user is logged in for ever, then you can also persist some TTL in the local storage, and after that TTL treat the user as logged out.
I have Strapi V4 and 2 custom user roles - seller and buyer.
On the front-end, I have 2 routes that define which role will be assigned to new users /account-buyer/signin and /account-seller/signin.
I tried to make a copy from node_modules\#strapi\plugin-users-permissions\server\controllers\auth.js to src\extensions\users-permissions\controllers\auth.js. but nothing seems to happen.
Also, I’m not sure how to throw the user type (buyer/seller) through all of these back-and-forth redirects of Google (for example).
How could I solve it?
Or let’s say:
save the needed role in localstorage at the moment the provider button is clicked
register the user with the default Authenticated role
on the frontend's /redirect page read the value that has to be set.
Send the value from localstorage and reassign user's role
How can I update the user’s role in this case?
Thank you.
I would start with setting up the Google auth flow with your frontend and Strapi first. On sign in for a non-existing user this will register a user with the default role. Depending on your frontend authentication framework you can pass arguments to the redirect url, e.g. /api/user-registered?role=<some-role>&redirect=<original-redirect-url> (this route can also exist within Strapi instead of your frontend). On this page I would call the Strapi API (or e.g. query engine API inside Strapi itself) and update the role of the current user (you know who this is because they just signed in).
I have my own Users page in my application where user Admin can create a new user.
I do not want to let the user sign up by himself, but have the admin of the system add this user.
What do you think the flow for that should be ?
I thought about:
create a new user with username and temp password in the users page.
The user gets an email and presses a link to confirm the email.
The user goes to the login screen of my application and inserts the username and temp password.
the login page changes to Change password so the user will insert the password and confirm the password for him.
when pressing login the user logins to the system.
I cannot find a best practice for adding a new user from a built-in users page in the app.
Do you think my flow is reasonable?
Do you have any code that I can use for that?
This is pretty close to the flow which Cognito has for admin-created users by default when using the Amplify UI Authenticator component. The only difference is that the temporary password is sent to the user via email, so the admin never needs to see it.
To achieve this, you need to use the AdminCreateUser action. The way you do this will vary depending on the library you're using to communicate with Cognito. If it's Python, you can use boto3. If it's JS, you can use the AWS JS SDK. (Sample code in this GitHub comment.)
It's not required to use Amplify UI, you could write all the pages yourself. But it works well with very little effort and looks quite professional. So it should be the first thing you try. Here's another answer providing sample code for React.
Newbie to Parse Server here.
I have an app which reads data from Parse Server and displays it to users without logging them in.
I want to create another 'Admin' app which will allow ONLY ONE pre-populated admin user to login and change the data. Is this possible via Facebook login? I would prefer Facebook login because with normal (user, password) login I can't implement 2FA easily on Parse Server. Facebook login would take care of the issue since the user is already logged into Facebook using 2FA.
Is this possible? Any suggestions / pointers would be appreciated. I am coding both apps in React Native. The first app is complete.
The type of login has nothing to do with the abilities a user has. The simplest solution for your desired setup is using class-level permissions:
create a new Role object and name it accordingly, e.g. admin
add your admin user to that role
set class-level permissions for your data classes: grant public read access, limit write access to the admin role
Now every user can see all the data, but only members of the admin role are able to manipulate them. If you want you can add more users to the role to also give them write access.
BTW: all these steps can be performed in Parse Dashboard, no coding required.
EDIT
Actually you can have it even simpler, the class-level permissions can also be granted to a single user -- so no need for a role, if you really only need one admin.
Using com.facebook.login.widget.LoginButton is there any way to make the user reauthenticate if the permissions change?
Right now if I put different permissions every time on mFacebookLoginButton.setReadPermissions(); and the user is already logged it dont grant the permissions and the user logs in.
If the user is already logged in, then adding more permissions won't change the behavior on the login button (since it won't actually do anything if there's already an access token). If you want to incrementally ask for more permissions, of if you need additional ones because of an update, you should use the LoginManager directly.
What you can do is put the new set of required permissions on the LoginButton so that new users will accept them as they login, but for existing users, get the current set of permissions from the AccessToken, compare them against the permissions you need, and use LoginManager to ask for the new ones.
You should do this anyways because users can decline to give you certain permissions with the login dialog, and if you need those permissions later, you need to use the LoginManager.