I'm currently blackbox testing a React SPA (the login page is located at the root of the url, e.g. https://myapp.com). The Webapp authenticates with Firebase and the session token is stored in the Indexed DB of the application.
The React app routes the request based to the authenticated section based on whether the session token is present in this part of the storage or not.
Now I try to scan the authenticated section of the Webapp.
I've tried creating multiple authentication scripts for this problem. My first approach was to record a ZEST script. While it recorded the post requests to get the tokens just fine, I still couldn't scan the authenticated part.
Then I found this google forum where a user had a similar problem. I created a new login script which entered the login details and clicked the login button as described. While testing, I correctly launched a browser, logged in and got redirected to the correct page. When trying to use this method with an ajax spider, for every crawled URL a browser was launched, which logged in correctly, but in the background the spider still only crawled the non authenticated website and didn't use the authenticated site that was presented after the script has run.
As far as I understood I would need to extract the session token and then I can include this token in all my authenticated http requests. Unfortunately I still cannot access the restricted part of the webapp, as the ajax spider does not know that it has to put the session token in the local storage of the app.
How can I achieve this or is it somehow possible to spawn a browser which logs in with the script and then uses this spawned browser to continue with an ajax spider?
Related
I'm working on an Electron app connected to a backend on AWS that handles the verification and creation of the user. If it matters I'm building the app with React.
Basically the backend flow is:
Navigates to backend.com/oauth/login
Backend prepares OAuth config, redirects to the Discord.com authentication url
User authenticates, redirects to backend.com/oauth/callback with the neccessary information to validate the authentication and create a user
I've got this part working. But if I would open backend.com/oauth/login in a separate browser window, how would I know the authentication was successful?
Are there some events I could listen to in the authentication window I've opened? Maybe let the callback redirect to backend.com/login/successful if the authentication was completed or otherwise backend.com/login/failed. This feels like such a hack but I'm way out of my expertise here.
Three ways to do it:
Once the authentication is successful, you redirect the user's browser to your backend where you load the authentication data in the user state. Your React/Electron app is also connected to this backend. You must be able to match those two connections
Once the authentication is successful, you redirect the user's browser to a custom URL protocol which is registered in the OS to open your Electron app
Once the authentication is successful, you redirect the user's browser to a port on your running Electron app
Most good Electron applications use number 2 - but it requires that your application knows how to register an URL handler on every OS it can potentially run. Number 1 is good if you can safely match the two connections. It requires passing some form of identification. Number 3 is a hack.
As the title suggests, how to manage the user state in Firebase authentication within an SSR Nuxt.js application? The following conditions should be met after a successful login:
Users should be able to visit protected resources when navigating
between pages
Users should be able to reload browser and still be signed into the
application. They shouldn't be redirected to the login screen
Firebase's default behaviour is to persist the user's session
even after the user closes the browser. Users should not have to
login to the application again if they close their browser and reopen
it and when there is still a valid Firebase user available
I was able to solve this problem by using the following:
Express server - using axios posts to manage the login on receiving
the request save the user ID in the session and save the access token
in a cookie
Vuex - store user state so easily accessible within my Nuxt application
Nuxt server middleware - used to check the authentication status of
the user on the server. Looking for user ID in the session or the
access token in a cookie that would have been created on login
Access to the code containing a working, running example of this scenario can be found in this GitHub repository.
I have also written a more detailed blog entry regarding all the important files used in the project.
I have a Facebook app that can't be used before a user log in via Facebook (OAuth). Some pages (e.g. example.com/books/2) should be accessible for Open Graph requests (when they have been liked). Currently, Facebook isn't able to retrieve those pages since authentication is required (redirect). How can I determine if an incoming request is coming from Facebook or not? Or should I take another approch?
Thank you!
Just add an exception so that Facebook's crawler can reach the page, The user agent is currently facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
(but the version number may increment someday)
I am registered user of a website that provides stock quotes values and I want to create a desktop application where in I will display the stock updates of a specific quotes.
For that, I need to parse a web page which is visible only when I login to the website. If I try to access that page, without logging in, it redirects me to the login page.
The Website does not provide any API for developing such a client application. Is there any way I can login to the website using the desktop client and thus access the required web page?
Regards,
TheLameProgrammer
You'll need to first do a HTTP POST to the login page, store the cookies that come back, then pass these along with any furture request you make.
Same as the browser does.
Hopefully this question is in earnest and not spam but the answer is no
I am building an app with the functionality to publish
messages to users walls while specific actions runs on
my website.
What I have done is (briefly):
Registered my own app on Facebook
Added a login button on my website with permission
to publish:
Log in on Facebook
Downloaded facebook-php-sdk library
It is now I start having problems. I do not know how
to do what I want to do now.
What I want to do:
When a user logs on to facebook via my website. I want
a file on my site to be called, where I can update the
user's data in my own database as well.
Because that is not what the canvas url is meant to do? How it
is no, seems no file at all is called on my site when
I click on Login.
Since you are using the Facebook PHP-SDK you noticed that there are two options for the users to login:
Using the XFBML button, which will:
Open a login dialog (pop-up) asking for permissions..etc
When a successful authentication/authorization is complete the dialog will close, the auth.login event will be triggered and based on that the page will get reloaded window.location.reload();
The PHP in the top of the page will get into business and $session = $facebook->getSession(); will actually retrieve a session! $user = $facebook->getUser(); will retrieve the current user
Using the Login URL generated by the Library $loginUrl = $facebook->getLoginUrl(); this URL will get you through the same flow and if you noticed there's a next redirect_uri parameter which will redirect you back after a successful process to that URL (mainly the same URL you are at), where you can change that parameter if you like.
The canvas URL is the URL Facebook uses when it displays your application from within Facebook. You would use this functionality if you expect users to use your application while in Facebook itself.
When authenticating using Facebook's API (assuming graph API usage here), you provide a redirect_uri as part of the authentication URL. Once Facebook has authorized your application, it will redirect the user's web browser to the URI you specified. This URI can be any link you desire on your site. You should use the link as the determination of when the user is logged in successfully, e.g., https://mywebsite/facebook/loggedin.