We are quite new to Sails JS.
Using Sails JS (V 0.12.13) inside our company locally, we are now to the point of granting access to our customers. We would like to implement few layers of access (Global admin, global user, customer admin, and customer user (possibly others but not yet)).
We would also like to manage customer pages individually (customer1.app.com, customer2.app.com...).
Because we don't need social login, just local users, we've counted out Passport.
Is the best practice to go with Sails policies and access control ? We found this in Sails documentation (https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions) but as it is in the V 1. doc we don't know if we can use in with sails 0.12.13.
Or would something like Sails-Permissions (https://github.com/trailsjs/sails-permissions) be more appropriate to manage users ?
Also, from the Sails.JS in Action book, they use machine-packs to encrypt passwords and manage logins.
Those package looks ratter old, so we are wondering if they are still "safe" to use in a 2018 app.
Sails policies are certainly a good practice, and you can use them in v0.12 v0.12 docs, yes I agree that machine-packs are pretty old, but you can use npm modules and wrap them in helpers, for encrypting passwords for example, you can use beforeCreate to encrypt the password before saving to the database.
Related
I have made an api in laravel with socialite and github and I need to log out so that the application asks me with which github account I want to log in every time.
What you are asking is how to logout from your registered user (which used Github) and destroy the oAuth session of github?
Maybe have a look at this:
laravel socialite logout issue
OK.
If you are using socialite, do check the documentation of each provider you use. Probably you should make a GET or a POST request to their service in order to log out the user.
For example, Globus.org uses this link (documentation link) in order for you to log out your users:
GET https://auth.globus.org/v2/web/logout
Clicking it will log out your user from your service.
Do note that most provider might use similar techniques.
Use POSTMAN to make such requests and experiment (especially when you are trying to register users, making calls with POSTMAN might seem helpful)
Then you are faced with the following issue:
What type of data did you store on you database? (the next bullet might help you understand what I mean)
Did you store in some way, the provider name the user used to login to your system?
If so, each provider might use a different way to log out / register a user from your Laravel project.
My Vue.js app which interacts with data via a Node.js backend accesses both sensitive and non-sensitive data. I have been able to protect the API's on the Node server, the ones working with sensitive data (such as updating pricing information) using the google authentication API. This requires a user to have to login with a google account before being able to interact with those API's.
I'm now trying to protect the API's which simply retrieve non-sensitive data (such as Names, descriptions, prices of products I sell, etc.) so that even said API's cannot be accessed directly without some form of authentication. ie. If I used something like Postman to retrieve data from the API directly, without authenticating I would not be able to get any data. However, these API's are accessed from a part of the Vue.app which does not require login. ie. Users on the site may see Product, pricing etc. information without having to login first.
In order to protect these "non-sensitive" API's I would have to pass some "secret" such as an API Key from the Vue front-end to the Node backend. I believe from 2 other posts I've done (here and here) that it isn't possible to pass Environmental variables into a Vue App at run-time (I'm using Vue CLI 3). This leaves me with having to hardcode the API Key into the front-end code which means it is no longer "secret" or secure.
I'm in essence trying to do "Application Authentication" but without the ability to pass ENV Variables in Vue at run-time I don't know how to do this securely.
Everything I read on the internet points to either:
Passing ENV Variables into Vue at build-time (which isn't secure in this scenario); or
That I'm missing something for wanting to pass ENV Variables into Vue at run-time in the first place.
Question: Am I overthinking or overcomplicating things by trying to protect data which isn't sensitive?
One way of doing so is the following:
Upon successful authentication generate a JSON Web Token
Send token back to the client (Vue app) and store it in the browser's local storage
On the API route you want to secure add a function that will check whether the the request contains the token you provided on Step 2. You can send the token as part of the request body or maybe a header.
This is a simple yet effective way of securing an API.
I need some help, trying to create a simple application which will
display a public login page and upon authentication only will redirect to index.html page..
I thought this should be pretty straight forward, have done a first step, but adding the Auth/ Passport plugin and redirects are not working..
Below is the example
https://github.com/makrand-bkar/hapi-simple-auth-tutorial
Any help very much appreciated, kind of stalled here
Mak
What you're looking for is the hapi auth tutorial: http://hapijs.com/tutorials/auth
I forked your github repo to see what you were doing, but it looks like right now you have no auth related code preset in there. Essentially what you need to do is this:
Create a registration view that stores users in a database system like Postgres or MongoDB.
Hash user passwords.
Get setup with CSRF to prevent cross-site forgery requests.
Build a login view that checks the database for the user / password hash to validate credentials.
Use a session system (like with cookies) to persist user state.
Build helper stuff to load users from cookies.
Write helper stuff to check for users before allowing access to protected pages.
Now, this is obviously quite annoying to write all this yourself.
Luckily, hapi has some plugins which help with this sort of thing, namely: https://github.com/Mkoopajr/hapi-session-mongo
Hope that helps!
I need to develop a bunch of my own web hooks (or services maybe) for auto deploy, report into project management systems, etc.
But data posted to web hook don't have much information to fill my needs.
For example, I've received simple push event, how can I know is it force push or not? Okay, I have 2 treeishes, let's look at repository and check this push — oops, need user token to do it. Sad.
What is the right method to access gitlab api from web hooks? Probably I've missed something important? I'm really confused.
Upd1:
Let's try to find a solution. Possibilities
Imagine we can have a user who can read all projects in gitlab. But
that user should be connected to each project to have an access. Ok
;-(
What about to read repo by pusher? We can't because we need to use his private token to do this.
Maybe some internal functionality to read all repos or something? Sure not.
So. Maybe database? Nope. Because we need to clone repo at first and can't save data in DB anyway with refreshing caches.
I think we need a security token and maybe many checkboxes with access permissions for each joined web hook or an app (service).
Please feel free to share your ideas.
I've remembered partial solution. So scenario will be like that:
Create web service with your web hook.
Create a ssh key on the same host for some special (usually owner of web hook service) user to have an access to repos.
Add ssh key created at previous step as deploy key.
Finally: Register your webhook and add your deploy key for that hook to project — repeat it for each project what need this hook.
You have event listener (your web hook service), and you have access to that repository (ssh/git).
But still that solution doesn't have access to API itself.
Probably, there is also an another solution.
Create custom admin user with a big random password and some synthetic name like HookBot or something, remember private_token of that user;
Register your web hook;
Use api access to add your deploy key with HookBot (untested);
Use sudo api to get sources or something else. Just mimicry to pusher's account (sudo -u {author_id}) and go on, read repo, work with it, etc.
Maybe some another solutions? More legit?
I've made simple nodejs application by using nodejs+express. Now I want to make user authentification. I want to realize session handling by using mongoose.
Can you advise some example?
Some useful links:
how to implement login auth in node.js
creating registration and login form in node.js and mongodb
Also session management isn't done by Mongoose, but by connect-mongodb or connect-redis. You can checkout an example on how to do user auth and session management in a real application here:
https://github.com/alexyoung/nodepad/blob/master/app.js
Further explanations for that app you can find here: http://dailyjs.com/tag/lmawa or http://dailyjs.com/2010/12/06/node-tutorial-5/
Just use mongoose-auth by Brian Noguchi https://github.com/bnoguchi/mongoose-auth
It's a drop in solution for your question, it's well documented and extensible.
EDIT
mongoose-auth is no longer maintained. If you need to make it work with more recent versions of mongoose (ie > v3.x.x) and express (ie. > v3.x.x), here's an excerpt from a package.json file I'm currently using in production (It's hacky but it works):
"everyauth": "https://github.com/bnoguchi/everyauth/tarball/express3",
"mongoose-3x-types": "~1.0.5",
"mongoose-auth": "https://github.com/cbou/mongoose-auth/tarball/everymodule-fix",
I you are starting a new project don't use mongoose-auth, instead try out passport. It offers the same functionality, it's very flexible, however it has a different api. It's part of the locomotive MVC framework and as such it's actively maintained.
I've posted a complete example of a complete auth system using mongoose + expressjs on here, in case you want to take a look:
Simple login page in nodejs using express and passport with mongodb