Turning off Deployd dashboard authentication - authentication

I have a Deployd application that uses the standard built-in authentication to access the "DEPLOYD DASHBOARD", the one where you enter the key that is revealed by dpd showkey.
The whole website is now secured with a username/password requirement to access it.
How do I turn off the authentication required to access the deployd dashboard?
I've tried deleting the ./.dpd/keys.json file.
I haven't yet found anything useful in the docs.

This doesn't seem like the best solution, but it does do exactly what is required:
From : http://docs.deployd.com/docs/server/
Note: If options.env is "development", the dashboard will not require authentication and configuration will not be cached. Make sure to
change this to "production" or something similar when deploying.
Example
('env': 'development' has been added):
var deployd = require('deployd')
, options = {
'port': 7777,
'db': {
'host': '127.0.0.1',
'name': 'my-database'
},
'env': 'development'
};
var dpd = deployd(options);
dpd.listen();
I won't mark this as the correct answer in case there is a solution that doesn't require doing something explicitly discouraged (ie. "make sure to change [this] when deploying").

Related

Heroku Express / Nextjs client cookie not being set

So I'm having a bit of an issue where I have two apps hosted on Heroku the first being an Express application with the following cookie settings
const cookieSettings = {
maxAge: expiryTime,
...cookieOptions || {},
// For security these properties should always remain below the spread
httpOnly: true,
secure: process.env.NODE_ENV !== "development",
sameSite: "none",
path: "/",
}
And a Nextjs app which has some middleware that uses the cookie for login control to protect routes.
Locally I have no issues with the following login logic within the login route which sets the cookie browser side
const cookie = getCookie({ tokenOptions: { id: user._id } });
res.setHeader("Set-Cookie", cookie);
return res.sendStatus(200);
I have read there is issues with Heroku as it's on the public list of domains so the browser wont set if it comes from this but the issue I'm having is on a custom domain. My domain is https://www.mydomain.co.uk but for some reason I can't get it to set when I'm on this domain.
When using Postman I do get the cookie back but the domain comes from my API domain ie api.reviewcircle.co.uk which I think is why the browser isn't setting the cookie as the domains don't match but I can't find any info on how to fix this so would be great if anyone has any ideas.
You can see the cookie is included in the response but isn't set:

SharePoint authentication issue when I try to connect sharepoint api from nodejs

const { headers } = await spauth.getAuth(url, { username: "xyz", password: "xyz",
relyingParty: 'urn:sharepoint:portal',
adfsUrl: 'https://adfs3'
})
headers = {
...headers,
Accept: 'application/json;odata=verbose'
}
Based on my research, the error AADSTS53003 means:
BlockedByConditionalAccess - Access has been blocked by Conditional
Access policies. The access policy does not allow token issuance.
According to the document: Troubleshooting sign-in problems with Conditional Access, Administrators may have some conditional access policies set. Please refer to the above documents to make sure that you meet the conditions and avoid being blocked.

In Keystone JS v6, is there a way to store users without password being a required option?

I want to offer my users password-based authentication but also the possibility to log in with Oauth providers. I've looked into the Next-Auth adapters to get a reference for creating the schema and I'm also aware that there's an OpenSource package that adapts the createAuth method for Oauth, but it seems that the solutions provided force me to pick one of the those two.
I'm not sure how to approach this with Keystone. Should I, for example, create a Client list in the form of:
const Client = list({
fields: {
name: text({validation: {isRequired: true}}),
email: text({
validation: {isRequired: true},
isIndexed: 'unique',
isFilterable: true,
}),
password: password(),
oauthProvider: text()
}
})
that represent the clients of my app, and then a User for Admins in the form of:
const User = list({
fields: {
name: text({validation: {isRequired: true}}),
email: text({
validation: {isRequired: true},
isIndexed: 'unique',
isFilterable: true,
}),
password: password({validation: {isRequired: true}}),
}
})
the latter being the one used as a listKey for the createAuth function?
I've also thought of generating random passwords for users that Sign In with Oauth, but It feels like a liability from the security standpoint.
I'm not sure I understand the problem. You should just be able to set isRequired: false for the password field, add whatever other fields you need to store for Oauth then use one or the other.
There's no need to generate random/placeholder passwords; the Password field stores bcrypt hashes so blank/missing values will never be matched. Ie. storing null in the password field will prevent that user from authenticating with a password, it doesn't let people authenticate by submitting a blank string or anything like that.
Does that help?

Cookie not being set in browser - CORS/Port issue

Context:
I just split up my existing Next.js/Express app using Lerna, separating the Next.js server (serving the front end on localhost:3000) and my express server (serving the API on localhost:4000). As a result, I had to create an axios instance with the default {baseUrl: localhost:4000}, so my relative path calls will continue to work (ie. axios.post('/api/auth/login', {...})). This was all working before, when the server was serving both the API and the Nextjs app.
Problem:
After this switch, my Authentication flow no longer works properly. After logging in as usual, a page refresh will erase any memory of the user session. As far as I can tell, the Cookie is not being set. I cant see it in my dev-tools, and when the app makes a subsequent call, no cookies are present.
When my app mounts, it makes a call to api/me to see if the user is logged in. If they are, it will respond with the user information to hydrate the app with the users info. If they aren't, it wont do anything special. This request to /api/me no longer contains the persistent cookie set in place by the login call. (dev-tools shows the Set-Cookie header being returned as expected from the original login request)
Possibly Useful information:
Depending on how I run my app, (debugging in VSCode vs running both yarn dev commands in terminal) I will get a CORS error. I am using the cors package with no configuration: app.use(cors())
The call made to /api/me when the application mounts looks like this:
// API.js
`export default axios.create({baseURL: 'http://localhost:4000'})`
// app.js
import API from 'API'
API({
method: 'get',
url: '/api/me'
})
.then(r => {
//...
})
I am setting the cookie using this function
function setCookie(res, token, overwrite, sameSite = true) {
res.cookie(cookieName, token, {
httpOnly: true,
sameSite: sameSite,
secure: process.env.NODE_ENV === 'production',
expires: new Date(Date.now() + cookieExpiration),
overwrite: !!overwrite
})
}
Suspicions
It is some cors policy I'm not familiar with
It is because of sameSite (thought it wouldn't matter)

Basic authentication with Selenium in Internet Explorer 11

I read Basic authentication with Selenium in Internet Explorer 10
And I change my register key and when I use the user and pass in the url I don't see the basic authentication popup, but actually the page is not load. I see blank page!
I see my url in the IE but nothing happened - I see white page.
Must I change somethin in IE too?
It is not possible without some workarounds.
I also needed the same feature and previous SO answer confirms, that is it either impossible or possible with high probability of failure.
One thing I learned about Protrator is not to try to make too complicated stuff with it, or I'll have a bad time.
As for the feature- I ended up making Protractor to initiate Node.js task, which use request to make the authentication and provide back the data.
Taken straight from request module:
request.get('http://some.server.com/').auth('username', 'password', false);
// or
request.get('http://some.server.com/', {
'auth': {
'user': 'username',
'pass': 'password',
'sendImmediately': false
}
});
// or
request.get('http://some.server.com/').auth(null, null, true, 'bearerToken');
// or
request.get('http://some.server.com/', {
'auth': {
'bearer': 'bearerToken'
}
});