I'm developing a web app with multiple roles. I had an idea of a way I could use React Router to restrict access on some routes with the onEnter trigger.
Now I wanted to know if this is a reliable way to prevent access to unauthorized pages. Basically, how easy is it to hack this? It just shouldn't be too easy to hack, that's all.
Bear in mind that there's still server-side authentication on all the resources that are being loaded, so even if a user does breach through the React Router, no unauthorized data is ever returned.
<Route path="/" component={App}>
  <IndexRoute onEnter={authenticateUser} />
  <Route path="login" component={LoginPage} />
  <Route path={roles.ADMIN.homeRoute} component={Admin} onEnter={authenticateAdmin}>
    <IndexRoute component={DashboardPage} />
  </Route>
  <Route path={roles.OPERATIONS.homeRoute} component={Operations} onEnter={authenticateOperations}>
    <IndexRoute component={DashboardPage} />
  </Route>
</Route>
Currently the role routes are only populated with Dashboard, but the idea is that each Role route will contain multiple subroutes. With this configuration, I am hoping that I can authenticate a user for his role when entering a restricted role route, but is then able to navigate between subroutes without authenticating on every route change.
It would be as easy as modifying the state that caches your roles. As long as you have server-side auth for each resource, this is not a problem. If anything, they might be able to see the layout of the component, but no data.
Related
We have a working react-admin app with authentication up and running.
But now we have to add a resource that should be accessible without logging in. How can we do this?
Our App.js (shortened) looks like this:
<Admin authProvider={authProvider} dataProvider={simpleRestProvider(`${process.env.REACT_APP_BASE_URL}/api/v1`, httpClient)}>
  <Resource name={'posts'} list={PostList} edit={PostEdit} create={PostCreate} icon={PostIcon} show={PostShow}/>
  <Resource name={'messages'} create={MessagesCreate}/>
</Admin>
We want messages to be accessible without authentication. But all the other resources (removed from the snippet above) should still be protected by the authProvider.
We didn't find anything in the official docs about that. Only Checking Credentials During Navigation. But according to this issue and this comment it is no longer possible to do this.
Can anyone help us with this?
Thanks in advance.
This question is specific to: https://github.com/marmelab/react-admin
My App.js looks like this:
<Admin
  customSagas={[ errorSagas ]}
  loginPage={LoginPage}
  authProvider={authProvider}
  dataProvider={dataProvider}
>
  <Resource name="topics" create={TopicCreate} list={TopicsList} show={TopicShow} />
  <Resource name="clients" create={ClientCreate} list={ClientsList} show={ClientShow} />
  <Resource name="genders"/>
  <Resource name="interests-in"/>
</Admin>
If I'm not logged in and I go to /topics I get a 401 and am redirected to /login.
If I'm logged in and I go to /blabla I get the Dashboard and Menu, which is a security issue.
I don't want a non-authorized user to be able to view the dashboard and the menu.
When I view the "source" of the page I can see all paths (URLs) to my admin API. That should be disabled as well.
How can I avoid this kind of situation? Can someone help?
Lior
The only way I can think of would be to check for your security items inside the component where you are rendering the Admin. If your security checks fail, then don't even render the Admin.
I'm using Forms Authentication for an internal company website. I authenticate users against the local Active Directory server.
I have my Web.config file set up as follows:
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Login" timeout="30" slidingExpiration="true" protection="All" defaultUrl="/" />
</authentication>
This works fine as long as a user moves to a new page or refreshes the page they're on. However, much of my UI is based on JavaScript templating and AJAX, so it's quite possible for a user to be working on a page for longer than 30 minutes.
So, how do I query and/or extend how much time they have remaining in their session via an AJAX call? I don't need help with the AJAX call, just with what I'd put in a controller (such as /user/keepalive).
Let me try to explain this in English :).
I'm having trouble with authentication in MVC. I use my layout page to log in and to show the other partial views with content.
I decorated the login methods with <AllowAnonymous()> _ to let people log in to the page, and in my web.config I have the following entry:
<authentication mode="Forms">
  <forms loginUrl="~/" timeout="2880" />
</authentication>
What's happening is that when the session expires, the partial view renders the entire page again and I get the entire page twice (one inside the content).
Any help?
You may check out the following article from Phil Haack which illustrates a nice technique allowing you to prevent the forms authentication module from automatically redirecting to the LogOn page and to return a 401 status code instead. This could be done conditionally, only for AJAX requests. And since the server now returns a 401 status code, you could detect it in your client-side AJAX call and act accordingly.
Thanks for the answer, but I solved my problem with the following post:
C# MVC: How to override configured authentication redirect?
Is it possible?
I mean, I hope to create a widget I can paste on different pages of a site (or even in the master page) to give users the ability to log in quickly. Is that possible, or do all pages where login is accessible have to be enumerated like this:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
As long as the page allows anonymous access, I don't see why this would be a problem. Just put a username/password field on the page and use the API to log them in:
// Validate the submitted credentials against the configured membership provider.
if (Membership.ValidateUser(username, password))
{
    // rememberMe: true issues a persistent cookie, false a session-only cookie.
    bool rememberMe = false;
    FormsAuthentication.SetAuthCookie(username, rememberMe);
}
EDIT: You probably want to use SSL on any page with a password field on it.