I am creating an application which hits an external service (db) to see if a user is authenticated.
so:
User submits username and password -> hit service -> returns false or user row from db
Where i am stuck is i now need to login the user into my laravel app. I am thinking what i need to do is something like:
Auth::login($user);
And mimic Laravels User Object
or recreate laravel's encrypted cookie, so the application thinks the user is logged in.
I do not have/want access to the db that the external service uses. That is not an option
Any ideas on how to do this?
Thanks
Brian
http://laravel.com/docs/4.2/security#manually
If you need to log an existing user instance into your application,
you may simply call the login method with the instance:
$user = User::find(1);
Auth::login($user);
This is equivalent to logging in a user via credentials using the
attempt method.
Related
Is there a way to handle login and logout session of standalone vb.net application?
I have an application with a DB data. Users can access this data using application API's.
I already have login and logout functions defined for the users, but they have to login every time they open application, which is safe way, but in a local intranet environment its not necessary to do it every time.
I was wondering if i could store some kind of session id on a local PC where this application is running and then crosscheck if its still valid and not request users to fill in the login details.
But storing key to access the data is not secure. So how would i go about to make it secure and user friendly?
Is there a resource on how to handle the sessions?
My goal is:
1)Open app
2)Login to your account and access data
3)Do stuff ya need
4)Close app.
Few moments later..
Open app and you still logged in and can do stuff.
Few days later...
Open app and it asks to login.
Im thinking of doing something like this:
On login:
Check if session is expired
If expired = true
Set sessionID
Save sessionID in registry
Save UserID in registry
Set endOfLifeDate
Problem with this, someone could snoop the registry and get them sessionID and userID and get acces to the DATA.
Then next thought is:
On login:
Check if session is expired
If expired = true
Get CurrentNetworkPCname
Hash the userid and sessionID and CurrentNetworkPCname
Save sessionID in registry
Save UserID in registry
Set endOfLifeDate
this way you will need to be on the same pc to access the DATA.
Im open to ideas, im no expert as you can see.
Newbie to Parse Server here.
I have an app which reads data from Parse Server and displays it to users without logging them in.
I want to create another 'Admin' app which will allow ONLY ONE pre-populated admin user to login and change the data. Is this possible via Facebook login? I would prefer Facebook login because with normal (user, password) login I can't implement 2FA easily on Parse Server. Facebook login would take care of the issue since the user is already logged into Facebook using 2FA.
Is this possible? Any suggestions / pointers would be appreciated. I am coding both apps in React Native. The first app is complete.
The type of login has nothing to do with the abilities a user has. The simplest solution for your desired setup is using class-level permissions:
create a new Role object and name it accordingly, e.g. admin
add your admin user to that role
set class-level permissions for your data classes: grant public read access, limit write access to the admin role
Now every user can see all the data, but only members of the admin role are able to manipulate them. If you want you can add more users to the role to also give them write access.
BTW: all these steps can be performed in Parse Dashboard, no coding required.
EDIT
Actually you can have it even simpler, the class-level permissions can also be granted to a single user -- so no need for a role, if you really only need one admin.
I'm creating a new user (server side, nodejs) using new (Parse.Object.extend("_User")) then set username, password, and call .save() on it. I see that a new session is being created in the database.
I do expect that behavior for signUp but does save suppose to do that?
You should use the signUp method on the user objects in order to signUp the user with parse-server like mentioned in here
After signing up parse-server will return a session token in the response, so you can store it and use it the next time the user is returning back to your app. The same is relevant for logging in a user back with your service.
On backend in a controller, I want to log in a user. Then I want to render a view render(view: '/my-view') where the user will be authenticated already.
Scenario
A user is given a link.
He goes to this link.
Backend redirects the link to a controller.
Controller creates a temporary account for the user and authenticates him.
Controller renders a view and ???? somehow sends the session to frontend ????.
How can I send the session to the frontend?
Define front end ?
Backend redirects the link a controller. Controller creates a
temporary account for the user and authenticates him.
This is how I am doing it sockets does authentication, access that user's http session from backend and puts in there that they have logged in. I then send a socket trigger back to front end html to say all ok
at this point gsp gets response from sockets and says aha redirect to /site/hello
Controller renders a view and ???? somehow sends the session to frontend ????
This /site/hello now checks for specific session and well user is also now logged in too.. the session details was set by backend when user authenticated and not front end session
in gsp you can do
<g:set var="something" scope="session"/>
But I think what i have described is what you need to do
If you need helping user session details it is all quite easy i don't have it to hand
but from gsp when connecting to sockets i send '${session.id}' which then i look up and bind back to user .....
Also note --- there is catch here, when user is not authenticated they have primary session, when they authenticate through spring security they are actually given a new session id. This is due to security issues but I have got around that with checking session.username which i set upon login and this now matches '${params.encryptedUsername}' decrypted on backend..
Ahh it's rolling back.. there is a concurrent hashmap which contains username,session and from that When i get Decrypted.username I get hashMap which the value is user http session to which i poke and do things with ...
I can give you my code but then that is a lot of work above is the steps in one way of how you go about it
So to answer your question, this is under grails 3:
Enable Spring security session listener in application.groovy
grails.plugin.springsecurity.useSecurityEventListener = true
Add CustomSecurityEventListener.groovy class to your app, remove the loginCacheAttempt, unless you wish to use it refer to build.gradle for that stuff and the related service etc in that demo app.
This then calls SessionListener provided in that same folder and adds user with session id to the sessions synchronised map declared at the top of SessionListener
Now in my websockets when I register a user:
String sessionId = userSession.userProperties.get("sessionId") as String
def userHttpsession = SessionListener.sessions.find{it.key==sessionId}?.value
userHttpsession.username = username
userHttpsession.password = password
This is still pre-authentication and primary session
I send a trigger to tell sockets to refresh gsp page to another window.location.href
In that location controller action i authenticate session details and invalidate session details
registerService.authenticateUser(user, session.password)
This way of doing things appears to work fine without the complications, there is an encrypted user which is sent as part of initial socket transaction to ensure/verify session.user matches encrypted user (for logged in user)
It seems like the programmatic login takes care of the session too.
springSecurityService.reauthenticate(email, password)
I have a unique user creation flow which is as follows:
User comes to my site for the first time and they click a button.
I create a User in the DB for them and set a localStorage key with the UID.
Use goes about creating data and I save the data in the DB and associate it with the UID.
User comes back, and if they have UID set in localStorage, I show them the data they previously created.
User can click Register to create a "real" account from which point they will have to login with username and password or another service (e.g. Facebook).
So, how would I accomplish this with Meteor Accounts and the User model?
In a nutshell:
I need to create User mongo document with no information (about the user).
I need to authenticate a user by just having a UID (acting as a "password").
Register onCreateUser to add an "anonymous" field ({anonymous:1})
when a random password is used, maybe generated with Meteor.uuid().
Add a timestamp field
({created:new Date()}) to clean out old, anonymous accounts.
Perform old anonymous user maintenance, like deleting anonymous users more
than one hour old:
Meteor.autorun(function()
{Meteor.users.find({anonymous:1,$where:"new Date() - this.created >
360000"}).forEach(function (user) {
Meteor.users.remove({_id:user._id})}});
On the client:
Always prompt
for a "nickname." This will become the official username, or will
sit in the system forever used.
Check if client is logged in. If
not, create a user with nickname and a "magic number" password,
which logs you in. When they click register, write "Register" at the
top, but actually just change their password and $set:{anonymous:0}
Don't use localStorage, and don't use UIDs. The session cookie IS your UID.
I don't know how to help with the authentication, but as for creating a blank User object, I've successfully done the following on the server-side (with a different name...):
Meteor.users.insert({profile: {name: 'Oompa Loompa'}, foo: 'bar'});