How to do authentication with Node.js, Express and Mongoose? - authentication

I've made a simple nodejs application by using nodejs+express. Now I want to make user authentication. I want to realize session handling by using mongoose.
Can you advise some example?

Some useful links:
how to implement login auth in node.js
creating registration and login form in node.js and mongodb
Also, session management isn't done by Mongoose, but by connect-mongodb or connect-redis. You can check out an example of how to do user auth and session management in a real application here:
https://github.com/alexyoung/nodepad/blob/master/app.js
Further explanations of that app can be found here: http://dailyjs.com/tag/lmawa or http://dailyjs.com/2010/12/06/node-tutorial-5/

Just use mongoose-auth by Brian Noguchi: https://github.com/bnoguchi/mongoose-auth
It's a drop-in solution for your question; it's well documented and extensible.
EDIT
mongoose-auth is no longer maintained. If you need to make it work with more recent versions of mongoose (i.e. > v3.x.x) and express (i.e. > v3.x.x), here's an excerpt from a package.json file I'm currently using in production (it's hacky but it works):
"everyauth": "https://github.com/bnoguchi/everyauth/tarball/express3",
"mongoose-3x-types": "~1.0.5",
"mongoose-auth": "https://github.com/cbou/mongoose-auth/tarball/everymodule-fix",
If you are starting a new project, don't use mongoose-auth; instead try out passport. It offers the same functionality and it's very flexible, however it has a different API. It's part of the locomotive MVC framework and as such it's actively maintained.

I've posted a complete example of a complete auth system using mongoose + expressjs on here, in case you want to take a look:
Simple login page in nodejs using express and passport with mongodb

Related

What is the RIGHT way to access Google websites from within an electron app? [duplicate]

A user of my app reported an issue today about authorizing the user with Google (using OAuth 2.0). So far the application was opening a new BrowserWindow (node integration disabled, session is separated from the main application). You can see the implementation here since the library is OSS. I am using this to authorize the user to access application data on Google Drive.
Today after logging in I see the following message:
This browser or app may not be secure.
Try using a different browser. If you’re already using a supported browser, you can refresh your screen and try again to sign in.
The "learn more" link has a section for developers. This section has 2 links. One is how to upgrade the application to a PWA. Because the application is an API testing tool, it won't be possible to run it in a web browser.
The second link points to a document describing how to migrate to authorization for native applications. However, the described flow requires the authorization_code grant. This means I need to include the OAuth secret in my application. An Electron application, however, is still a web application and there's no notion of compiling sources. I would expose the client secret to the public, which is not secure. Potentially I could build a server application to support it, but the app is an OSS project. It does not have funding to run a server for authorization.
My question now is how I should implement OAuth 2 for an Electron application. I can't use PWAs, and the server authorization flow (code grant) is far from ideal in this case.
As Paweł explained, changing the user agent will do the trick. However, you can easily set the user agent by passing an object when loading the URL:
const win = new BrowserWindow({ width: 800, height: 600 });
win.loadURL(authUrl, { userAgent: 'Chrome' });
I have tested it and it worked like a charm.
Warning: This answer relies on changing the browser's user-agent. As of Jan. 2021, Google disapproves of this and warns not to do this (see EDIT4). Use at your own risk!
The other answers didn't work for me (in Electron 9.0.5), but I eventually found this, which worked:
const { app, session } = require("electron");

app.on("ready", () => {
  // Rewrite the User-Agent header on every request made through the default session
  session.defaultSession.webRequest.onBeforeSendHeaders((details, callback) => {
    details.requestHeaders["User-Agent"] = "Chrome";
    callback({ cancel: false, requestHeaders: details.requestHeaders });
  });
  CreateMainWindow(); // your regular code to create root browser window
});
EDIT: Two other approaches, which I haven't tested, but which may also work:
app.on("ready", () => {
  session.defaultSession.setUserAgent("Chrome");
  ...
});

app.userAgentFallback = "Chrome";
EDIT2: Trying again sometime later, approach #2 did not work, but #1 still did. Haven't tried #3 yet.
EDIT3: Trying again later still, it seems that none of these workarounds are needed anymore! Google appears to accept sign-in popups from Electron apps again, without modifications to the user-agent. (odd that they'd revert this; perhaps I just did something wrong in my re-attempt)
EDIT4: While approach #1 still works atm, I recently found this blog post: https://developers.googleblog.com/2020/08/guidance-for-our-effort-to-block-less-secure-browser-and-apps.html Apparently Google is restricting usage of Google sign-in in non-standard browsers (which presumably includes Electron) starting in Jan. 2021, and warns developers not to modify their browser's user-agent (which all three of the possibilities I mention do). Use at your own risk! (they don't make clear what outcome will result, but for my own use, I'm opting to use the alternative shown below from now on)
As an alternative to using a Google sign-in popup in your app (which some might be wary of, since Electron apps could in principle insert code into the popup to read the raw password -- not that it matters that much, since Electron apps could just install keyloggers or the like anyway), you could instead open a tab in the user's regular external browser, pointed to a special page that triggers a sign-in popup there, and then just sends the credentials to your Electron app afterward.
Instructions can be seen here (approach 3): https://stackoverflow.com/a/64328193/2441655
After taking a wild guess I decided to alter the user agent string and to remove the application name from it, as well as Electron/ with its version. After this alteration it started working again.
Example implementation:
const { BrowserWindow } = require('electron');

const win = new BrowserWindow(params);
let ua = win.webContents.userAgent;
// Drop the "<app name>/<version>" token (replace the placeholder with your app's name)
ua = ua.replace(/APPLICATION NAME HERE\/[0-9.-]*/, '');
// Drop the "Electron/<version>" token, version number included
ua = ua.replace(/Electron\/[0-9.-]*/, '');
win.webContents.userAgent = ua;
This assumes the application is using semver and no pre-release tags. Otherwise you would have to tweak the regexp a bit.

Logout from Github Laravel Socialite

I have made an API in Laravel with Socialite and GitHub, and I need to log out so that the application asks me every time which GitHub account I want to log in with.
What you are asking is how to log out your registered user (who used GitHub) and destroy the OAuth session of GitHub?
Maybe have a look at this:
laravel socialite logout issue
OK.
If you are using Socialite, do check the documentation of each provider you use. Probably you should make a GET or a POST request to their service in order to log out the user.
For example, Globus.org uses this link (documentation link) in order for you to log out your users:
GET https://auth.globus.org/v2/web/logout
Clicking it will log out your user from your service.
Do note that most providers might use similar techniques.
Use Postman to make such requests and experiment (especially when you are trying to register users, making calls with Postman might be helpful).
Then you are faced with the following issue:
- What type of data did you store in your database? (the next bullet might help you understand what I mean)
- Did you store, in some way, the provider name the user used to log in to your system?
If so, each provider might use a different way to log out / register a user from your Laravel project.

Sails JS: user management - best practice 2018

We are quite new to Sails JS.
Using Sails JS (v0.12.13) inside our company locally, we are now at the point of granting access to our customers. We would like to implement a few layers of access (global admin, global user, customer admin, and customer user (possibly others, but not yet)).
We would also like to manage customer pages individually (customer1.app.com, customer2.app.com...).
Because we don't need social login, just local users, we've counted out Passport.
Is the best practice to go with Sails policies and access control? We found this in the Sails documentation (https://sailsjs.com/documentation/concepts/policies/access-control-and-permissions) but as it is in the v1 docs we don't know if we can use it with Sails 0.12.13.
Or would something like Sails-Permissions (https://github.com/trailsjs/sails-permissions) be more appropriate to manage users?
Also, in the Sails.JS in Action book, they use machine-packs to encrypt passwords and manage logins.
Those packages look rather old, so we are wondering if they are still "safe" to use in a 2018 app.
Sails policies are certainly a good practice, and you can use them in v0.12 (v0.12 docs). Yes, I agree that machine-packs are pretty old, but you can use npm modules and wrap them in helpers. For encrypting passwords, for example, you can use beforeCreate to encrypt the password before saving to the database.

Symfony 3.1: configuration of ldap component as service

I'm writing my first Symfony app and I need to authenticate users over LDAP/AD, but I ran out of documentation...
I found many solutions that use LdapClient, but it is tagged as deprecated. So I checked how to use the new Ldap class as recommended, but I did not find documentation for using it. The documentation of the Ldap component for the current version (3.1) still suggests using LdapClient! Isn't it updated yet?
I don't know how to do it: must we create an adapter to add an Ldap service? If so, how do I proceed?
Any help will be appreciated, thanks!
Check out this cookbook article for configuring LDAP authentication using the built-in Symfony component:
http://symfony.com/doc/current/cookbook/security/ldap.html
I also have a bundle I maintain that includes LDAP authentication that works well with AD called LdapToolsBundle. It has documentation on the main page for the app/config/config.yml entries needed to configure your domain for use in the bundle, and also some details on configuring authentication in app/config/security.yml here.
The bundle above provides an LDAP service called ldap_tools.ldap_manager that can be used to query/create/modify different types of AD objects.
Take a look at my blog:
https://alvinbunk.wordpress.com/2016/03/25/symfony-ad-integration/
This requires FOSUserBundle and FR3DLdapBundle, but I think if you go through all that documentation you should be able to get LDAP/AD integration with Symfony3 working.
EDIT #2
Below is a second easier solution:
https://alvinbunk.wordpress.com/2017/09/07/symfony-ldap-component-ad-authentication/

Symfony 3 functional test: authenticate user of own User class

I'd like to run functional tests on a section of my website which requires authentication. I found a solution for Symfony 2.x here. However, this does not work for Symfony 3 as this line is now deprecated:
self::$kernel->getContainer()->get('security.context')->setToken($token);
My question is, how do I work around this and make it work with Symfony 3? Thank you.
In Symfony 3, the SecurityContext was split into the TokenStorage and the AuthorizationChecker. Thus, you need to use the security.token_storage service:
self::$kernel->getContainer()->get('security.token_storage')->setToken($token);
However, a simpler approach would be to switch to HTTP Basic auth in your tests and configure the logged in user as described in http://symfony.com/doc/current/cookbook/testing/http_authentication.html.