Earlier I created first user witch hasn't "userAdminAnyDatabase" role, I delete that user (so now in my database doesn't exist any user) and I got this. What can I do?
Restart your mongod instance with parameter --transitionToAuth
Then you can re-create the user. Restart mongod again.
If it does not work, then try option --noauth.
Option --transitionToAuth disables only the authentication for clients, but Internal/Membership Authentication remains active. Internal/Membership Authentication is pointless when you run a stand-alone MongodDB, it is relevant only for replica sets and sharded clusters.
If you run a stand-alone MongoDB then use option --noauth (and remove option --auth, of course) which disables authentication entirely.
Related
My webapp allows different users to login in different tabs/browsers on the same machine with different credentials (using signInWithEmailAndPassword). I achieve this by calling firebase.initializeApp(config, 'appName'+new Date().getTime()) for each login
When the user closes the tab or reloads (in window.onbeforeunload) I call .auth().signOut() to log him out.
I now want to add a RemeberMe functionality to my app page, that is a tickbox that if (and only if) ticked, will allow following logins from the same machine and username without giving the password even if the machine was for example restarted in the meantime.
How can that be achieved ?
what I am thinking about is (when remember me is on) to generate a token on the client stored in a cookie and maintain a table on the db which links tokens to passwords, there are two problems with this, first of all the password is saved as is on the db which is bad and second the password needs to be sent back to the client which is also bad.
any better options ?
Starting with Firebase JS 4.2.0 you can now specify session persistence. You can login different users in multiple tabs by calling:
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION)
And when the window is closed, the session is cleared.
For more on this, check https://firebase.google.com/support/release-notes/js#4.2.0 and https://firebase.google.com/docs/auth/web/auth-state-persistence
Just add a rememberMe checkbox to your login form with a reference variable(for an exmaple remember) and use firebase setPersistence like this,
firebase.auth().setPersistence(this.remember.checked ? fireauth.Auth.Persistence.LOCAL : fireauth.Auth.Persistence.SESSION)
(here I have used javaScript for the example)
I am trying to build an android app in js that can detect eddystone beacons emitting UID.
I followed this : https://evothings.com/detecting-eddystone-beacons-in-javascript-made-easy/
But I can only detect beacon html.
I cannot find the line where you can look for UID.
Does anyone has an idea ?
Are you sure your beacon is set to broadcast the Eddystone-UID packet?
The thing to keep in mind is, Eddystone-UID and Eddystone-URL are two completely separate types of packets, and your beacon might only be able to broadcast one at a time.
Check with your beacon's vendor how to set it to broadcast the Eddystone-UID packet.
The Evothings PhoneGap plugin you're using returns both Eddystone-URL and Eddystone-UID packets it found, through a single success callback. The example app from the tutorial you've linked to then takes the beacon, figures out if its URL or UID (or both), and only shows what's available.
I'm developing nodejs application with users registration using sails.
I have an /signup method, which is looking for existing user, if user not found, it will create new user in db.
As you know in sails model (waterline) available few methods : beforeCreate, afterCreate. In beforeCreate I need also register user in a few other services(it takes +-2 seconds), after that I can set received data to user object.
The problem is if user clicks few times on "register" button (or just send the same request 2+ times in a row), it will create 2 objects in db ( or another services ). I have a similar with some other methods like this.
I was trying to set unique field in user model. Also maybe is good idea to implement police, witch can check user + reqest url and put this data into redis. If the second request arrives , check if it exists in Redis. Any other ideas?
My confidence in MongoDB security is shaken, and I'm hopping it will be restored with an explanation that I'm doing something wrong...
I've created MongoDB's Windows Service like this:
mongod --logpath "C:\mongoDB\logs" --logappend --dbpath
"C:\mongoDB\data\db" --serviceName MongoDB --serviceDisplayName "Mongo
DB" --port 27017 --auth --install
I've then created a DB and added the administration user to that DB's system.users collection.
Then I filled that DB with some random information to a test collection I've created.
Up until now, everything is great and I am able to access the DB only if I have the administrator credentials...
Now the important part...
I removed the service like this:
mongod --remove --serviceName "MongoDB"
Then I recreated the service but with no authentication like this:
mongod --logpath "C:\mongoDB\logs" --logappend --dbpath
"C:\mongoDB\data\db" --serviceName MongoDB --serviceDisplayName "Mongo
DB" --port 27017 --noauth --install
What amazes me is that I am now able to access the DB I've created with now authentication...
Please tell me I should have done something differently.
Authentication happens at the daemon level, not at the database level. The data itself is not encrypted or otherwise access-controlled. If you run the service without requiring credentials, then, as expected, no credentials are required to connect and use it.
This is generally not considered to be problematic, as if you have access to the server and can modify the daemon, you by definition have access to the datafiles anyway.
No auth means you dont have to provide credentials:
noauth
Default: true
Disable authentication. Currently the default. Exists for future compatibility and clarity.
For consistency use the auth option.
source
The configuration mistake you made was that you disabled any authentication measure in your database.
Well...
Since if we edit the database files with a text editor, we can see the stored information, you are right, the information isn't encrypted.
Following this order of ideias in my opinion it is redudant to specifiy the user and password when executing mongodump or mongorestore commands on a secured database. Let's face it, if a baddly intentioned administrator would be interested on exporting the data, he could do it editing the database files itself, with much more work of course :P
I know authentication is at a DB level not the instance itself (through admin database), but im my opinion it is very easy once more for a baddly intencioned user to get the DB information since he doesn't need to specify authentication to remove Windows Service...
Thank you for your opinions!
I have an ASP.NET application that is using forms authentication with a timeout set to five minutes. On my page I have a button, that when clicked, makes an AJAX call to an operation that lives on the service named in my .svc file. How do I know, from the client javascipt that the application has timed out? Or, how can I detect this in the global.asax; maybe in the application_beginrequest?
If you're talking about the session timeout. When this occurs, the IHttpSessionState.IsNewSession property should be set to true.
If you're referring to the auth timeout, then you have to check the AuthenticationTicket for expiration.
A variation on your approach: have a separate client script that first checks for authentication expiration by requesting a special page/handler which returns JSON structure to indicate the authentication status of the current user. Only after knowing that the user is still active do you then run your main ajax action. It's one more request but keeps you from entangling the timeout logic with the main ajax logic. You can also use separately in a "warning, your session will time out in x minutes" popup.
See this question and my answer there for more details about how to set it up, but the key point is that if you don't want the check for expiration to extend the sliding expiration you have to configure the expiration page/handler as a separate virtual directory with forms authentication set with slidingExpiration=false.