I'm trying to reinforce some concepts learned in Colt Steele's Web Development Bootcamp and I have built a small website. At this time, I'm just trying to get the authentication working properly.
When a user signs up, I can see that they are added to my Mongo DB so I'm assuming that is working correctly but when I try to log back in it always redirects to the error page.
I have tried debugging this a number of ways and have compared it to the work we did in the course a hundred times but I cannot spot the bug with this. If anyone could give me some guidance I would really appreciate it.
Here's my project repo:
https://github.com/mcarre93/Depa
Ciao, according to the passport docs, when you post to /login you should do:
app.post('/login', passport.authenticate('local'), function(req, res) {
  // If this function gets called, authentication was successful.
  // `req.user` contains the authenticated user.
  res.redirect('/account');
});
I read your code and you are doing something different. Try to modify your code as the documentation suggests and let me know.
I'm hoping to be able to create a section of a site that is unable to be read/seen by anyone that's not logged in... I am using Firebase and JavaScript.
I have read that you are unable to set permissions for files (.htmls etc.) so I won't be able to block people from seeing the pages as a whole... I've also read that this isn't the best practice anyway... So my question is...
What is the protocol for doing this sort of thing? And how can this be done in Firebase?
I have managed to create a user-only page before from a tutorial, but this was just done by hiding the content of the page with JavaScript and also blocking the permissions to the displayed data through Firestore permissions.
But I don't feel this is adequate for my site as I don't want people being able to read the code in the background or get access to the page at all to begin with.
I have also read that a way to go about doing this is to use Firebase Cloud Functions to check whether the user is logged in and, if they are, then it spits out the code for the pages from the Google servers. Is this a good idea? Or is there a better way?
Any help, tips or insights would be greatly appreciated.
Just trying to get a feel for where to begin with this problem.
Hoping there is a solution.
Thanks
Yes, it's a good practice hiding or preventing the UI from being rendered for unauthorized users.
Yes, it's also a good practice setting the permissions for accessing your data from the database.
You should also consider middleware, navigation guards or route guards for preventing unauthorized users from visiting the restricted page. It would depend on the stack, or what frontend technology you are using. You can use whatever navigation guard you choose. For Vue.js there is vue-router. You can also use the Firebase authState listener. Depends on your choice.
Use Firebase auth to signInWithEmailAndPassword, or whatever your authentication method was. Then you can check the auth state in onAuthStateChanged and set your new userId state:
// somewhere... (React shown; `auth`, `Layout` and `routeToLogin` come from your own app)
import { useEffect, useState } from 'react';
import { onAuthStateChanged } from 'firebase/auth';

const [currentUserId, setCurrentUserId] = useState(null);

// later.. subscribe once when the component mounts and unsubscribe on unmount
useEffect(() => {
  const unsubscribe = onAuthStateChanged(auth, (user) => {
    // `user` is null after sign-out, so clear the id in that case too
    setCurrentUserId(user && user.uid ? user.uid : null);
  });
  return unsubscribe;
}, []);

// even later in this component:
return (<Layout userId={currentUserId} />);

// in wherever you have links, I assumed you passed currentUserId to here:
return (
  currentUserId != null ? <ProtectedContent /> : routeToLogin()
);
Something like this should be fine and secure enough. No one is going to go and flip a variable in your extremely obfuscated, transpiled JavaScript code generated by your bundler, and even if they did find a place to flip a variable, the code would probably throw an error anyway.
You could lazy load that certain page as well once authenticated; then the code for it wouldn't even be loaded onto the user's disk until they've successfully signed in.
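The question also asks about the other approach, a Cloud Function that checks whether the caller is signed in and only then returns the page. The following is an added example, not code from the question or from either answer: the server-side handler that enforces that check. The client-side state above decides what to render; this is the part that decides what is ever sent. `verifyIdToken` is injected so the example runs offline; in a real Cloud Function you would pass `getAuth().verifyIdToken` from firebase-admin, which rejects expired or forged tokens. The request/response shapes, the `fakeVerifyIdToken` stand-in and its hard-coded token are constructed for the example.

```javascript
// Added example: server-side gate for a "members only" page served from a function.
// Extracts an RFC 6750 bearer token; returns null for a missing or malformed header.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const parts = authorizationHeader.split(' ');
  if (parts.length !== 2 || parts[0] !== 'Bearer' || parts[1].length === 0) return null;
  return parts[1];
}

// Wraps `renderPage(decodedToken)` so it only runs for callers whose ID token verifies.
// `verifyIdToken` is assumed to behave like firebase-admin's: resolve with the decoded
// claims, or throw for a bad signature, expiry or wrong project.
function requireSignedIn(verifyIdToken, renderPage) {
  return async function handler(req) {
    const token = extractBearerToken(req.headers.authorization);
    if (token === null) {
      return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' }, body: 'sign in required' };
    }
    let decoded;
    try {
      decoded = await verifyIdToken(token);
    } catch (err) {
      return { status: 401, headers: { 'WWW-Authenticate': 'Bearer error="invalid_token"' }, body: 'invalid token' };
    }
    // Only now is the restricted HTML produced. no-store keeps it out of shared caches.
    return { status: 200, headers: { 'Cache-Control': 'private, no-store' }, body: renderPage(decoded) };
  };
}

// Constructed stand-in for verifyIdToken (NOT real verification): accepts exactly
// one hard-coded token and rejects everything else, which is enough to exercise the gate.
const FAKE_VALID_TOKEN = 'constructed-valid-id-token';
async function fakeVerifyIdToken(token) {
  if (token !== FAKE_VALID_TOKEN) throw new Error('auth/argument-error');
  return { uid: 'user_123', email: 'member@example.com' };
}

function renderMembersPage(decoded) {
  return `<h1>Members only</h1><p>Signed in as ${decoded.uid}</p>`;
}

const membersHandler = requireSignedIn(fakeVerifyIdToken, renderMembersPage);

// Three constructed requests: no header, a bogus token, and the valid one.
async function demo() {
  const anon = await membersHandler({ headers: {} });
  const forged = await membersHandler({ headers: { authorization: 'Bearer not-a-real-token' } });
  const member = await membersHandler({ headers: { authorization: `Bearer ${FAKE_VALID_TOKEN}` } });
  return { anon, forged, member };
}
```

The client obtains the token with `getIdToken()` on the signed-in user and sends it in the `Authorization` header; nothing in the bundle needs to be hidden, because an unauthenticated request never receives the protected markup in the first place.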
I'm building a register system where a user can login with Facebook, Google, or locally.
Whenever I post via any login strategy I get an unknown strategy error. I think I did connect all files together.
I did check every solution on Stack Overflow, but can't find anything that could help at the moment.
My code:
https://github.com/ExadelPraktika/Back-exabook/tree/backend_full
Added
require('../passport');
in passport.js and it works.
You will also get this error if the strategy is not passed to the use command like so:
passport.use("google", strategy);
In the process of learning the MEAN stack I came across an issue.
Whenever I try to use passport authenticate method it never returns any response. I always get "localhost didn’t send any data. ERR_EMPTY_RESPONSE".
Here is the exact isolated code snippet that isn't working:
app.post("/login", passport.authenticate("local",
{successRedirect: "/campgrounds", failureRedirect: "/login"}),
function(req, res){
});
If you want to see the whole code, you can find it: HERE
Does anyone have any solutions?
This line needs parens after authenticate,
according to the docs here.
Sorry if this is a rookie question but here it goes:
I want the Admin (when logging into the site) to view a link that non-admins can't view when they log in. I'm not even sure how to get started. I know I have to add two separate routes to the routes.js file. But not really sure how to display that in the UI or if I'm even correct.
This repo seems somewhat relatable to my problem. https://github.com/angular-ui/ui-router#get-started
Thanks
So the best way (using Angular as you are) to create admin pages is to restrict them on your API within Express or Node.
Luckily there is a package for this! Passport, a Node module which can not only do regular logins but also Google, Facebook and many others.
I would take a look at their middleware examples; then in your route you can do something as simple as this:
app.get('/admin', isAdmin, function(req, res){
  res.send('Secret Admin Things');
});
where isAdmin will handle checking if they are an admin all in one swoop! Amazing tutorial for this.
I worked on a project which did not make use of passport and this is what they did
In the back end
// expose the session role to the template
res.locals = {
  auth: req.session.auth,
};
res.render('index');
Then in the front end
HTML:
<span id="admin"> </span>
JavaScript:
// '{{auth}}' is filled in by the template engine from res.locals.auth
if ('{{auth}}' === 'admin') {
  const menu = "<a href='/admin/users'> Admin: Users </a>";
  $('#admin').append(menu);
}
Then, to make sure someone could not look at the code to find the link and go to it, you of course secure the back end:
if (req.session.auth !== 'admin') {
  // not an admin: send them away and stop handling the request
  return res.redirect('/');
}
The other answers are great if you're using and know Angular and Passport. However, not everyone uses the same libraries, so if you're just using Express and jQuery this option will work to get you started. There is much more to the code as far as security checks etc. you would want to do, but this is the basic way.
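Both answers above make the same point: the admin link can be hidden in the UI, but the route itself must be refused on the server. The following is an added example, not code from either answer, showing that check as Express-style `(req, res, next)` middleware so it can sit in front of any route, with a separate `isLoggedIn` (redirect to login) and `isAdmin` (403 for a signed-in non-admin). The `runRoute` helper is a tiny stand-in for Express so the example runs offline; the session shape `req.session.auth` holding a role string follows the second answer, and the role names and paths are assumptions.

```javascript
// Added example: server-side route guards for the admin page.

// Unauthenticated callers are sent to the login page. `return` matters:
// without it execution would fall through after the redirect.
function isLoggedIn(req, res, next) {
  if (req.session && req.session.auth) return next();
  return res.redirect('/login');
}

// Authenticated but lacking the role: 403. Built as a factory so other roles
// can be guarded the same way.
function hasRole(role) {
  return function (req, res, next) {
    if (req.session && req.session.auth === role) return next();
    return res.status(403).send('Forbidden');
  };
}
const isAdmin = hasRole('admin');

// Route table. Hiding the link in the menu is cosmetic; this is the enforcement.
const routes = {
  '/admin/users': [isLoggedIn, isAdmin, (req, res) => res.send('Secret Admin Things')],
  '/profile': [isLoggedIn, (req, res) => res.send(`Profile of ${req.session.auth}`)],
};

// Minimal stand-in for Express: runs a path's middleware chain against a fake
// session object (undefined = no session cookie at all).
function runRoute(path, session) {
  const req = { path, session };
  const res = {
    statusCode: 200, body: null, location: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
    redirect(url) { this.statusCode = 302; this.location = url; return this; },
  };
  const chain = routes[path];
  if (!chain) return res.status(404).send('Not Found');
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}
```

With real Express the same functions are used verbatim, e.g. `app.get('/admin/users', isLoggedIn, isAdmin, handler)`; the point of the stub is only to show that a request with a non-admin session never reaches the handler, regardless of what the client-side menu displays.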
I have a little problem with Meteor and Twitter.
All I want to do is post a tweet through a click on a button. For this I have to authenticate myself over OAuth to the Twitter service.
At the moment I am doing the authentication in a really complicated way, jumping from client to server and back. But now I found the function Meteor.loginWithTwitter. Originally I thought this function is only for logging you into your own application with the Twitter keys; now I am not so sure anymore. Probably I can also use it for my problem, because it seems that the OAuth process is completely (and in a simple way) implemented in Meteor.
Sadly I can't find any documentation or examples for just logging in and getting the final oauth_token. And so all I get from Meteor when I try the following code is this error message:
Error message: Accounts.ConfigError {message: "Service not configured"}
Meteor.loginWithTwitter(function(err){
  if (err){
    console.log(err);
  } else {
    console.log("yeah");
  }
});
I know I have to enter my app information like the consumer key somewhere, but I have no idea where. Can someone help me out and knows some examples for me? Or knows if I am even on the right track?
Thanks and greetings
Philipp
The easiest way of doing this: Add the accounts-ui package:
meteor add accounts-ui accounts-twitter
and in your template do
{{loginButtons}}
On the first start of the application, a click on the login button will guide you through the setup process. You will create a Twitter application and copy the consumer key and consumer secret into a form, that meteor presents you. Afterwards you can log in using Twitter.
Make sure to use the latest Meteor version (0.5.2 at this moment)
You can also configure your consumer key and secret in code; this is an example with Weibo but it works for Twitter, Google etc. (server side):
// first, remove configuration entry in case service is already configured
Accounts.loginServiceConfiguration.remove({
  service: "weibo"
});
// your app's client id and secret (server-side only; never ship these to the client)
Accounts.loginServiceConfiguration.insert({
  service: "weibo",
  clientId: "1292962797",
  secret: "75a730b58f5691de5522789070c319bc"
});
You need to add what #Tom31 suggested on your server side, i.e., I have a /server/server.js:
Accounts.loginServiceConfiguration.remove({"service": "twitter"});
Accounts.loginServiceConfiguration.insert({
  "service": "twitter",
  "consumerKey": "<yours>",
  "secret": "<yours>"
});
Finally, your access tokens are stored in your user document in the database, but this information is not propagated to the client and, if you want to have access to it, you need to create a server side method and access it through Meteor.call or Meteor.apply.
Updated: Example of my server side method
I've created my server side method like this:
Meteor.methods({
  ...
  userGet: function(id) {
    // look the user up on the server and strip anything the client must not see
    return removeSensibleFields( Meteor.users.findOne({ _id: id }) );
  }
  ...
});
where removeSensibleFields is a method to remove all unnecessary/private information that must not be sent back to the client.
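The answer leaves `removeSensibleFields` unwritten. The following is an added example, not the answer's own code, of one way to write it: as an allow-list of fields the client may see, so that the Twitter `accessToken`/`accessTokenSecret`, the bcrypt hash and the resume login tokens that Meteor stores under `services` cannot leak even when a new service is linked later. The `userGet` wrapper also assumes the method should only return the caller's own record; in a real Meteor method `callerId` would be `this.userId` and the string check would be `check(id, String)`. The sample user document is constructed to mirror the layout Meteor uses after `loginWithTwitter` plus a password login.

```javascript
// Added example: allow-list sanitizer for a Meteor-style user document.

// Top-level fields a client is allowed to see. Anything not listed is dropped,
// which is safer than deleting known-bad fields one by one.
const PUBLIC_USER_FIELDS = ['_id', 'username', 'profile', 'createdAt'];

function removeSensitiveFields(userDoc) {
  if (!userDoc) return null;
  const safe = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (field in userDoc) safe[field] = userDoc[field];
  }
  // Tell the client which OAuth services are linked (not the internal
  // password/resume/email entries) and the public screen name, but never
  // copy the `services` subtree itself: that is where the tokens live.
  const services = userDoc.services || {};
  safe.linkedServices = Object.keys(services)
    .filter((s) => !['password', 'resume', 'email'].includes(s));
  if (services.twitter) {
    safe.twitterScreenName = services.twitter.screenName;
  }
  return safe;
}

// Server-side method body. `users` stands in for Meteor.users.find, `callerId`
// for this.userId. A client may only read its own record; the sanitizer is the
// second line of defence should that check ever be loosened.
function userGet(users, callerId, requestedId) {
  if (typeof requestedId !== 'string') throw new Error('match-failed: id must be a string');
  if (!callerId) throw new Error('not-authorized: login required');
  if (callerId !== requestedId) throw new Error('not-authorized: may only read your own record');
  const doc = users.find((u) => u._id === requestedId);
  return removeSensitiveFields(doc);
}

// Constructed document in the shape Meteor produces; the token values are fake.
const SAMPLE_USERS = [{
  _id: 'u1',
  username: 'philipp',
  createdAt: '2013-01-01T00:00:00Z',
  profile: { name: 'Philipp' },
  services: {
    twitter: {
      id: '42', screenName: 'philipp',
      accessToken: 'constructed-token', accessTokenSecret: 'constructed-secret',
    },
    password: { bcrypt: '$2a$10$constructedhash' },
    resume: { loginTokens: [{ hashedToken: 'constructed-login-token', when: '2013-01-02T00:00:00Z' }] },
  },
}];
```

When the tweet itself has to be posted, the method that signs the Twitter request reads `services.twitter.accessToken` on the server and sends the finished result to the client, so the token never has to leave the server at all.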