How to implement username/password auth with express ntlm? - javascript

I am trying to implement username and password auth with Express-ntlm.I have added below code as middleware
app.use( ntlm({
domain: '<domainname>',
domaincontroller: '<ldap url>',
}));
I am not providing any user name password in the request and its automatically adding ntlm header in the request with my loggedin user details. I am getting {Authenticated:true} along with my username and system name in request.ntlm.
How can I provide different username/password in this and authenticate?
Also will this work if I login from linux/mac system?

If you use a supported browser (e.g. IE) NTLM will automatically log the user in using the current session in Windows. express-ntlm will just receive this information and exposes it to the application.
If you want to use other credentials you have to log in using a different user in Windows or use a browser that will show you a prompt for username and password if it gets an NTLM challenge. If I remember correctly Chrome will do it like this.
I never tried it using macOS/Linux, but I'm sure most browser will just provide you a username/password prompt.

Related

ArcGIS JavaScript API: How to show company specific portal login screen when trying to access secure layer

I have written a webapp with the ArcGIS JavaScript API and all is working fine. Now I am trying to add secured layers to the web app and the app starts asking for credentials via a default login screen. I could use that, just entering username and password, but most users don't know their user name and password for ArcGIS.
The company has implemented SSO with ArcGIS so users don't have to fill in their credentials. Users typically go to the main company.maps.arcgis.com site and get to a company specific login screen where they have the option to click this SSO button.
My question; how can I make the JavaScript API show this company specific login page with SSO button instead of the default one?
I tried registering oauthInfo and serverInfo setting but without success.
Did anybody else ever built this?
The SSO sign in prompt should occur as long as you're using OAuthInfo and registering it with the IdentityManager. You'll have to make sure that you:
Add and register an application in the organization where
the data is coming from. The redirect URI should point to the server
that's hosting the application URL.
Get the Client ID from the registered application and add it to the appId in OAuthInfo along with the portalUrl property (which should be https://company.maps.arcgis.com)
Set the popup property to false.
Verify all the data is coming from the same organization. If it's not, then you may get another prompt since it's not registered with the IdentityManager.
Here's an example of what the OAuthInfo should look like:
const info = new OAuthInfo({
// Swap this ID out with registered application ID
appId: "APPID",
portalUrl: "https://company.maps.arcgis.com/",
flowType: "auto", // default that uses two-step flow
popup: false,
});
esriId.registerOAuthInfos([info]);

Disable default sign in prompt while using ntlm passthrough technique in express-ntlm

I am using following code in express-ntlm to get workstation details in my node.js app:
var express = require('express'),
ntlm = require('express-ntlm');
var app = express();
app.use(ntlm());
app.all('*', function(request, response) {
console.log(request.ntlm.Workstation);
});
app.listen(3000);
When I hit localhost:3000 it pops up sign in prompt asking username and password. This is due to http setheader('WWW-Authenticate','NTLM') in the express-ntlm package code.
How do I disable this sign in prompt and still be able to get workstation details?
P.S : (I tried disabling it through express-ntlm code, though it doesn't do it. There is some callback that I am missing, to reproduce exact events, which are triggered when you click sign in button on the prompt.
Also I am not trying to put any custom sign in page.)
This is not possible. The WWW-Authenticate header tells the browser to use NTLM for authentication. If the browser supports NTLM natively, you won't notice this process, but if not, there will be a prompt to enter credentials. If you remove the header, the authentication won't happen and therefore you will not receive the required information.
Also, using ntlm() without a domain controller is not clever, as it disables authentication checks and therefore any user can provide any details they want, without any verification.
Check your browser settings/ policy.
For IE
Tools > Internet Options > Security Tab > Custom Level >User Authentication Logon > select checkbox "Automatic logon with current user name and password".

Keystonejs: change admin UI login screen message

Keystonejs has some kind of bug on the Admin UI login page:
While trying to access Keystone Admin UI, with User that Permissions isAdmin = false
In case login/pass is correct Keystonejs screen says: "You're already signed in."
There should be response something like: "You don't have permissions"
It's no too informative so I suggest to change it to something like "You don't have permissions".
So question: is it possible to change text of that message?
The issue is that you have logged in using valid credentials but have not granted that user access to the Admin UI. There is (as at Keystone 4.0.0) no default path for users without the canAccessKeystone permission. I believe the general assumption was that non-admin users should not be logging into Keystone admin, but authenticated sessions are still useful for API endpoints.
So question: is it possible to change text of that message?
I'm not aware of a straightforward way to only change this message, but if you're keen you could always modify the Keystone 4.0 source for your own requirements and submit a pull request to have this considered for merging into the project. I've created issue #4786 in Keystone's GitHub issue tracker to improve the messaging for users who successfully login but do not have access to the admin UI.
In the interim, one possible workaround would be to use the keystone signin redirect configuration to set a preferred entry point that can either handle all user types or redirect appropriately.
For example, you could add the following to your keystone.js config:
keystone.set('signin redirect', '/gohome')
The /gohome route could render a page or do a simple redirection based on user properties:
app.get('/gohome', function(req, res) {
var url = (req.user && req.user.canAccessKeystone) ? '/keystone' : '/user';
res.redirect(url);
});

Validating user token from backend

I am trying to verify on my backend side (node.js) user's token. Based on the official documentation docs I should download first all JWT from
https://cognito-idp.${region}.amazonaws.com/${UserPoolId}/.well-known/jwks.json
But for some reason this address doesn't exists (of course with valid region and UserPoolId). Everything should be configured well because signup, it's confirmation and login works perfectly, users are added to the pool, I've got token. Any idea what can be wrong ?
For me the following works to access the JWK Set (basically replaced the region and user pool id in the url above).
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_O2vEE1sUF/.well-known/jwks.json
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_O2vEE1sUF/ should be coming from your iss field.

Firebase RememberMe functionality

My webapp allows different users to login in different tabs/browsers on the same machine with different credentials (using signInWithEmailAndPassword). I achieve this by calling firebase.initializeApp(config, 'appName'+new Date().getTime()) for each login
When the user closes the tab or reloads (in window.onbeforeunload) I call .auth().signOut() to log him out.
I now want to add a RemeberMe functionality to my app page, that is a tickbox that if (and only if) ticked, will allow following logins from the same machine and username without giving the password even if the machine was for example restarted in the meantime.
How can that be achieved ?
what I am thinking about is (when remember me is on) to generate a token on the client stored in a cookie and maintain a table on the db which links tokens to passwords, there are two problems with this, first of all the password is saved as is on the db which is bad and second the password needs to be sent back to the client which is also bad.
any better options ?
Starting with Firebase JS 4.2.0 you can now specify session persistence. You can login different users in multiple tabs by calling:
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION)
And when the window is closed, the session is cleared.
For more on this, check https://firebase.google.com/support/release-notes/js#4.2.0 and https://firebase.google.com/docs/auth/web/auth-state-persistence
Just add a rememberMe checkbox to your login form with a reference variable(for an exmaple remember) and use firebase setPersistence like this,
firebase.auth().setPersistence(this.remember.checked ? fireauth.Auth.Persistence.LOCAL : fireauth.Auth.Persistence.SESSION)
(here I have used javaScript for the example)

Categories