Validating user token from backend - javascript

I am trying to verify on my backend side (node.js) user's token. Based on the official documentation docs I should download first all JWT from
https://cognito-idp.${region}.amazonaws.com/${UserPoolId}/.well-known/jwks.json
But for some reason this address doesn't exists (of course with valid region and UserPoolId). Everything should be configured well because signup, it's confirmation and login works perfectly, users are added to the pool, I've got token. Any idea what can be wrong ?

For me the following works to access the JWK Set (basically replaced the region and user pool id in the url above).
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_O2vEE1sUF/.well-known/jwks.json
https://cognito-idp.us-east-1.amazonaws.com/us-east-1_O2vEE1sUF/ should be coming from your iss field.

Related

Receiving an email on localhost (kubernetes pod)

I have a following issue:
I'm writing an integration test (cypress) for resetting password. The issue is, that right now I send the url (with key needed to reset the password) to users email. Email must be real (so eg. something#something.comething).
I wanted to use something like mailhog for this sake, but I don't think it's possible in this case, since I send api request from frontend to backend with en email that requested password change, then backend sends a message to this email address with the url (so I can't do it directly from frontend and I'd like to avoid backend changes in this case).
Is there some service, that I could use, that would eg. run in kubernetes pod or just straight on localhost, to "pretend" to be a real email, so I could signup with it and then reset the password for it? It must have some api, that would allow me to get the email value (for the sake of getting the url with reset key).

How to implement "forgot/reset password" feature properly in Node.js? (Using one time token)

I am implementing a forgot/reset password functionality in a Node.js app using NestJs.
That is the general flow:
A user types in his email in a "forgot password" form and submits the request
The server generates a jwt token with the user's ID as the payload, then sends an email with the token as the link to reset the password (example: GET: example.com/reset/generated_jwt_token)
User clicks the link from his email, the reset password page is rendered, he fills the form with the new password and submits the form with the password as the body (example: POST: example.com/reset/generated_jwt_token)
Server verifies the token (that is not expired + user ID from payload exists in the DB) and updates the password.
The main problem with this approach is that the jwt token can be used unlimited amount of times to reset the password (until it expires after X minutes).
Is there a way to solve this? some say to put the current password's hash as the payload since it will be changed anyway and will guarantee 1 time use, but I'm not a fan of this method.
EDIT: Another approach i encountered is creating a blacklist collection in the DB of jwt token that cannot be used more than once. Or using a cache in redis the same way, but it seems not very scalable.
When a token is generated, you could save it (or something unique embedded inside it) into the database under that user. Then, the server verifies the token:
(1) when the link from the reset email is clicked
(2) when the user submits the reset password page
by checking that the token is the same as the one for that user in the database.
Also, when the user successfully changes their password, clear the token from the database so it can't be used again.
I agree with the (accepted) answer of #CertainPerformance.
I would like to add - Consider using authentication-flows-js. You will not have to worry about the implementation at all!
It is a module that answers most flows - authentication, registration, forgot-password, change password etc., and it is secured enough so applications can use it without the fear that it will be easily hacked.
From an article I wrote:
Forgot Password
The user enters their email in the forgot password
form, and clicks submit. The server (AFM) verifies the account exists
and is not locked. If it is locked, AFM throws an error. Otherwise, an
email is sent to the user with a token. That token is stored in the DB
in the same row/document/record of the user.
Read the full article with more explanations here.

How to implement username/password auth with express ntlm?

I am trying to implement username and password auth with Express-ntlm.I have added below code as middleware
app.use( ntlm({
domain: '<domainname>',
domaincontroller: '<ldap url>',
}));
I am not providing any user name password in the request and its automatically adding ntlm header in the request with my loggedin user details. I am getting {Authenticated:true} along with my username and system name in request.ntlm.
How can I provide different username/password in this and authenticate?
Also will this work if I login from linux/mac system?
If you use a supported browser (e.g. IE) NTLM will automatically log the user in using the current session in Windows. express-ntlm will just receive this information and exposes it to the application.
If you want to use other credentials you have to log in using a different user in Windows or use a browser that will show you a prompt for username and password if it gets an NTLM challenge. If I remember correctly Chrome will do it like this.
I never tried it using macOS/Linux, but I'm sure most browser will just provide you a username/password prompt.

Facebook messenger account linking, how to use it?

There are 4 easy steps described in the documentation about account linking for the messenger platform:
Register a callback URL using Log In Button.
Messenger Platform invokes the registered URL when a user starts the account linking flow. The redirect_uri and account_linking_token parameters are appended to your registered callback.
Once linking is complete, redirect users to the location provided by redirect_uri and append a authorization_code parameter (defined by you) to confirm linking.
Optionally retrieve the user's page-scoped ID (PSID) using the account linking endpoint. This step should only be used in special cases when you need the user's PSID as part of the linking process.
These steps are very easy to follow, except there's no help whatsoever on how to actually link the account, I get the redirect_uri and the account_linking_token as parameters on my callback website where I enter the account login and password.
And then, I link the accounts...? How exactly?
What's the use on this button? I know it is supposed to link accounts, but what do I need the account_linking_token for? I can already send in a regular web_url button the user psid, I can easily send it on my login button as a parameter and link account to this psid if credentials are correct.
I strongly believe there's something I'm missing or something I'm not understanding, but I don't know what. I followed the steps, called the account linking endpoint to get the PSID, which I already had since it is how I send messages with my bot, but I don't really see the point on this button.
So, what am I missing? I'm so frustated.
Just been through a similar bit of head scratching, so will explain what I've done while it's fresh in my head
For my example, I wanted Facebook to redirect out to my main login page, which is an open id connect implementation. The customer signs in to this, and I get an id_token and access_token back from that. Upon receiving the access_token, I'm extracting the 'sub' claim from the JWT, which is the unique customer identifier in our database.
I'm then redirecting back to the value that was sent to me in redirect_uri, appending authorization_code={the-value-of-the-sub-claim}
This then triggers the 'account link' webhook, which will Post to my service code, containing the PSID of the Facebook user and the authorization_code, which is my unique customer id in my business database.
You now have the 2 bits of information you need, the unique facebook id and your unique customer id in the Post message. It's up to your business code to persist this information to some sort of storage at this point
On subsequent message posts to the Bot endpoint, you always have the sender (PSID) in the message. Your code can now look up the corresponding id specific to your business and perform operations relevant for that id.
Where the linking takes place - that's in your code, you need to handle the message from the account link webhook and store the data for future use.

Facebook API - access token works for SOME requests

This is driving me totally crazy. I've set up an FB app and retrieved an access token by visiting: https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET.
Now I want to grab a (publicly available) feed from this URL: https://graph.facebook.com/PAGE_OR_USER_ID/feed?access_token=ACCESS_TOKEN
It works fine when I try it with my own user ID or even when I try another random page but it DOESN'T work when I enter the PAGE_ID I need it to work with.
Here are some examples:
This works fine (a friend of mine's Facebook page):
https://graph.facebook.com/tatchit/feed?access_token=213451182120494|JgAwuCE74lh51t1pKMuRM2mz3GU&limit=10&offset=0
This also works fine (my own Facebook ID):
https://graph.facebook.com/al.dev.7/feed?access_token=213451182120494|JgAwuCE74lh51t1pKMuRM2mz3GU&limit=10&offset=0
This doesn't work (the client's Facebook page):
https://graph.facebook.com/142616539131188/feed?access_token=213451182120494|JgAwuCE74lh51t1pKMuRM2mz3GU&limit=10&offset=0
I don't get any errors but the result is empty.
If I try the Graph API Explorer it also works fine:
https://developers.facebook.com/tools/explorer/?method=GET&path=142616539131188%2Ffeed
But not if I enter my own access token. From what I understand the access tokens you get in the API Explorer are temporary so I don't want to use that.
How can this be?
Also. I've struggled to understand this whole access-token, client-id, app-id-business for ages now - is there a good tutorial where all this stuff is explained? I've never had this work without problems ever.
Thank you
You should be using user access token for all the above queries. App Access token is used when you want to do something like check the app insights so and so.
When the pages has age restrictions or something so, app token wont be able to get through, but since the user is already a member of the page, you can use the user access token to get the data.
Add : Quoting from the documentation,
Note that the **app access token** is for publishing purposes permitted by the publish_actions and publish_stream permissions. You will be **unable to retrieve information** about the status update post with the given ID using the app access token. Instead, you should use a **user access token** for such purposes.
Other Capabilities of an App Access Token
There is a limited set of information that can be retrieved from Facebook using an App Access Token.
Basic Profile Info of a User (ID, Name, Username, Gender)
A User’s Friends and their IDs
Permissions granted by the User to your App
Read : https://developers.facebook.com/docs/opengraph/using-app-tokens/
So you should be querying with the user_access token to access all the informations that you are looking for, not with an app access_token.
You are using an App Access token instead of a User Access token. Some of the pages you are viewing may have a country or age restriction set, so using an app token will not work.
See: http://developers.facebook.com/docs/concepts/login/access-tokens-and-types/

Categories