I am creating web-app with react. It is my first JS project so I decided to ask for advice.
I do not know how to manage user session.
I am using axios.post to connect with server but I do not know how should my app behave after successful authorize. Now app just changes page to for example /myaccount.
Please tell me what should I use ensure that user cannot access /myaccount without login.
Related
This is a hypothetical question, so let's say you've got a full-stack web application and there is admin-dashboard in the front-end side.
I, as /NOT/ admin, try to access a route such as /api/admin/dashboard
In the React app, some authentication logic can be done such as if user.isAdmin allow to dashboard else navigate back to homepage
In the back-end side, let's say Node.js, you just res.send('not authorized')
So what I thought is I'm on the client side right, I can take minified js which is derived from npm build of React app, and I don't know but somehow I can revert it back to React App folder structure then there is all the util files, components, hooks and everything.
That means I can manipulate authentication logic like allow everyone to see dashboard and also manipulate the fetching logic that would be if error from fetching, instead of return 'not loaded', compeletely remove fetching logic to the backend and just see me dashboard
So, to my understanding, after some effort, maybe not data and functionality that requires me to speak to backend, i can see dashboard or even all the layout, right?
My question is, can we prevent this to happen in some way?
Or do I need to?
First, As you have use role based conditional dashboard render in frontend, When a non admin user inspect the app and figure out the admin dashboard route, when ever the person visit the page, if any api is giving 401 unauthorized status, then logout or redirect that person to actual page. For a millisecond he will able to see the page.
or
Second, Send your react routing as json from backend api. Backend is way more secure. It will send conditional role base route to react. So, no user can figure out actual route path from frontend any more. So, It is more secure.
We have a solution which using multiple SPAs written in Angular and AngularJS. These application implement the oidc-client-js library and authenticate in Identity Server 4. Due to limitation of AngularJS we need to render our legacy AngularJS apps in iframe. There is one main application that allows to login through IdentityServer4 and then we can open different SPA inside that main application. This is working fine until we logout and then login on different user. On the main app and apps that are written in Angular7 the user is correct but when we enter on application that is rendered in iframe the user stays from previous session.
According to the IdentityServer docs I was trying to add
FrontChannelLogoutUri to notify all logged in clients and end all sessions.
But I haven't found what this logout page supposed to do.
Also I was trying to clear all grants when logging out but there is no grants to be cleared. To acheive this I used following method:
await _persistedGrantService.RemoveAllGrantsAsync(subjectId, clientId);
This method from IdentityServer returns empty list.
var grants = await _interaction.GetAllUserConsentsAsync();
I believe after FrontChannelLogoutUri is rendered the session should be ended but I have no idea how to achieve this.
After redirect to FrontChannelLogoutUri probably need to clear session storage in iframe. For now this is working fine.
I am creating an Ionic 2 app with firebase and I need a way to listen to database changes (specifically on child_added) when the app is closed (I.e. in foreground,background and killed)
Basically, I want to use WebRTC to make calls within the app like whatsapp and I am following this post - https://websitebeaver.com/insanely-simple-webrtc-video-chat-using-firebase-with-codepen-demo
However, the only thing that puzzles me is how it will work when the app is closed. Can anyone please help me understand?
Thanks!
It's not possible to actively listen to database changes using the Firebase client SDK in exactly the same way that you can when your app's code is running.
If you want your app to receive information about changes to your database, you can instead use Firebase Cloud Messaging to send your app a notification with a small payload that contains information about the change. When your app receives the notification, it can then make a decision about what to do. There are some limitations with web support, so be sure to read about that.
Also look into Cloud Functions for Firebase to make it easier to write some server side code that can trigger in response to a database change and send a notification when those changes happen.
So I have built an API and now i am building a react app to go with it. The app will have different access level e.g user and admin. The problem i have at the moment is that The whole react app is rendered and sent to the client. So even though the routes are protected on the server. A user could potentially access the admin intended JavaScript on the client.
I'm trying to figure out how i can have a user log in and from that decide what to JavaScript to serve. After 2 days looking into this I am still stuck. A lot of articles seem to suggest making the App isomorphic (render the JS server side) but is there no other way of doing this. The solution we are leaning towards at the moment is having different builds. A build that just contains the JavaScript for the login. Then after auth we use that to decide if to load the user build or the admin build. This is going to mean repetition and i dont really like this method.. but its the only way i can think of at the moment.
My question is.. what is the best way to handle this in react? Also can react load components on the fly? so we could have the app just contain the login JavaScript and when Auth passes we send details on what components the user should have access to and then just load theses
I'm building a PHP web application, something like "Auction", I want to let the user to sign in using their facebook accounts.
I started using javascript SDK, I've built the first page in which I asked the user to login using facebook, after the authentication is made, the page refreshes and according to some cookies I stored after the authentication, the page layout and elements change.
I want to save the login status in such a way the server knows if the user is authenticated or not, I know I can same the appropriate cookies to give the server these information, so do I need the PHP SDK in the future? Is it better if the retrieving of user info done in PHP at server side? what advantages I get from using the PHP SDK rather than using the javascript?
I'm sill in the very beginning of the development process, and I'm not sure if I'm going the right way to use the javascript SDK alone! any help concerning this dilemma will be appreciated.
thanks