Securing accountsystem from external changes - javascript

I just started my own little project with HTML5, PHP and Node.js.
Currently everything works just as i want it. But something came to my mind after checking the code. My website is supposed to be an auction house. I store the userid in my database and have the id as an id tag on the website.
Here is the problem. If someone now bids on the items, i just simply take the id and send it to my node.js server. Technically someone could just change this id to the id of another person registered. Currently i have no real solution to this problem, since this is my first website.
I thought about maybe inserting the phpsessionid cookie into the user database everytime the user logins and then send these with the userid to the database everytime he bids on an item. The node.js server would then compare the stored value with the send one to verify if the right user send the bid.
My question is now, is this a good solution or is there a better way?
Edit:
Some of the code:
<li class='dropdown' id='steam' title='".$steamprofile['avatarmedium']."' name='".$steamprofile['steamid']."'>'><span class='caret'></span><ul id='profilenav' class='dropdown-menu'><li><a href='?logout'>Logout</a></li></ul></li>;
So this is the part that gets created once i login with openid
var steamid=document.getElementById("steam").getAttribute("name");
socket.emit('status added',{itemid:id, tmerid:timerid, steamid: steamid, avatar: avatarlink});
This is how i get the userid and send it to the node.js server

Related

How to build "Selectable Keep Login" function by Cookie/JWT

I'm using Node(axios,pinia)+Vue3 as frontEnd,and node(express,bcrypt,jsonwebtoken)+MongoDB as BackEnd to build a SPA web.
I use JWT for login authentication and save at localstorage.
Now it only can keep login.
Hoping have Selectable "Keep Login" function like some forum usually have.
(After closing browser/shotdown will need to login again.)
I don't use sessionStorage for this website user often open new tab.Some cross tab problem bother me and I thought cookie might got better solution.
I can imagine only "Always login"/"temp login" can be done likes. But with selectable I can't thought a simple way to apply it.
Like now I'm thought still use LocalStorage(LS) for Vue to run,but also have Session Cookie(as Cookie)(Not sure the name but the cookiewill be deleted when all webs closed).
Keep login need no change for me.If set to temp login, then the setting will be save to JWT,all front/back could know.
Use cache as signal for closing browser,if (temp login)&&(no cookie){clear LS}.
However I wonder the localStorage can be extract so the func will not safty enough? Then a school computer will be disaster
I'm new to cookie/session,and want to know any better way for safty/efficent. I will prevent XSS.
It would be wonderful to have your experienct/Idea!
Poor language and consult at here first,If any describe not clear/too detail please tell me,I will try to edit it, thanks!
The use of JWT is below:
BackEnd use bcrypt verify user password and response a JWT(with userID for db to find,also save to user login record DB) and other basic user info.
Some response data like JWT,basic userinfo will be save in localstorage to let Vue decide display login/admin/different page.
When user send a request(some login-action), JWT will also be send as BearToken to bo verified by backEnd that JWT was record in that user login record.
So JWT is the only security key,the user's login record should have same JWT.
Because it save in localstorage,user must logout!(Despite I can set some limit time.)

unable to login with updated user after changing user info via PUT request

Newbie so apologies if I am not concise enough on this. Creating a simple application in react that displays movies and allows users to have profiles. I am running into an issue with retrieving information from my database. When I sign up and register as a user for the first time, my data is stored in my db and I am able to login via username and password.
Once logged in, I can then navigate to my profile and update my information (username, password, email, birthdate) and using a "handleUPdate" function I am successfully able to update the user info and this new information shows in my database. The issue is when I am redirected back to login after updating my information, the system does not recognize my credentials (despite the updated user info showing in my mongo db). I think the issue is occurring either in my mainView, profileView, or loginView. For reference, i've attached my repo link: https://github.com/jchasehuskey/myFlixx-client-final.git.
I can include more information if needed. The error I am getting when trying to login via the new username and password is: " POST https://myfavflixdb.herokuapp.com/login 400 (Bad Request). "
Again, it's unable to retrieve the updated user info from the DB. I have been dragging on this for days and am not sure where I am going wrong. I could be asking the wrong questions or giving the wrong information. Any help would be much appreciated.

Adding attachment/s to PHP Mailer is taking long loading process to complete

Good day everyone, I'm looking for the best way to automate my purchases through my web app. Hope you can give a good advice or suggestion
Let's say we have one product, one user, and order table,
Product name is MusicMixes, product price is 50$, product attachment is Music.mp3 (with a size of 50mb)
User name is Juan and user email is juan#mail.com
Here's the current scenario/application that I have. I am using phpmailer() to send an email with attachments to buyers after a successful purchase using this syntax.
$mail->addAttachment("uploads/".$file_name);
Assuming the buyer bought MusicMixes product, the behavior of the process will be:
The web app will get the User's name and email using session.
The web app will fetch the data of the Product (incl. the Attachment) from database based from the Product ID/Name
The web app will then send an email to the buyer, the structure is like this.
if(isset[post]){
//get user data from session
$name = $session[name]
$email = $session[email]
//get data based on id/name
stmtSelect = select * from product where ID/Name=MusicMixes
//Insert data to db
stmtInsert = insert into order (name,email,productid,productname,productattachment,productprice)
if(stmt execute){
//send email with attachment
$mail->Addattachement....
}
//Process is done
}
I'm encountering a long loading process before the process is submitted/done because I assume that the web app will fetch the attachment (big size, 50mb) and upload into phpmailer() and send it to the user. Typically, if the user refreshes/cancelled/did something to the browser while it is still loading. There are times that the attachments/email are not sent but the data is being saved into the DB.
My question is...
Is it possible like to save it first to database so the loading will be done instantly.
purchase.php = saves data to DB
then after some time maybe after 3-5 minutes, theres something (I can't figure it out) within the web app that will trigger mailSend.php
mailSend.php = sends the email w/ attachments based on DB.
There is somewhat another PHP file/other instances that will handle the mailing process to get the necessary info from the DB then send the email with attachments to the user? so that it doesn't affect the loading time/UX for the user. Something like its loading an email function, the backend is doing its thing without interrupting the user. I can't really explain myself so Hopefully you guys get what I meant.
Thanks for the big help!

How to login a user using firebase authentication

I'm currently using firebase-admin to create a web Dashboard with node.js as a backend which will have multiple users and those users have user specific data in my database, note that I need them to be able to delete or add stuff to the database as well, I've managed to add new users to Autentication using firebase.auth().createUser() programmatically, but how would one go about logging in a user, and then from there controlling which uid is logged in and displaying his data (giving him access to the correct data, obviously don't want him messing with someone elses data).
I know this might seem like a really newbie question, and it probably is, but firebase docs always get me confused for some reason. Any tips? I'd greatly appreciate.
Any questions don't hesitate.
To login a new user, try this:
firebase.auth().signInWithEmailAndPassword(email, password)
this returns a Firebase.Promise which you can use to track the operation progress. If successful, it will return the corresponding Firebase.User object.
From there, the logged-in user will also be available in the firebase.auth().currentUser property. You can then use the user's uid property as a key for his JSON branch on the database.

What's the best way to provide forgotten password functionality with CouchDB and Backbone.js?

I've got an ajax app built using backbone.js and it's hooked up to a couchdb instance. I am trying to build forgotten password functionality using the following workflow:
1) user enters their username
2) I send them an email with a link in it
3) the user accesses the link and enters a new password
I can't figure out how to actually get the password updated however. For security reasons, I'm not going to embed admin creds into the client, and it looks to me like a user has to be authenticated before they can make changes to their password.
Thank you for your time and assistance. Hopefully I'm just overlooking something silly.
I do it like this: save a unique key to DB, send a link that includes that key to visitor email and of course when he will access the link you will need to check the availability of that key, maybe consider 15 minutes since key was sent or decline his reset request

Categories