How to prevent a user from directly accessing my html page - javascript

I have a login page that sends a request to a Python script to authenticate the user. If it's not authenticated it redirects you to the login page. If it is redirects you to a HTML form. The problem is that you can access the HTML form by writing the URL. How Can I make sure the user came from the login form with my Python script without using modules because I can't install anything in my server. I want it to be strictly with Python I can't use PHP. Is it possible? Can I use other methods to accomplish the task?

It's apparent to me that you only want to use Python, no frameworks etc... So the problem is that you are actually redirecting to an existing web HTML page. Don't do that, instead serve the HTML with Python itself.
# pages.py
class DefaultPage(object):
def __init__(self):
self.html = '''
All Your HTML Here
'''
def self.display:
return self.html
Obviously your using something to serve your Python, I'm assuming something simple like Google App Engine Launcher, in which case you can just write the class. Even if your using some other simple WSGI, the concept remains the same.
# main.py
import webapp2
from pages import DefaultPage
class MainHandler(webapp2.RequestHandler):
def get(self):
page = DefaultPage()
self.response.write(page.display())
app = webapp2.WSGIApplication([
('/', MainHandler)
], debug=True)

The best method to handle user login is to use tokens as cookies.
After the user successful login generate a token and send it to them , save this token in your "in memory" DB(if you are using something like django server)- https://docs.djangoproject.com/en/1.9/intro/tutorial01/ , it does it for you.
Each time the user access any internal page in your website check the user token which have been sent as a cookie header , if is found in your DB direct him to the requested page , else , direct him to the login page.
I can help you more if you give more details about your server(server type)

What you just asked for is called Session Management. Here's the OWASP guide on it: https://www.owasp.org/index.php/Session_Management
You can use frameworks like Django written in python which already provide this security layer. https://docs.djangoproject.com/en/1.9/topics/http/sessions/

You have to add CSRF protection to disallow form submitting from untrusted sources. Dive into What is a CSRF token ? What is its importance and how does it work? question to understand how it works, also you can take a look on How does a CSRF token prevent an attack.
You can implement own csrf protection logic or use existing one like Django CSRF or Flask CSRF Protection etc.( it depends on technologies used on your project).

Make sure to check the "referer" header in Python, and validate that the address is your login page.

Related

Obtaining Request Headers Clientside

I'm working on making a login page with for SSO. The flow is that a user goes to an outside application, the application redirects to my login, which then recognizes that it's received a jwt authentication request, I authenticate the user and then redirect with a new token that I generate.
My question is, am I receiving a token in the request when the outside application redirects to mysite.net/login, or am I supposed to pick up the query string and recognize it?
I tried it for myself and it went to mysite.net/login?return_to=%2F
Are they sending me a token (like how I normally do serverside) and if so, how do I access it?
Here's the documentation in question: https://support.aha.io/hc/en-us/articles/203636345-Idea-portal-single-sign-on-JSON-Web-Token-JWT-
window.location.search gives you access to the entire "query string", which is the name of the thing you are talking about.
Here's a Stackoverflow answer that demonstrates how to pass it: How can I get query string values in JavaScript? But there are probably a whole lot of NPM packages that do the same thing. Or you could do a very simple regex / replace string.

NodeJS Routing - Post Login - with JWT and jQuery

I have seen more examples than I can count of how to build an NodeJS api with JWT, however, I have not seen anything on how to use the token when navigating your page via the routing.
I have the JTW authentication working. I am returning a token to the user and saving it in cookies and local memory. The part I am stuck on is the proper way to use that token when trying to navigate to other URIs on my site.
For example, when the user goes to my main page (mySite.com), they will be presented with an awesome picture and a login form. They successfully log in, get the token, but now the site needs to forward to mySite.com/home. If I am not using any fancy tools, just jQuery GET/PUT/POST/etc, how is this done?
Currently I make the original PUT, sending the username and password, which if successful it calls a jQuery callback that takes the returned token and saves it in the cookies and then makes a GET call (with the token) to get the "/home" page html. The GET returns the HTML which I then call $('body').html(response) to render that HTML. The only problem is that I am still at the URL mySite.com, not mySite.com/home.
If I try to do a redirect in the backend of the frontend, my JWT blocks it because I am not passing the token with it. Is there a way to do a redirect with a JWT or something?

Symfony3: Adding extra security before loading login form

I have been creating web application using symfony 3, and I've been requested to add an extra layer of security. I need to check for a key (or token) before loading the login page.
I've been reading the docs, but majority apply only for the login page. The key (or token) is provided by a custom backgroun app and when the user tries to load the login page, the app passes the key via javascript.
So, I'm looking for a way to first look for the key, compare it to a key stored in my database (may be security.yml). If the key matches, then load the login page (key is no longer needed after this).
Is there a way to do this?
Edit:
Optionally, may be is there was a way to grab the key (that is being passed via javascript) and then instead of connecting to the database, compare the key in Twig. So, using Twig to get the key?
Think about security layer like this , user have hardware tokens like yubikey.
https://www.yubico.com/start/
then you install bundle like this
https://github.com/pmdevelopment/yubikey-otp-bundle
and with that you can create 2FA hardware based security layer (you have service for youbikay auth - you can authenticate user with this at any time - depend on your need .
If I understood correctly your specs, you could:
Load the page without the login form
Do an AJAX request that sends the token/key to your server
If the key is valid return HTML for the login form with a hidden input field that holds the value of the token
Validate the token when processing the submitted form
Since 4 is usually done automatically you will have to hook in via a listener, or just submit the login form to a controller and log in the user "manually".

Static HTML page in Flask while redirecting

I have a Flask app that takes in a url, does some logic and redirects the user to another url. I'd like to just generate a static html page that basically says "please wait" while the logic is executing.
Is there a nice way to do asynchronous stuff like this in jQuery?
app = Flask(__name__)
#app.route('/stuff/morestuff/')
def stuff():
#can I load html here without a return()?
#request.args input url, calls out to api, generates new url
return redirect(url)
It doesn't work that way. When an HTTP request is made to your server, the server gets to send back one response. That can be a success, a redirect, or several other types of responses. There is rarely a reason to do what you're describing because responding with a redirect is typically a fast operation.
However, if you really want to achieve that sort of behavior, you would need to respond with a success and have the page with which you respond take care of handling the redirect using javascript. At this point, you could perform all the logic client-side using JS, or use AJAX/websockets to communicate with the server for additional information while the user is told to wait. Keep in mind this method requires the user to have JavaScript enabled, which should not be necessary for a simple redirect.

Send token stored in cookie to server and get boolean return

I dont know if this is even possible to do. I have searched a lot on the web with no big help to prove that it could work.
What i want to do is to grab a token saved in a cookie. Then put this cookie in a freemarker function call. So then the server will reply true or false. Depending on if the token is valid or not. If it is valid the content will be written.
<#if (object.somefunction (GrabTokenAndSendIt) )!false> Show Content </#if>
Is it possible to do something like this? Im new to freemarker. So any tips is helpful here.
I use the following command in javascript to grab the token from the cookie
localStorage.getItem('userToken')
FreeMarker doesn't prove anything to access HTTP or servlet related stuff out of the box. It's up to the web application framework to expose such things to it, if it wants to, but usually it shouldn't. FreeMarker is mostly used as MVC View, and as such, it shouldn't deal with non-presentation issues like cookies. You should check that cookie in the MVC Controller, then put into the date-model (aka. template context) if the visitor is authorized to see that conditional content or not.

Categories