I am currently writing a NodeJS application based on Sails.JS, and I'm using ntlm-express for NTLM authentication. This works perfectly fine when the authentication succeeds but in cases where it fails (for example, a Firefox user entering wrong credentials) ntlm-express returns a 500 error code, FireFox stores the credentials in its cache and the user is unable to login to the web app at all, since he's not getting a new prompt to enter credentials. The only way for the user to log in is to manually clear the authentication cache in FireFox and try again.
What I'd like to do is in cases where ntlm-express fails to authenticate the user, to prompt him again for credentials instead of returning 500.
Has anyone done something like this and can point me in the right direction? I found very little information online regarding this topic...
For anyone who runs into a similar issue, I managed to solve it by overriding the express-ntlm forbidden function to return a 401 instead of of 500 and editing the default Sails unauthorized.js response to also return a "WWW-Authenticate: NTLM" header.
That way I am forcing the client to retry NTLM negotiation until he gets it right...
Related
I'm trying to scrape the movements of my bank account with Puppeteer, with a simple script that I run from VSCode. But the login always fails, even though the user and password are 100% correct.
After lots of HTTP requests testing, I found out the culprit is one cookie called _abck provided by the server when visiting the login url:
If I visit the website using Chrome and copy paste that cookie, the login requests work perfectly:
However, if I try to use the same token fresh from Puppeteer or Axios... it fails with a 403:
I have even tried this: running the code and when Chromium appears, I open a new tab, go to my bank's website, get the cookie from devtools, paste it in a request and fails the same way. I'm puzzled.
Why? How can I get a working _abck token programmatically?
I'm currently playing around with a KnockoutJS SPA template in ASP.NET Core 2.1, and I managed to implement an authorization flow exactly as this one which was made in Angular:
https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login
As you can see in their User front-end service, basically the only check for whether the user is logged in on the client side is the check if the "auth_token" key exists in the client's local storage:
https://github.com/mmacneil/AngularASPNETCore2WebApiAuth/blob/master/src/src/app/shared/services/user.service.ts
this.loggedIn = !!localStorage.getItem('auth_token');
// ?? not sure if this the best way to broadcast the status but seems to resolve issue on page refresh where auth status is lost in
// header component resulting in authed user nav links disappearing despite the fact user is still logged in
Simply put, anyone can open up the browser local storage and insert a random string with the "auth_token" key and they'll be able to see everything admin-related in the UI (even though they will fail on API requests).
Can someone suggest a better flow for this? Or is the only option to send a "log in request" to the API, whenever an admin page is "opened"?
P.S. I am relatively new to the authentication schemes front, should JWT perhaps not be used for client-side content validation?
Considering JWT best practices, all your validations should be done in your back-end, since any validation coded in your web app could be read by any of your clients, resulting in a huge security flaw: anyone would know how to create a valid JWT for your application.
Is it a big problem to be possible to see your admin-related UI, even without any data? Considering that all of the routes which can return sensitive data are protected by JWT authorization, if a user access any pages or parts of your UI which require data, they would trigger a request to retrieve it, which would probably return a 401 (Unauthorized) HTTP status, or similar. A common front-end practice in these situations is to erase client user data, and redirect to a login page.
So, a typical flow would be:
User inserts a fake access token into their storage
User opens an admin page/ui which uses sensitive data in any way (showing, using for any internal logic, etc)
Web app does a request to the API requesting data
API returns a response which will be interpreted as an authorization error
Web app receive the API response, erase user access token and redirect them to its login page
In most cases, this entire flow will happen fast enough to block your user to further interact and explore your web app.
Would be better if you provide more information about your scenario, so anyone could understand if your worries are something that needs to be considered and truly solved. However, in most cases, the behavior above is accepted.
I am developing a web app and I'm using Firebase for that. Since I do not have a domain name yet, I'm trying to use my localhost. I can see localhost in OAuth redirect domains. Also the initializing part is working fine.
But when I create a user using firebase.auth().signInWithEmailAndPassword it shows [HTTP/2.0 400 Bad Request 447ms] when posting to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword.
I'm new to web app development and Firebase web as well. Somebody please help me to do this using my localhost.
Thank you
You can create a user using firebase.auth().createUserWithEmailAndPassword(email, password). The email must be in a valid format. Don't forget that the password must be strong enough. Firebase returns auth/weak-password error code when using a weak password (less than 6 chars).
See also:
https://firebase.google.com/docs/reference/js/firebase.auth.Auth#createUserWithEmailAndPassword
I want to test flow using Protractor which occurs after login page, can I bypass or skip or avoid login while testing that flow?
One option would be to instead of opening a fresh browser instance each test, you open Firefox loading the Firefox profile previously saved when you was logged in. Aside from many other things, the profile contains cookies, that are usually used for login session validation:
log in to your application via Firefox
open Help->Troubleshooting Information->Profile Folder->Show in Finder (for Mac OS)
copy the path to the profile
use setFirefoxProfile HowTo to learn how to load this profile every time you run your tests
You can always mock the login, where details will depend on how the login is implemented.
If it is the session or key returned by the server, you can mock the server response by supplying that key, that will be accepted by your front end code, as if there was successful login.
When I use the FB.login function from the JavaScript SDK and I am logged in on Facebook with my developer account the popup appear and everything is fine. If I'm logged out or logged in with another account the page won't load and gives me an error
HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfill the request.
In my app settings the sandbox mode is off so this shouldn't happen right?
I am hosting my website locally, don't know if it matters.
Thanks for your help.
Same error just now popped up for us. Resolved it:
We found we still had a Facebook SDK API Key in some of our configuration which was being used for some of our log-in screens.
If you're still using an API key with your javascript SDK, try using your app ID instead. You can find that in the settings for your app here: https://developers.facebook.com/apps