I am currently attempting to develop a quick tool that would allow me to check my cellular plan balance (carrier being MetroPCS). To do this, I need to be able to login to the metro website with a library (like python requests) that does not render javascript. While checking the post request for the login form on metro's website, I noticed that the password field (labeled "verificationValue") seems to be encrypted. This obviously means I cannot login with a plain text password. Encrypted pin number
I have attempted to look up ways to somehow trace back the javascript that may handle encrypting the password field before it is sent as a post request but was unable to find anything that I could understand.
you should try to find a way to interact with the service directly, bypassing the login form. For example, you might be able to use an API provided by the service to check your balance, rather than logging in to the website
What is the difference between using Google OAuth and signing in users at the frontend of the application, and signing in users at the backend side of the application?
Example: Signing in users and getting the ID and a auth object in React or letting Node/Express handle everything, the prosess, redirecting and store it in a database.
Is there any advantages for one or the other methods, which are most common and are there any "rules"?
What is the difference between using Google OAuth and signing in users
at the frontend of the application, and signing in users at the
backend side of the application?
So to clarify to everyone reading this, signing in users at the backend side of the application is another way of saying OAuth for servers and signing in users at the frontend of the application is OAuth for JavaScript browser applications such as React.
Signing in users via OAuth for servers and browsers results in a 'token' that a server/browser can use to make requests on behalf of the user. We are asking the user to provide us access to their information via an outside service provider such as an email address, identification of some sort and it will be inside that token as well as some possible permissions that allow us to take actions on behalf of that user.
Is there any advantages for one or the other methods, which are most
common and are there any "rules"?
Server-side OAuth is usually used when we have an app that needs to access user data when they are not logged in. So if you are attempting to build an application that needs to access the users email every ten minutes and possibly delete emails on the users' behalf, you would want to be able to access their email account every 10 minutes regardless of whether they are logged into our application. So for this use case we want to make use of Oauth for server.
Otherwise, if we are not trying to do anything on behalf of the user except sign them into our app, then we can just go with OAuth for browser.
Those two things are very different. Without knowing the specifics of what you're trying to accomplish, you should know as a general rule that front-end-only authentication and authorization leaves you extremely vulnerable.
If someone knows JavaScript well, or is using editing plugins, or any of a million different things, they can bypass much front-end authorization. Or they could just watch to see what calls your app makes to the back end, then simulate those calls from something like Postman, bypassing your web front end entirely.
If you're not securing your backend, you're not secure. Typically systems do both.
It is just a different ways of registering users to our website.
Signing in users at the frontend using OAuth can be very handy as it enables our users to not go through our boring forms in our website. Using OAuth is just one click away from registering users in our website. Beneficial to both the clients and developer.We are provided with the general information about clients by the provider(google,facebook) just clicking on one button.
Signing in users at the backend side is the traditional way of registering our clients. Here we force our client to fill the forms in our website(which may be painfull if it is a long form) and all the filled data is stored in our database.
So they are both different ways to register clients to our websites. Both are used very often. It depends on usecase and needs. Oauth can be used if you want to attract more clients by registering them just by one click.
I have a .NET Web Api. I want to consume from webs and Mobile Apps, but I don't want the user to sing in or create an acount. Can I make an authentication from IP or domain name or something similar?
I tried to implement a Basic and Oauth Authentication, but don't want to place the plain text with the user and password in javascript webs cause everyone can see it and I can't find a secure way that don't need to ask the user to loggin.
Do you have any ideas?
Edit:
I know that I can use google or facebook account or my own users database... the problem is that i don't want the user to insert their loggin parameters and i am searching a secure alternative to restrict the use of the app.
I am building a website that will require the user to enter a zipcode to navigate to any page that is not the home page. The zipcode will be sent to a database via an html form.
Would this be an occasion to use HTML5 local storage?
My idea is to use javascript to capture the zipcode the user enters into the form. When the user navigates to another page I could prevent a page load unless there is a zipcode present in local storage.
There is possibly another option, but I'm not sure it is a good way to go: HTTP Authentication with HTML Forms. This is authentication, but I'm not really looking to authenticate based on a specific username/password. I just want someone to enter a valid zipcode.
These are just some ideas I had on how to accomplish this goal. Would either of these work? Is there an alternative, better way to do this?
Environment: Orchard CMS (.NET MVC)
I have developed a multi-page Javascript web application. My clients have asked me to provide a login page. They do not need anything fancy and requested a single username and password that they can share with those who need access to certain featured within the application. They want anybody to be able to see the application, but only authenticated users can use certain tools within the application.
I currently use an ASP.net proxy page (.ashx file) for handling requests to and from a 3rd party server storing the data consumed in my application.
I've never created a login system and have no idea where to begin. I don't think I need a database for login information because there will only be one username and password.
How could I go about securely storing the username and password to authenticate with the user-submitted login information and enabling parts of the application based on whether a user is authenticated or not?
The good news are that you don't need to build the login system, Microsoft did it for you. This is called the Membership System. All you need to do is expose this API to your end users.
And it's a bad idea to have a single credential for everybody. It is better to assign unique credentials to each user.