I'm trying to figure out the best way to authenticate a Firebase request with a server side API endpoint using an existing session held with the user on the client app.
Let's say want an endpoint called generateKey that writes a generated key to a users Firebase profile object that only an authenticated user can write too:
http://example.com/generateKey?id=qwerty123
The user has a pre-existing authenticated session with the target Firebase through the client app. The user needs to generateKey through this endpoint. I could pass the auth.token as a parameter to the API endpoint like:
http://example.com/generateKey?id=qwerty123&token=abc123
And then use ref.authWithCustomToken(TOKEN) in the route handling the API request server side.
This method seems to work but is this the right way to do this?
Related
Long winded but I'm using Googles Youtube v3 Data API node.js package to sign in users and view playlists and such. Currently when a user successfully logs in with googles Oauth redirect flow a route server side is called which passes in a code by url query parameters. I'm able to parse that out, generate a token with my oauth2Client and then create a signed jwt. Right now I redirect the user to a url that has the signed jwt as a url query parameter which is then parsed out browser side and stored as a token in the local storage, this is my first time using anything related to jwts and want to be certain that I am doing things in a secure way. Being such I'm not entirely sure that how I am sending the token server side to client side is the proper way and not quite sure where to start looking.
You can pass in response like res.cookie(key, value)
There are multiple way to pass token from server side to client side
1) you can pass token in your response
2) you can pass token in response header
It is not the right way. If the server is responding to an XHR request (coming from javascript), then the server can send the JWT in the body of the response. If the server is responding a regular browser request (GET or POST, but not handled by javascript), then it's easier to just put the JWT in a cookie.
I have a React app with backend API written in Express (all /api calls are proxied there).
Upon successful user authentication, I will be generating a session ID and storing it somewhere on the client side so that I can later authorise requests to the API.
What is the best practice of implementing this architecture on the Express side? Shall I just send the session ID along with the body of each API request and then precede all backend calls with an authorisation mechanism? Or is there some better/easier way of doing this?
My intuition would be to take two steps.
On the client, set up your HTTP client to pass the sessionID as a header. You can set custom headers using an HTTP client like axios or, in ES6, fetch, and apply those headers to every request send to your Express API.
Set up a middleware function on your app that will run on every request received by the server. Express has an easy way to do this using app.all("*", yourAuthFunction). You can also take a look at app.use for applying a middleware to more specific routes. This will ensure that your sessionID gets verified on the server before any data is sent in response to the client. Of course, you'll have to write the auth function to work how you'd like.
Good luck!
When the user successfully authenticated (it should auth' anytime the page loads), a response should be sent to it (contains the session token).
Every other request should be authenticated with the session token that received on the authentication response.
You can store this token value into hidden input <input name="session" type="hidden" />
So I'm unsure of the practicalities of authentication on a SPA, as I try to get used to my new stack of choice.
I will be serving a Node/Express app, with all API routes on /api, and the frontend served on the root / (all routes will serve index.html, then the client-side routing will take care of the rest. So I have the backend authentication set up with the Passport library, which works well. But how does one keep the server and client sessions in sync? As well as taking care of security.
If I make a POST request to /api/login with credentials, what do I return in the response to the client? And where is the session set?
My frontend is Vue, so I assumed I would just pass the user data (if credentials are correct) to the instance and have a user object. But I'm guessing I need to store a token of some sort? (jwt?)
If someone could clear up how this client-server architecture works, that would be great.
Cheers.
Whenever user logs in with credentials you can send a JWT Auth Token and then store the token as Cookie/Local Storage.
Then send the token as Authentication Token in each request as Request Header/Data to validate the user.
Link: Here is a tutorial with NodeJS
The story is, I have 2 potocol in my sails.js server, this sails server is only for API access, and some API are MUST logged-in to access, the websocket is also running on this server.
In the sails when I login then put the user data in req.session.me, this will save the user data in session, next time I through http to access then I can get save data from req.session.me.
Reference: http://sailsjs.com/documentation/concepts/sessions
The question is saving data in user session req.session.me through http to access the server then cannot get back req.session.me through websocket to access the server.
Many Thanks!
I work on web application and I want to have live notifications to a user via websockets. These notifications should be received only by a user whose notifications belong to.
I wonder if it's good idea to pass an temporary authentication token (which would be unique for a user) to javascript and the script connects to websocket server and pass the authtoken as a parameter to make a handshake. Is it secure solution to pass auth token to javascript and then login via websocket using this authentication token? Of course web app is secured by ssl and web socket server also.
You can try
User authenticate to Web app Server
Web app Server will generate 1 Key Code for this session ( Maybe Md5 with salt is username) if user are valid
Web app Server send this key to Web Socket server
Web app Server send this key to client-side
Client will send this key to websocket server to authenticate
If socket contained this key -> user is valid -> OK, continue to transfer data between socket and client, Else Web socket server will stop this connection.
It will be secure because authenticate key is unique and SSL will make it be better.
Hope it'll help you. And this was our solution for building a FOREX System : Authenticate via CAS ( Single Sign ON ) and Websocket to send the index data. In our case, CAS server will generate 1 Single Sign On ID, and we use it to validate.