I want to add authentication to existing application that uses Ajax and I am thinking of the best way to do it.
Here is a typical scenario:
First request - ask for a login, proceed to the first screen. This works well.
Session expired.
Since I do ajax and send 2 requests per action (one actual request and one that records the action for statistics/audit) it could happen on one of those. When it happens the app shows me the authentication screen and after successful authentication user is forwarded to the previous request.
The problem here is that I don't want a forward, I want my custom Ajax/javascript handling to get the response and handle it. Is it possible to just pop up a window to authenticate, then when I get the response continue like the session never expired?
I have this in the web.xml :
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/login_error.jsp</form-error-page>
</form-login-config>
</login-config>
Related
I'm trying to get a response header using express js but no way i try is working.
Here is where i set the header:
return res.status(400).header('loginError', error.details[0].message).redirect('/login');
This works and i can see the header in the network tab on inspect element but when i try to access it it doesn't return a value.
I've tried:
res.getHeader("loginError"), res.get("loginError"), res.header("loginError")
Here is my ejs code:
<div class="login-form-error">
<div class="login-form-error__inner">
<span id="login-form-error__span"><%=loginError%></span>
</div>
</div>
<% } %>
I set the loginError var when i render the page:
res.render('login/index.ejs', {
loginError: res.header
});
Any help is appreciated, sorry if this is a dumb question
From your proposed solution, it sounds like you're trying to do a redirect, but send some data with the redirect that will come back to the server when the client requests the redirected URL (on the next request).
You cannot use a custom header with a redirect. The header will go to the browser, but the browser will NOT include the header on the request that follows to the redirect URL. So your server won't get the header back again.
You can send data from one request to the next request from the same client in the following ways:
Set a query parameter on the redirect so that when the browser sends the redirected URL to the server, the data you attached as a query parameter will be part of the URL where your server can look for it and use it. This would be useful for data that is not particularly secret.
Use a server-side session such as express-session. Then, you can set a client-specific piece of data in the session object (which is a unique object for each user), send your redirect response and then when the redirected URL comes back on the next request, your server can check the session for the data (read that data and perhaps clear it).
Set a cookie along with sending the redirect response and then when the redirected request comes back to your server, you can check for the cookie and grab whatever you want in the cookie (and delete the cookie).
Using data in a server-side session is the most secure (as the data never leaves the server) if that's relevant for your particular use case.
You cannot use req.app.get() and req.app.set() because those are global to your server and thus multiple users will compete for the same values causing concurrency problems (where one user's value trounces that from another user or one user gets the data that belonged to another user). This is a buggy experience that will only hit you every once in a while and is hard to reproduce and figure out why things went wrong. Don't do it this way. It's analogous to trying to store data from two users in the same server-side variable. Only leads to problems.
For anyone wondering: Instead of using headers I found that if you use req.app.get(var) and req.app.set(var, value) you can easily send data from one request to another. I don't know if it is a secure way to send store data or not if anyone else has more info on that feel free to respond.
When a user scans QR code in our web page and makes purchase with it (using a 3rd party application), I want to hide that QR code and process the purchase.
I got an API to check whether the transaction was successful or not. My first thought was sending a request to that API every 2 seconds to check the transaction (terrible idea?). But they told us to create something called a "hook" and they would subscribe to it. What's that? How should I implement that?
Hook may generally mean webhook, here is the wikipedia description.
Webhooks are "user-defined HTTP callbacks". They are usually triggered
by some event, such as pushing code to a repository or a comment being
posted to a blog. When that event occurs, the source site makes an
HTTP request to the URI configured for the webhook.
Hook/Webhook
Think a hook as an endpoint, where a user can notify you / giving you information.
The way it work is like a user accessing a url and sending params
your-url.com/hook?order_id=123&status=complete
Warning: Example code, generally a good hook should provide authentication method.
That way your server can interpret that information as
order with id 123 has been completed
That was a basic implementation.
Other easier analogy is:
a user accessing a url and input a form and press submit. To which url the data is sent, that url can also be called hook.
Basically they are telling you to implement a service that they would call when a transaction ocurred successfully, instead of you going to them.
I havebeen having trouble with backend for a while now and Express JS has made it especially hard. However, I think I am to blame, because I've been going at with the approach that it was an MVC framework generator or maybe it was a framework that helps with authentication. But if I am correct, Express JS should reflect a RESTful API for everything. Not just for user sign up (POST) and loggin in (GET).
This is where I am kinda need clarification. From now on, is it best practice to always use RESTful API when interacting with a database? A real issue I had was with a user table and a likes table.
If a user clicks a like button on a photo, I want to do something like:
INSERT INTO likes (user_id, photo_url) VALUES (current_user, url);
What would the approach be to do this? How do I tell the like button to refer to the API? It's not like a signup form, where we give them names. Or do I just go into the Express file and start defining routes?
Yes, you create an express route for each ajax call that you wish the client to be able to make.
Here's the general sequence of events for a Like button on a photo:
User logs in. That creates some sort of state in the cookie that identifies the user (either an ID or more likely a server-side session).
User presses Like button on a photo.
Javascript attached to the Like button in the browser, gets the current photo ID and makes an Ajax call for "likePhoto" with the current photo ID as a parameter for the Ajax call.
The Ajax call hits an Express route that you have previously set up to handle this Ajax call.
If there is no logged in user session associated with this request, then the request is probably denied (probably returns some error code associated with unauthorized).
The Express route uses the cookie to identify the user making the request so it now has the photo ID and the user so it can make the database call to add the Like to the DB.
After the DB operation completes, the ajax call can return a 200 status and whatever response is appropriate.
I have a website and currently I am handing the timeout on client side that is using Javascript, so that I no request is being made I log the user out, but I have seen people on SO suggesting the same approach , and I see a big lapse in it, suppose a user has 2 tabs open.
Tab 1:
www.MYSITE.com/welcome.php
Tab 2:
www.MYSITE.com/edit_profile.php
Now if user is on Tab 2 and he is editing the profile there, Tab 1 is idle that means user will be logged out/shown warning (the way you are handling Idle time).
So that doesn't seems to be consistent, in my thinking it should be on server side, is my approach correct?
One way could be,
In case of Ajax, Whenever you send any request to server, on server you can check if session expired using isset($_SESSION['variable']), send a response SESSION_TIMEOUT & then in ajax callback, check for this response.
If this is found, show user a message 'SESSION expired!' & redirect to initial page (may be login page).
We have a mobile app (built using phonegap) accessing data from a REST API. This rest API has an authorization token specific to us - provided by them after registering with them. Now, we are using the API access URL with the token issued.
E.g. (http://api.something.com/cities/buildings/auth_token=blahblah). We are able to get the data through an AJAX request - which obviously has a SUCCESS and an ERROR callback function.
I understand now that there is an expiry for this session, and this is where I am stuck. My AJAX request fails and the control goes to the ERROR callback after a few mins. In my whole app, I do not have a login screen (I don't want to have one).
The AJAX request is being called on a button click. So, when I click this button for the first time, my data comes out successfully. But when my session expires, I get an error message (the message that I defined in my AJAX error callback).
Here, if I click the same button again, the session gets established and I am getting my data again.
Shortly ->
Step 1. Click the button -> Data retrieval successful
Step 2. Session expires
Step 3. Click the button -> Error message appears
Step 4. Click the same button again -> Data retrieval successful
Now my question is how to handle this scenario? Is my understanding of this particular REST API correct?
My expectation is to eliminate Step 3, Is that possible? Any workaround? Or should the user follow all these steps for sure, everytime a session expires?