I have a customized third party server that handles all the rest apis. I am using Meteor as a middleware where the user logs in and accesses all the pages. All the information in those pages is basically generated using my actual web server (built in Symfony).
So using meteor HTTP.post I send user email and password as params, and my website API returns a json with a success or failure message. On successful login, it sends back a token.
What I am not being able to do is to, as according to this success message, "login" the user on my Meteor app without creating/checking Users collection from accounts.
The flow should be: successful login? authenticate the user, consider it as logged in user and store its token in session (without storing anything on this middleware). error? prevent the user from accessing private urls
I have found various packages, but they all target specific third party servers like:
Facebook with accounts-facebook
Google with accounts-google
GitHub with accounts-github
Twitter with accounts-twitter
Meetup with accounts-meetup
Meteor Developer Accounts with accounts-meteor-developer
Can this be done?
Related
i have built a webapp using angular material and firebase functions + realtime DB as the backend. I am using slack "Sign in with Slack" API oauth flow. All works well and i am able to generate a accessToken in the backend which i can store against the user in the realtime DB. Once that is done i make a redirect call to my angular app on the dashboard page. Currently i am passing userid in the redirect url which i use to drive user to dashboard and show his data.
This functionally works fine but is a big security issue. As i can directly type the redirect url and boom. I am in the dashboard.
So, how do i solve this? What should i be doing in the url redirect that is secure and validates the response is the the result of a valid request?
I am not familiar with the Slack OAuth SDK but in general, this is true for all OAuth providers. Ideally, at the point where you redirect to your callback URL with the slack authorization code and you exchange the auth code for a Slack access token before returning that access token to the client, you call the Slack API to get the Slack user ID with the access token and then mint a Firebase custom token with that uid. You then return that custom token to the client and signInWithCustomToken. Make sure you are checking the state field (which you set when started the Slack sign in) along with Auth code to verify that the flow started and ended on the same device.
I wonder if anyone can help. I'm trying to plan the AWS services that I'll need, and how they hang together, for a web application I'm planning.
Specifically I'm thinking about the user registration and login process using Cognito and DynamoDB.
Users will need to be registered and logged in in order to perform some actions. I'm thinking serverless, so these actions will be Lambda functions fronted by API Gateway. As with many websites, I'd like to use Facebook as the user authentication model. I'm thinking I need:
To create a Facebook application
To configure Cognito Federated Identities with the Facebook app id
To have a DynamoDB table to contain user information
To provide a facility to allow a user to register using their Facebook identity
On registration, create a record in the DynamoDB user info table with user's name, email etc as taken from their Facebook profile
To provide a facility for registered users to login with their Facebook identity
To somehow pass the user token (JWT token ?) on subsequent client requests to API Gateway endpoints
So far I've created the Facebook app and have an application ID. I've created the Cognito Federated Identity for the app and configured it with my Facebook app id. And I have set the Authorisation field for the Method Request for the API Gateway to "AWS_IAM"
Using the Facebook javascript SDK and the AWS javascript SDK, I've put together a very basic page that allows login via Facebook, then creates a new AWS.CognitoIdentityCredentials object with the facebook authResponse accessToken. Lastly it calls AWS.config.credentials.get to get the Cognito credentials. But this isn't really the steps above - it just proves that a user can login with their Facebook id and I can pass it to Cognito.
My specific questions therefore are:
What I'm trying to work out is how to do registration. Once the user has logged in via Facebook, how can I create a user record in DynamoDB?
And likewise, when a user goes to login (rather than register), once the user has logged in via Facebook, how can I ensure they have a user record in DynamoDB? (because if they dont have a record, then presumably they've not registered)
Lastly, how can I pass the user id / token from the client to an API Gateway endpoint?
I'm not looking for code samples etc - just pointers as to whether I'm thinking along the right lines or barking up the wrong tree. A high level of how the various components need to hang together would be great, as would any links or references to similar ideas of concepts.
Thanks
I'm using Wordpress + WooCommerce in combination with the WP-API as a backend for my mobile ecommerce App.
My goal is to offer some social login (via Facebook, Twitter, Google etc.) within the app to register/login and then use the WooCommerce API to receive e.g. all the orders of that authenticated user.
Currently my plan is:
Use some client SDK so that the user e.g. can login using his FB account
From step 1 I get e.g. the users name, email and FB ID which is sent to a custom endpoint for adding the user to the Wordpress DB (like https://github.com/royboy789/wp-api-social-login)
Create a custom endpoint for orders with WP-API (e.g.: .../orders)
Inside the endpoint function check wether the user is authenticated
If user is authenticated, the endpoint returns the user's orders using a WooCommerce API wrapper
(https://github.com/kloon/WooCommerce-REST-API-Client-Library)
But I'm struggling at #3 because I don't really know how to check wether the user is authenticated.
I thought about creating another endpoint that will contact the OAuth authorization server to check the user’s credentials using e.g. Facebook's access token. And if the check is valid, I would create a custom Access Token for my API using some hashing of the userID, email etc. which is sent back to the client app. Then this Access Token is used for every call to my API which then reads out the User ID from the hashed token and returns e.g. all the orders for this User.
But somehow this feels just not right. Especially because this way I'd create an endless living Access Token...
Once you have done #2, the HTTP response from WP will include the auth cookie: see https://github.com/royboy789/wp-api-social-login/blob/master/inc/social-routes.php#L31 in the sample pointed to by the question.
Not sure what HTTP library you are using in the app but if you save the cookies received in the response and just reuse them in all subsequent requests to the server then authentication should be taken care of: you won't need an extra check/access point, as the login/registration automatically logs the user in, and the standard WP cookie checks take care of the verification on new requests.
I have been using firebase chat and firepad for real time functionality in My Web Application which has multiple pages like a forum.
I started using the Firebase SimpleLogin too.I am able to login as a user and get the auth object which has the uid,id etc info.
1)Now if the user traverses to another page(i.e a new url(same application) is loaded ),does the authentication persist ? Ofcourse as we are manually doing the authentication by calling ref.login(),how can we know if the user is logged in when the second page is loaded.Will firebase store any cookie in user's browser or local storage ?
2)If the user is authenticated through firebase and now for for any request to my backend server for a new page ,how will I know that the user is authenticated.Should I be manually handling this by inserting some cookie in the browser or a hidden form field once firebase login happens ?
3)Is firebase Authentication suitable for multi page web application where the html pages and content are served from a back server other than firebase.?
I have checked the below question too.
Firebase JWT Authentication, Continually Send Token?
As long as browser cookies and local storage are both local storage is available on the browser, Firebase Simple Login sessions will be persisted across page refreshes on the same domain. Simply reinstantiate the Firebase Simple Login client via new FirebaseSimpleLogin(ref, function(error, user) { ... }) to restore a persisted session, if one is available.
Using this approach, your callback will automatically be invoked with the login state of the user. Note that you do not need to call .login(...) again to pick up a session, as calling .login(...) will always try to create a new session.
Once the user is authenticated, you can begin writing Firebase Security Rules, making use of the auth variable, which is non-null for any authenticated user, and will contain useful user information (such as user ids) when using Firebase Simple Login. See the 'After Authenticating' section of any Simple Login auth. provider page to see the exact payload.
In the event that you already have an authentication system you'd like to integrate with Firebase, or Simple Login is not sufficient for your needs, you can always generate Custom Tokens with your own custom data. These tokens can contain any arbitrary JSON payload of your choosing, which will be available in your Firebase security rules under the auth variable.
See the Firebase Security Quickstart for more information.
I am writing a small program to retrieve and display Google Analytics information. I keep getting a 403 Forbidden error because of insufficient permissions.
I read on other posts that you have to add the email address associated with the client id you are using to access analytics in User Management.
The client id I am using however is associated with an installed application and doesn't have an email address, it only lists a client id, client secret, and redirect Urls as credentials in the developer's console.
How can I allow access for this client id when there is no associated email address listed in the developer's console to grant permissions to on the User Management page in Google Analytics?
Simply follow Google's OAuth 2.0 guide for installed applications.
Create a URL for authorization like you would for a web app. Only set redirect_uri to urn:ietf:wg:oauth:2.0:oob.
Point your user to this URL and let him authorize your app. Then the user will receive a code.
Prompt the user to enter this code in your app and use it to retrieve a refresh token from Google.
Store the refresh token and use it to get a fresh access token whenever you need one.