I am following the Meteor + Angular2 tutorial to create a test project (for learning purposes, and eventually start something real).
But I'd like to have the app redirect unauthenticated users to a /login page instead of what's described in the tutorial (i.e. restrict resources to authenticated users). Basically, unauthenticated users should not even be able to view the application and always be redirected to a login form. Just like Facebook, for example.
How do I do that?
I have a WordPress website and a Chrome Extension. If the user logs in on the website, I want the Chrome Extension to be aware of that (and vice versa). The Chrome Extension won't have a login form in it; the user will always log in through the website login form.
When you log in on the website, WordPress by default sets its authentication cookies to identify the user. What I initially had in mind: I would also like to return some kind of access token, which I would store somewhere where the extension can find it and use it to make authenticated requests to the WordPress REST API. But... where do I store it (in a safe manner) so I can find it within the extension?
Perhaps I should try a different approach?
Thank you!
What you could do, the simpler way:
create an Ajax action or a REST API route
as you can read in the documentation, the authentication is cookie-based. So once the user is logged in from the WordPress login form, the authentication cookie is added to your browsing session
without overrides, the cookie will also be forwarded when using JS HTTP queries (e.g. Ajax)
your route could check something like the available is_user_logged_in() or wp_get_current_user() methods, and return the result (among other things if needed) to your plugin JS
you may need to change the WordPress cookie configuration so they can be accessed from anywhere (any domain); check this.
Better way:
would be to use a plugin like this to implement REST API OAuth2 authentication
the user should be able to log in directly from the extension window (needs development), and then use a refresh token feature to keep the user logged in.
I believe you may also need to update your actual login form: whether it's a classic or an OAuth REST API login, it should be able to send back the required OAuth tokens (access and refresh tokens) to the frontend (then stored in local storage or elsewhere) to be used by the extension, to prevent having to log in twice.
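The "simpler way" above, as an added example that is not part of the answer: a small WordPress plugin that reports the browser's login state to the extension through both an admin-ajax action and a REST route. The action name, route name and plugin name are assumed.

```php
<?php
/*
 * Plugin Name: Extension Session Check (added example, not from the answer above)
 *
 * Exposes the browser's WordPress login state to the extension in two ways:
 *  - an admin-ajax action, which honours the auth cookie as-is, and
 *  - a REST route, which WordPress only treats as logged in when the request
 *    also carries a valid 'wp_rest' nonce (X-WP-Nonce header).
 * Action and route names are assumed.
 */

function ext_session_payload() {
    if ( ! is_user_logged_in() ) {
        return array( 'logged_in' => false );
    }
    $user = wp_get_current_user();
    return array(
        'logged_in' => true,
        'user_id'   => (int) $user->ID,
        'login'     => $user->user_login,
        // Hand the extension the nonce it must send as X-WP-Nonce on later
        // REST calls; without it those calls run as an anonymous visitor.
        'nonce'     => wp_create_nonce( 'wp_rest' ),
    );
}

// admin-ajax: /wp-admin/admin-ajax.php?action=ext_session
function ext_session_ajax() {
    wp_send_json( ext_session_payload() );
}
add_action( 'wp_ajax_ext_session', 'ext_session_ajax' );        // logged-in users
add_action( 'wp_ajax_nopriv_ext_session', 'ext_session_ajax' ); // anonymous users

// REST: /wp-json/ext-session/v1/status
add_action( 'rest_api_init', function () {
    register_rest_route( 'ext-session/v1', '/status', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public; it only reports state
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( ext_session_payload() );
        },
    ) );
} );
```

The extension calls either URL with credentials included; whether the browser attaches the WordPress auth cookie to that cross-site request depends on the cookie's SameSite setting, which is the cookie configuration the answer refers to.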
So I am implementing this single sign-on feature using Azure AD as the authentication provider. My question is: is it possible to register just one centralized application for potentially multiple deployments?
single sign out
I also want this single sign-out feature, i.e. if a user logs out of his/her Outlook account, my app will react to it and also perform a logout.
The doc specifies that I need to set the LogoutUrl field in AAD and do the implementation. The problem is I can only fill out one LogoutUrl for each registered application. I tried moving this logout URL to the reply URLs, but the endpoint will not fire (it only works when filled in the logout URL field).
Scenario: I have one core app for potentially multiple deployments, and they all have their unique urls.
abc.com
abc1.com
abc2.com
The list will go longer, so it is painful if I need to set up the application for each one. Can I get around by just setting one centralized app?
For the redirect url I think I can set up multiple reply urls. Or can I?
The difficult part is the logout URL: AAD only allows one value, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call and then redirect the call to the associated deployment. (A user logs out from abc.com, logout.com/logout is fired, it then needs to identify that the logout happened on abc.com, and then it directs the call to abc.com so abc.com can receive it and perform cleanups.)
For Azure Active Directory, you can have reply urls spanning multiple domains. So that works. You can also use these reply urls as part of your logout process. The logout url setting is optional, as far as I know.
https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}
(How to signout from an Azure Application?)
Remark: Azure AD B2C only supports reply urls within a single domain.
Edit: It seems I misunderstood your question. Do you want a redirect to abc.com when the user logs out from abc.com? Use the redirect URL. Do you want to clear the session in abc.com, abc1.com, abc2.com when the user logs out from abc.com? This is more tricky, since AAD opens up your logout URL in a hidden iframe (=> "front-channel signout", a GET to the designated URL). If you want this to actually clean up all your domains, you need to get creative... not sure what the best way is. You could try returning HTML that in itself has iframes to all the domains... but I don't know if it will be properly evaluated.
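The two cases in the edit above, as an added example that is not part of the answer: building the end-session URL from the answer with an allowlisted post_logout_redirect_uri (so the central endpoint cannot be turned into an open redirect), and a central logout page that fans out to every deployment via hidden iframes. The deployment list and the per-deployment cleanup paths are assumed.

```php
<?php
// Added example, not from the answer above. Central logout handling for one
// AAD app registration shared by several deployments (domains from the question).

// Fixed allowlist: redirect and iframe targets are never taken from request input.
const DEPLOYMENT_LOGOUT_URLS = array(
    'abc.com'  => 'https://abc.com/signout-callback',   // assumed cleanup path
    'abc1.com' => 'https://abc1.com/signout-callback',
    'abc2.com' => 'https://abc2.com/signout-callback',
);

/**
 * Build the AAD end-session URL quoted in the answer. Only an https return
 * URL whose host is a known deployment is accepted; anything else yields null.
 */
function azure_logout_url( string $tenant, string $return_to ): ?string {
    $host   = parse_url( $return_to, PHP_URL_HOST );
    $scheme = parse_url( $return_to, PHP_URL_SCHEME );
    if ( 'https' !== $scheme || ! isset( DEPLOYMENT_LOGOUT_URLS[ $host ] ) ) {
        return null;
    }
    return sprintf(
        'https://login.microsoftonline.com/%s/oauth2/logout?post_logout_redirect_uri=%s',
        rawurlencode( $tenant ),
        rawurlencode( $return_to )
    );
}

/**
 * Front-channel handler served at the single LogoutUrl (logout.com/logout).
 * AAD loads it in a hidden iframe, so it cannot know which deployment the user
 * came from; instead it asks every deployment to clear its session.
 * Each target must allow being framed by logout.com (X-Frame-Options / CSP),
 * and browsers that block third-party cookies may still leave sessions intact.
 */
function front_channel_logout_page(): string {
    $html = '<!doctype html><title>Signing out</title>';
    foreach ( DEPLOYMENT_LOGOUT_URLS as $url ) {
        $html .= '<iframe src="' . htmlspecialchars( $url, ENT_QUOTES ) . '" style="display:none"></iframe>';
    }
    return $html;
}

header( 'Content-Type: text/html; charset=utf-8' );
header( 'Cache-Control: no-store' );
echo front_channel_logout_page();
```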
In Alfresco, I have implemented an SSO servlet filter and an AuthenticationComponent so that login is done via SSO.
Everyone logs in via SSO... except admin users. So, for unauthenticated users my servlet filter redirects to SSO login all pages except for /share/page/type/login and /share/page/dologin.
Problem: Normal users might be able to learn about this path, and start using it instead of SSO, which I don't want.
I could generate a very complicated random Alfresco password for all non-admin users, but it sounds rather low-tech.
Is there a solution to effectively restrict login via /share/page/type/login to only Alfresco users who belong to the ALFRESCO_ADMINISTRATORS group?
I would like to build the following functionality with Meteor:
User goes to the website and is greeted with a login/signup form and nothing else. I don't want the client to have any other information from the server at all. Just the simplest possible login/signup form.
If the user successfully logs in or signs up, only then do I want the full app, with all the templates, etc., downloaded to the client.
Is it possible to accomplish this with Meteor?
I think you have a few options:
[Hard] Single meteor app
Hook into the node request processing pipeline and do the interception there before the rest of Meteor gets involved. Probably easiest to do this in server.js. Can't use Meteor constructs - have to use regular node and NPM packages but you can write the login tokens to the same MongoDB backend.
[Easier] Two Meteor apps
Write a separate Meteor app that only does the login and writes the tokens to the same DB, then redirects to different URL. Use a reverse proxy to control which app handles which URL.
[Easiest] Wait for server-side rendering support in Meteor core
Guessing it will come sometime early Q2 2014
Haven't tested these but I think as long as the login tokens end up in the user's account on the DB and the root domain is the same, this will work.
== Update ==
Regarding the login app, this atmosphere package provides pre-made login pages (requires IronRouter):
accounts-entry
== Update 2 ==
The 2 Meteor app solution is applicable for a more general, "I want to split my app across different 'areas' ". In the specific case asked about by the OP of a simple login form, we can just use a static HTML page for the initial landing page and not even worry about the 2nd Meteor app. The reverse proxy would route traffic between these 2 endpoints:
a statically served landing page (Nginx, apache, etc)
the real Meteor app
Using something like Route53 and S3 buckets, I think it would even be possible to serve the initial landing page directly from CDN although I haven't worked through it all.
The easiest approach to offer a login screen, then the full app, would probably be to have a static landing page, and log in the user on it using Asteroid, a DDP client that you can configure to talk to the Meteor backend. Once the login is performed, you'd redirect to the Meteor app.
// Asteroid takes the Meteor host[:port] (no scheme or path); the second argument enables SSL (wss://)
var asteroid = new Asteroid("example.com:3000", true);
asteroid.loginWithTwitter();
Many modern SPAs redirect to a subdomain after login: for instance, Optimizely and Intercom redirect to app.(optimizely|intercom).com after login, and NewRelic redirects to rpm.newrelic.com. Optimizely knows you're logged in if you navigate to / and shows your username instead of "Login", but NewRelic doesn't bother and just shows "Login". To figure out in the static page if the user is logged into the app, you can check the timestamp of Meteor.loginTokenExpires in localStorage. If you want to automatically redirect users if they're logged in, you could write:
// null if the user has never logged in on this origin; Date.parse(null) is NaN, so the comparison would be false anyway
var expires = window.localStorage.getItem('Meteor.loginTokenExpires');
if (expires && Date.now() < Date.parse(expires)) {
  window.location.replace('https://example.com/app');
}
Be careful with the domains though. example.com won't have access to the localStorage of app.example.com. Also, this means they can't see the landing page again unless they log out.
In your template you can do this:
<body>
  {{#if currentUser}}
    {{> logged_in_template}}
  {{else}}
    {{> not_logged_in_template}}
  {{/if}}
</body>
currentUser will only be available if a user is logged in.
{{currentUser}}-docs: http://docs.meteor.com/#template_currentuser
Here is the scenario...
I have a site:
http://internet.com
and I set a token (cookie, something like that) from http://internet.com when a user has SUCCESSFULLY logged in.
I also have http://web.internet.com.
On http://web.internet.com I want to display data to users that have that token/cookie/etc available to them.
Here is the use-case
user logs into http://internet.com (ASP.NET framework hosted on a different server; this is our primary product that requires a subscription / username & login)
user then has access to a section that is hidden from public view on http://web.internet.com (WordPress site hosted on GoDaddy; this site contains a knowledge base that we do not want to make public unless they have done [XXXXX])
both sites are hosted independently of each other and do not share a common username and password
======
Another scenario is to set up WordPress to allow a specific section as a JSONP response, but only if the user is logged in at http://internet.com, to allow the user to have access to the JSONP response located at http://web.internet.com
Any ideas from you beautiful people?
It really depends on the level of security you require. You can log a user in to a WordPress site without a password by using wp_set_auth_cookie; however, if you are just validating that a user is logged into the ASP.NET site and then using JSONP to load a page that sets the auth cookie, it will work, but you definitely have some security gaps.
A better solution would be to set a domain level cookie for .internet.com with a token that can be read by any server in your domain. The Wordpress site could then check is_user_logged_in(), and if not take that cookie value and make a back end call to the ASP.NET site to verify its authenticity, and then call wp_set_auth_cookie(). A simple web service would likely be the best option. You would still need some level of mapping between usernames on the ASP.NET and Wordpress site however to know which user_ID to pass.
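The "better solution" above, as an added example that is not part of the answer: a WordPress plugin on web.internet.com that takes the .internet.com domain cookie, verifies it server-to-server against the ASP.NET site, maps the user and only then calls wp_set_auth_cookie(). The cookie name, the verification endpoint, the shared service key and the username-based mapping are assumed.

```php
<?php
/*
 * Plugin Name: internet.com SSO bridge (added example, not from the answer above)
 * Assumes: internet.com sets a cookie "internet_sso" for Domain=.internet.com,
 * exposes POST https://internet.com/api/sso/verify for back-end checks, and
 * INTERNET_SSO_SERVICE_KEY is defined in wp-config.php.
 */
add_action( 'init', 'internet_sso_login_from_domain_cookie' );

function internet_sso_login_from_domain_cookie() {
    if ( is_user_logged_in() || empty( $_COOKIE['internet_sso'] ) ) {
        return; // already a WordPress session, or nothing to bridge
    }
    if ( ! defined( 'INTERNET_SSO_SERVICE_KEY' ) ) {
        return; // refuse to run without the shared secret
    }
    $token = sanitize_text_field( wp_unslash( $_COOKIE['internet_sso'] ) );

    // The cookie is only a hint: the ASP.NET side decides whether the token is a
    // live session. The service key stops the verify endpoint acting as a
    // public token oracle. (endpoint assumed)
    $resp = wp_remote_post( 'https://internet.com/api/sso/verify', array(
        'timeout' => 5,
        'headers' => array( 'X-Service-Key' => INTERNET_SSO_SERVICE_KEY ),
        'body'    => array( 'token' => $token ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return; // fail closed: no WordPress login on error or rejection
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $data['valid'] ) || empty( $data['username'] ) ) {
        return;
    }

    // Mapping between the two user stores (the answer's remaining gap): here the
    // ASP.NET username doubles as the WordPress login; unknown users are not created.
    $user = get_user_by( 'login', $data['username'] );
    if ( ! $user ) {
        return;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
}
```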