I have a form where the user will enter the AWS Account Name, AWS Access Key, and AWS Secret Key and click submit to add the information to a table in a database. How would I validate the keys prior to them being added to the database?
The only reliable way to confirm not only the format, but also the validity of the keys, is to perform an operation using them.
Do something simple with the EC2 API that requires all three factors prior to storing them in the DB.
On a side note, please be sure you properly secure this database. If it is compromised, so will be as many AWS accounts as you store the credentials to.
Related
I'm quite new to firebase and I am looking for best practices using it, maybe I will be able to get some advices here.
What I want to do:
User login using firebase.
Problem:
I save user info in firebase but use SQL server as database where I need that user information as userId
Question: How should I approach that?
Register user on firebase and when I get response with userId and token, save it to my sql database too?
what's my current approach:
At this stage we're thinking of creating new users via admin panel (and then these users can sign in)
Would it be good approach to add user to sql database, send email to finish registration (create pasword) and then add this user to firebase, and with response send request to my backend where I update user that he's verified, add userId and token?
It's very common to store additional information about Firebase Authentication users in your own database. Whether it's good in your use-case is subjective, but it's definitely common.
Assuming that you have a server interacting with SQL server on the user's behalf, be sure to pass the ID token from the client to the server, decode it there, and then use the UID (and other claims) from that token in your database interactions. Don't allow the user to just pass their UID, as that'd be a security risk.
For more on this scenario, see the Firebase documentation on verifying a user through their ID token.
Your approach with an admin panel is a common first approach, but not something I'd recommend. Since you'll need to allow the user's to sign in with email/password, there is nothing keeping them from calling the createUserWithEmailAndPassword API themselves on your project. So I'd recommend leaving the creation completely to the clients, and save yourself from having to consider that an abuse scenario.
If you want to control what users an access the data, store a list of email addresses (since you seem to associate that with uniquely identifying a user already) in the database, and check the email address in the ID token is in the list (and is marked as verified in the token).
I am making a website with login and registration facility using firebase. I have used firebase "Authentication" database to store the registered users.However, "Authentication" database doesnt store anything other then emailid, password and an auto generated UUID.
I need to store more data like username, profile pic etc for a user. I would be using firebase's "real time" database for the same.
My question is what is the best practise to do the same. Should I use the UID as primary key from "authentication" database and keep it as foreign key in my real time database like below:
Authentication db:
Record 1 - Email:abc#test.com; password:somepassword; UID:UID1
Record 2 - Email:abcd#test.com; password:somepassword; UID:UID2
RealTime db structure:
users
|
|--UID1
|
|---Name:Amanda
|---Surname:Waller
|---age:30
|--UID2
|
|---Name:MyName
|---Surname:Mysurname
|---age:39
Or is it better to use email id as primary key instead of using firebase's auto-generated UID. Because in sql we do not generally use the autogenerated ids as primary keys.
It’s better to use the UID. For one thing, you can’t have periods in keys, so if you use email as a key you’ll have to handle that by replacing them with some other character. Also, some forms of authentication don’t require email, like Twitter. Since you can get the UID easily once the user is authenticated, that’s what I’d recommend.
I faced with such error
Request must contain either a valid (registered) AWS access key ID or X.509 certificate.
While trying to register an user via Cognito in DynamoDB Local. An user registers ok when I disconnect from DynamoDB and I can create an record in db programmatically.
The error comes from the DynamoDB. Please have a look:
http://docs.aws.amazon.com/amazondynamodb/latest/APIReference/CommonErrors.html
I used AWS Cognito to authenticate users in my iOS application. The users of the app will have to enter the email, phone number and their name in order to register and Amazon will be sending a SMS to authenticate the phone number.
All of these are working fine. I have few questions and they are :
1.) I want to know where these data are getting saved ? It's not there in the Dynamo DB (However, I found the list of users in AWS Cognito --> Federated Identities --> Users , but not in a Table inDynamoDB)
2.) Now, once the users are authenticated, I am allowing the users to interact with the application. The first task will be that the users will have to complete their profile. I want to know if in case if an user is NOT authenticated will he be able to complete his profile ? Ideally, he should not be allowed. But is this happening automatically ?
EDIT
1) You are correct, data is not stored inside dynamo for user profiles. Cognito has an internal data store in which user data is persisted. This can be viewed and edited (as an admin) through the 'Users' tab of your user pool.
2) They should not be able to, and it is not happening automatically. The only way to update attributes stored against a user is as an admin (which the user shouldn't be able to do) or with the token that they get from signing in, so what you're aiming for is very do-able.
Can you guy send me a good example that they will verify my userid which it from window login workstation and match a list of userid in table in SQL Server? I am using IIS and they are both in same server but different machine. If my userid is not match one of those userid in table then it automatic prevent me from going in specific website. I do not want login or form. I just want automatic detect my userid before allow me to enter website.
What authentication mechanism are you using on the website? Forms? Integrated? Certificate mapping?
In the end, the authentication mechanism will generate a cookie which you can reference in code via HttpContext.Current.User.Identity.Name.
Your job is to figure out which authentication mechanism you are using and understand what the Identity.Name value is being generated by, since the authentication mechanism controls this and to synchronize the value in your user's table with this value. It does not necessarily need to be the primary key of the user's table; in fact security is slightly improved if you do not expose the primary key of the user's table at all. Any unique key will do; in general I use Guids because I can generate them independently and their sequence is (generally) not predictable.