Meteor.js User Login Info - meteor

Where would I find info about creating a user login system using meteor.js? Is there an existing library that I could use?

UPDATE 4: And Meteor now has full support for accounts, users, etc
see http://docs.meteor.com/#accounts_api
UPDATE 3: Since v0.5.0, Meteor supports authentication
and allow/deny rules on collections.
See http://docs.meteor.com/#allow for info.
Thanks, @Dan Dascalescu!
Update 2: As Greg points out, you actually can lock down the CRUD
methods by overriding them with empty functions (more info here:
https://stackoverflow.com/a/10116342/1180471). So while I assume the
auth functionality will make things simpler, you can already roll your
own with relatively low effort.
Original answer kept for historic purposes:
AFAIK meteor doesn't provide a way to do this yet since there is no way to lock down (part of) the database, so for the moment the only way to do it in a secure way is to bypass meteor and either:
- drop down to node and use a separate database or authentication API
- use HTTP authentication
I imagine this is pretty high up on their todo list, though...
Update 1:
They already started implementing, you can see the code in the livedata-auth branch:
https://github.com/meteor/meteor/compare/master...livedata-auth

In the meantime, Meteor has implemented a full authentication and user management system, complete with a UI for easy login using popular OAuth services (Google, Facebook, GitHub, Twitter, Weibo).

It actually isn't too hard to do some simple auth in meteor. The blogging system britto has it set up. Essentially you restrict the database from the client, then use an API key to make requests to server-side methods.
restricting client db access: How do you secure the client side MongoDB API?
britto server code: https://github.com/jonathanKingston/britto/blob/master/server/server-britto.js
In the britto source, take a look at the methods create user and login user.

You can find a working example of a user login system I've created for Meteor over at https://github.com/matb33/meteor-userauth.
You'll need Meteor > 0.3.5, so as of this writing you'll need to run the devel branch of meteor.

And you can also build a custom login system with Meteor very easily.
See my notes: http://meteorhacks.com/extending-meteor-accounts.html

Related

Plone REST API: How do I manipulate user on plone by making REST calls on plone?

We want to create user on plone from my java application, so how do I do that?
Have gone through https://github.com/plone/plone.restapi, but have not gotten a clear view.
I want to use a REST client in java which can call on plone to create, update, delete, get user.
So can I get any example of how to manipulate Plone users from my java application?
There is also availability of JSON API, XML-RPC, Plone API (not suitable in our java app), but again for user manipulation it won't suit our requirements.
Thanks.
plone.restapi is still in pre-alpha stage, therefore not all features have been implemented. Unfortunately there is no user/group endpoint yet.
If you need one now I'd recommend creating your own with plone.rest. Or even better, create a pull request for plone.restapi, so we can include it in the upcoming release.
I created a feature request on the repo where we can keep track of the progress:
https://github.com/plone/plone.restapi/issues/120
UPDATE: I implemented a basic @users endpoint:
https://github.com/plone/plone.restapi/pull/121

In my meteor app, how do I make authenticated google API calls on behalf of my user?

Background: This is my first standalone web development project, and my only experience in Meteor is building the Discover Meteor app over the last summer. I come from about a year of CS experience as a side interest in school, and I am most comfortable with C and C++. I have experience in python and java.
Project so far: I'm creating a calendar management system (for fun). Using accounts-google, I have created user accounts that are authenticated through google. I have requested the necessary permissions that I need for my app, including 'identity' and 'calendar read/write access'. I've spent the last week or so trying to get over this next hurdle, which is actually getting data from google.
Goal: I'd like to be able to make an API call to Calendar.list using a GET request. I've already called meteor add http to add the GET request functionality, my issue comes with the actual implementation.
Problem: I have registered my app on the developer console and set up Accounts using the client ID and secret, but I have not been able to find/generate my 'API key' for use in the request. Here is the google guide for creating the access token by using my (already) downloaded private key. I'm having a hard time wrapping my head around an implementation on the server side using JS because I don't have a lot of experience with what is mentioned in the HTTP/REST portion of the implementation examples. I would appreciate some help on how to implement a handshake and receive an access token for use in my app. If there is a call I can make or some package that will handle the token generation for me, that would be even better than implementation help. I believe an answer to this would also benefit this other question
The SO answer that I've been referring to so far: https://stackoverflow.com/a/14543159/4259653 Some of it is in spanish but it's pretty understandable code. He has an API key for his request, which I asked this question to help me with. The accounts-google documentation isn't really enough to explain this all to me.
Also an unrelated small question: What is the easiest way to deal with 'time' parameters in requests. I'm assuming JS has some sort of built-in functionality that I'm just not aware of yet.
Thanks for your research. I have also asked a very similar question, and right now I am looking into the package you recommend. I have considered this meteor-google-api package, but it looks abandoned.
Regarding your question about time manipulation, I recommend MomentJS. There are many packages out there; I am using meteor add mrt:moment
EDIT: MomentJS now has an official package for Meteor, so use meteor add momentjs:moment instead of the mrt command above
Below is a snippet of what moment can do. More documentation here.
var startTimeUTC = moment.utc(event.startTime, "YYYY-MM-DD HH:mm:ss").format();
//Changes above formatting to "2014-09-08T08:02:17-05:00" (ISO 8601)
//which is acceptable time format for Google API
So I started trying to implement all of this myself on the server side, but was wary of a lot of the hard-coding I was doing and assumptions I was making to fill gaps. My security prof. used to say "never implement encryption yourself", so I decided to take another gander for a helpful package. Revising search criteria to "JWT", I found jagi's meteor-google-oauth-jwt on Atmosphere. The readme is comprehensive and provides everything I need. Following the process used in The Google OAuth Guide, an authorization request can be made and a key generated for making an API call.
Link to Atmosphere: https://atmospherejs.com/jagi/google-oauth-jwt
Link to Repo: https://github.com/jagi/meteor-google-oauth-jwt/
I will update this answer with any additional roadblocks I hit in the Google API process and how I solved them:
Recently, I've been running into problems with the API request result. I get an empty calendarlist back from the API call. I suspect this is because I make an API call to my developer account rather than to the subject user. I will investigate the problem and either create a new question or update this solution with the fix I find.
Fix: Wasn't including the 'sub' qualifier to the JWT token. Fixed by modifying JWT package token generation code to include delegationEmail: user.services.google.email after scope. I don't know why he used such a long designation for the option instead of sub: as it is in the google API, but I appreciate his package nonetheless.
I'm quickly becoming proficient in this, so if people have meteor-related google auth questions, let me know.
DO NOT USE SERVICE ACCOUNTS AS POSTED ABOVE!
The correct approach is to use standard web access + requesting offline access. The documentation on the api page specifically states this:
Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data.
The only exception to this is when you are using google apps domain accounts and want to delegate access to your service account for the entire domain:
Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority"
This makes logical sense as a user must be allowed to "authorise" your application.
Back to the poster's original question, the flow is simple:
1) Meteor accounts google package already does most of the work for you to get tokens. You can include the scope for offline access required.
2) if you are building your own flow, you will go through the stock standard process and calls as explained on auth
This will require you to:
1) HTTP call to make the original request or you can piggyback off some of the internal meteor calls : Package.oauth.OAuth.showPopup() -- go look at the source there are more nifty functions around there.
2) Then you need to create an Iron router server side route to accept the oauth response which will contain a code parameter that you will use to exchange for tokens.
3) Next use this code to make a final call to exchange the "code" for the token + refresh_token
4) Store these wherever you want - my requirement was to store them not at the user level but multiple per user
5) Use a package like GoogleAPI this wraps up Google API calls and refreshes when required - it only works when tokens are stored in user accounts so you will need to rip it apart a bit if your tokens are stored somewhere else (like in my case)

How to ban people with Meteor accounts?

I'm working on a chat app with Meteor and I want to be able to ban people. I have Meteor accounts-ui installed but I don't really know where to go from there. Does anybody know how to set up a blacklist of some sort to ban people from my website?
I've found these two packages on atmosphere, maybe they can help you to do what you want.
Roles: Role-based authorization, compatible with Meteor's built-in accounts packages. Includes example app, unit tests and online API docs.
Groups: Simple system for authorization groups.
You can attach arbitrary data to a user object, so you could just set user.banned = false in Accounts.onCreateUser and check Meteor.user().banned server-side when someone sends a message. The hard part would be building an admin UI to ban a specific user; there isn't baked-in support yet for administrative backends, so you'd probably have to hardcode your own email address as an administrator and only show the admin UI if the current user has that email.

Accessing to DB at client side as in server side with meteor

I read this at the docs:
Database Everywhere. Use the same transparent API to access your
database from the client or the server.
This is great, but I think there are some security issues. Providing full and transparent access to the database at client side you are exposed to bad users, who modify your JS code (it's really in their browser and they can do it) and add any database action that could retrieve/remove/update data that perhaps could be sensitive.
Please, correct me if I'm wrong.
Thanks!
You are correct. The developers are currently working on Auth and security concerns. As of now everything is open and great for creating prototypes and test apps; however, they are vulnerable to users retrieving/removing/updating data as they like.
See the developer response to this question here: Link
Meteor now includes restrictions on client database writes (allow and deny) and a complete user accounts system.
Secure your app by removing the insecure and autopublish packages:
meteor remove insecure autopublish
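The checks that the answer above and the ban answer in the previous question describe (writes gated by allow/deny rules once insecure is removed, a publication once autopublish is removed, and a server-side banned flag set in an onCreateUser hook), as an added example that is not code from either answer or from Meteor itself. The functions are plain JavaScript so they run stand-alone; the comments say where each one would be attached (Messages.allow, Messages.deny, Meteor.methods, Meteor.publish). The in-memory users map stands in for Meteor.users and the admin address is a placeholder, both constructed for this example.

```javascript
// Placeholder admin address, hardcoded as the ban answer suggests.
const ADMIN_EMAIL = "admin@example.com";

// Stand-in for Meteor.users (constructed for this example).
const users = new Map();

// Accounts.onCreateUser(onCreateUser): every new account starts unbanned.
function onCreateUser(options, user) {
  const doc = Object.assign({}, user, { banned: false, profile: options.profile || {} });
  users.set(doc._id, doc);
  return doc;
}

function findUser(userId) {
  return userId ? users.get(userId) : undefined;
}

function isAdmin(user) {
  return !!user && Array.isArray(user.emails) &&
    user.emails.some((e) => e.address === ADMIN_EMAIL);
}

// Messages.allow({ insert: canInsertMessage }): signed in, not banned, and the
// client may not forge another user's id as the author of the message.
function canInsertMessage(userId, doc) {
  const user = findUser(userId);
  if (!user || user.banned) return false;
  return doc.userId === userId;
}

// Messages.deny({ update: denyMessageUpdate }): nobody, owner included, may rewrite
// the author or timestamp fields. A deny rule overrides any allow rule.
function denyMessageUpdate(userId, doc, fieldNames) {
  return fieldNames.some((f) => f === "userId" || f === "createdAt");
}

// Messages.allow({ remove: canRemoveMessage }): owner or admin, never a banned user.
function canRemoveMessage(userId, doc) {
  const user = findUser(userId);
  if (!user || user.banned) return false;
  return doc.userId === userId || isAdmin(user);
}

// Meteor.methods({ banUser }): runs on the server with this.userId as callerId,
// so a client that edits its own JS still cannot flip the flag.
function banUser(callerId, targetId, banned) {
  if (!isAdmin(findUser(callerId))) throw new Error("not-authorized");
  const target = users.get(targetId);
  if (!target) throw new Error("no such user");
  target.banned = banned;
  return target.banned;
}

// Meteor.publish("messages", function () { ... }): with autopublish removed the
// server decides what each connection sees. null means publish nothing.
function messagesSelectorFor(userId) {
  const user = findUser(userId);
  if (!user || user.banned) return null;
  return {}; // every message; narrow this for per-room chats
}
```

The point of each function taking userId as a parameter is that Meteor supplies it from the authenticated connection, not from the document the client sends, which is why canInsertMessage compares the two.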

Using sso for asp.net projects without external registration

I have two asp.net projects at the different domains. These projects use one database.
Let's say www.test1.com and www.test2.com. (Later there will be more projects.)
I already have registration form and registered users.
Now I need to implement SSO possibility without registration at the external sites (google, openId, facebook).
All implementations which I have found required external registration (CAS, Federation, Facebook, openId).
Also I have read this article http://www.codeproject.com/KB/aspnet/CrossDomainSSOExample.aspx, but as far as I understood from the comments such a solution is very insecure.
Please suggest a solution or an existing library which can help me to use SSO without external registration.
I needed the exact same solution for a client I was working for. I did the research and the only good solutions that I found were either too complex and not well documented or too expensive (I forgot which companies I looked into). So I decided to build a custom solution.
This is a short summary of the solution implemented:
In order to make things more clear let's call "nodes" the domains where you wanted to authenticate a user, and "SSO" the provider of the authentication.
I used a solution that is similar to the one in the link you posted HOWEVER I used the Asp.Net security cookie whenever I wanted to authenticate a node, and also to authenticate the SSO website:
HttpCookie formsCookie = FormsAuthentication.GetAuthCookie(userName, false, HttpRuntime.AppDomainAppVirtualPath);
HttpContext.Current.Response.Cookies.Add(formsCookie);
This also allowed me to not have to query back the SSO provider for each web request as the example you posted seem to do.
I used a new AuthenticationKey each time I wanted to communicate from the SSO provider back to the node that the authentication was successful.
Also I added some security features like encrypted communication and that the key could only be valid a max of 2 seconds (the time for the SSO to pass it to the node) and as soon as it was used it would be deleted.
I believe this solution is safe enough, however using an external ready made solution is surely safer.
It took me only a few days to implement the whole solution, so it's not too long of a task. However I cannot share the project as I am not sure the client would agree.
I hope those suggestions might help you.
Let us know what you decide to do in the end.
