I am currently building a backend service for a project. I have set it up with Auth0 but am having some difficulties wrapping my head around the flow of stuff.
Since there is no front end, how will my backend receive JWT tokens in my requests?
I know there is a way to set this up so that there is a default one in Postman, but I'm struggling to put all the pieces together.
I want to create a user DB based on the sub field of the decrypted JWT token, but am not sure how to abstract it really?
I've worked on features before, but the setup had always been done by someone else.
I am reading documentation, but don't think I know where to look for the exact answers.
Any tips, pointers or links would be greatly appreciated.
What I have done:
Setting up Auth0 and NestJS with Auth0's tutorial front end, though it means I can't look into what they've done.
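The part of the flow the post asks about, as an added example that is not from the post or from Auth0's SDKs: a request arrives with a bearer token, the backend verifies the signature and the exp/iss/aud claims, and only then uses the sub claim as the key for the local user record. The secret, issuer and audience are constructed placeholders, and the example uses HS256 so it runs offline; Auth0 issues RS256 tokens by default, which changes only the signature check (verify against the tenant's public key), not the claim checks or the sub-keyed upsert.

```python
import base64, hmac, hashlib, json, time

# Constructed placeholders (not Auth0 values): the shared HS256 secret plus the
# issuer and API identifier this backend accepts. Anything else is rejected.
SECRET = b"constructed-demo-secret"
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.com"
USERS = {}  # in-memory stand-in for the user table, keyed by the sub claim

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _as_list(v):
    return v if isinstance(v, list) else [v]  # aud may be a string or a list

def verify_jwt(token: str, now=None) -> dict:
    """Verify signature, exp, iss and aud; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # decode only after the signature holds
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER or AUDIENCE not in _as_list(claims.get("aud")):
        raise ValueError("wrong issuer or audience")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def get_or_create_user(claims: dict) -> dict:
    """Upsert the local user record keyed by the verified token's sub claim."""
    return USERS.setdefault(claims["sub"], {"sub": claims["sub"], "first_seen": claims.get("iat")})

def make_test_token(claims: dict) -> str:
    """Mint an HS256 token with the demo secret (test helper standing in for Auth0)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    s = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(s)}"
```

In a NestJS guard the same verify-then-upsert sequence runs per request, with the token taken from the Authorization header.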
I would like to set up a Steam connection in my Ionic/Angular application with NestJS Server.
I can't find anything to help me.
I am new to NestJS.
I want to be able to call the Steam login page (with "https://steamcommunity.com/openid/") and return the connection to me. I want to be able to put a token to indicate that the person is connected.
I find a lot of things in ExpressJS but I can't implement them in NestJS.
It's been a non-stop day of trying to find solutions, but I can't find any at all.
If a charitable person could help me, it would take a huge weight off me.
I am building an API for my first app, which consists of both a web based app grafted onto an existing website, and a mobile Cordova app. I am still something of a noob to concepts of authentication and security, so I am just trying to get an idea of the basics, and want to make sure I'm not missing something obvious. So far here's what I've got:
The server currently is non-SSL. I am registering users by making a POST request to the API with the plain text username and password appended as form data. An API key is then generated for the user which is returned to them, which they will then use for subsequent requests by including it in the header.
OK, so... given that this app isn't handling particularly sensitive data, and I only really care about basic-level security, is this acceptable? Is there any obvious and simple step I could take to improve the above setup?
Thanks.
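The register-then-API-key flow described above with the server-side handling that keeps a leaked user table from exposing credentials, as an added example that is not the poster's code: the password is stored only as a salted scrypt hash, the API key is a random value the server stores only as a hash (so it cannot be recovered from the database), and comparisons are constant-time. The in-memory dictionaries, the `X-API-Key` header name and the function names are constructed for this example; transport protection (TLS) is separate and is not shown here.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory stores standing in for the app's user table; the shape
# (username, password, api key) follows the flow described in the post.
USERS = {}       # username -> {"salt": bytes, "pw_hash": bytes, "key_hash": bytes}
KEY_INDEX = {}   # sha256(api_key) -> username, so lookups never need the raw key

def _kdf(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF (stdlib scrypt) so a leaked table is slow to brute-force.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def register(username: str, password: str) -> str:
    """Create the user and return the API key once; only its hash is stored."""
    if username in USERS:
        raise ValueError("username taken")
    salt = os.urandom(16)
    api_key = secrets.token_urlsafe(32)
    key_hash = hashlib.sha256(api_key.encode()).digest()
    USERS[username] = {"salt": salt, "pw_hash": _kdf(password, salt), "key_hash": key_hash}
    KEY_INDEX[key_hash] = username
    return api_key  # shown to the client once; the server cannot recover it later

def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    # Run the KDF even for unknown users so timing does not reveal valid usernames.
    salt = rec["salt"] if rec else b"\x00" * 16
    candidate = _kdf(password, salt)
    return rec is not None and hmac.compare_digest(candidate, rec["pw_hash"])

def user_for_header(headers: dict):
    """Resolve the caller from the request headers; None if the key is absent or unknown."""
    api_key = headers.get("X-API-Key")
    if not api_key:
        return None
    return KEY_INDEX.get(hashlib.sha256(api_key.encode()).digest())
```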
I'm new to OAuth and I would really appreciate it if someone could give me a hand with my problem. I need to create a simple web application for tracking expenses, with some basic actions (user must be able to create an account and log in, list expenses, edit them, etc) with a REST API for each one, and the trick is that I need to be able to pass credentials to both the webpage and the API. So, after some research I've found some examples using Digest Authentication and HMAC Authentication, but a lot of posts also mentioned OAuth as an alternative approach, so my question is, given this scenario, would it be proper to use OAuth? I mean, as far as I understand OAuth is suitable when you want to share resources with other applications, which I'm not doing for this project; besides that, when you try to access the shared resource a page appears requesting permission for the foreign application, would that page appear at some point in my application? (maybe after the login?)
Thanks in advance guys
In your current scenario it does not make sense to use OAuth. It's not what OAuth is designed for.
If your application ecosystem is going to have multiple webapps running on a single SSO (like google) then it is very helpful to have OAuth.
Suggestion: Decide based on your business/operation plan and implement accordingly.
Note: If you plan to have 10 apps in the span of the next 5 years but only have one app now it does not make sense to spend time to implement complex protocols like OAuth right now. Scale as you grow.
I am using django-allauth in a variety of applications that I make and it's awesome!
Right now, I am trying to develop a login process in two separate steps.
I have a client (mobile) social login with some provider (Twitter, Facebook) and the client takes the OAuth credentials and sends them back to the server.
That means that I do not need to use the forms and the templates provided, since all of that is handled just fine by the client already.
What I need is to know what functions/views I need to call in order to avoid all the functions that need the request to work properly.
I hope that I explained my issue in detail.
Thank you in advance,
Michael.
It seems that basic functionality such as user login cannot be done in a simple manner: to have username and password fields in a form on the client and, based on that, to create store.readPathAccess model access rights. Also, how to check if a user is logged in to implement access rights on routes?
Based on examples and (poor) DerbyJS documentation, if I understood it correctly, you have to implement login in server module (lib/server/*) because:
store.readPathAccess must be used in server side
you want to store data in model session (which can be read only on server side)
But many questions arise:
if it has to be done on the server side, how to get and store client form data on the server side without having the problem with the second item below on the list (I have done it by manually submitting data to a server-only route, but cannot then save it in the model with a local key because I have to redirect to a client route after that and local model data is lost)
how to read that data later if it must be stored in the session?
even if the store access rights for the model are managed, how to check if this specific user is logged in when in client routes?
I'm quite confused at the moment... I liked Derby principles, but these authentication problems are seriously playing with my nerves.
I know I may not be quite clear, but there are many points to go into in detail and if anyone can help I'll gladly give more required info.
Thank you,
Eddie
I found this library today called derby-auth.
It uses passport for signing in and has a good example using a simple register and login form.
What it does is to set some routes on the server for logging the user, and a middleware to tell the client if it's logged or not.
It does have some bugs (a few callback calls missing that break some things), so I wrote my own based on that, but I must clean up a lot of things before uploading it anywhere.
I'd be glad to send it to you if you want, though.
The most current library is https://github.com/derbyparty/derby-login
It has been updated pretty regularly and works with DerbyJS 0.6.