I have a node-opcua server setup with 2 clients connected to it with Security Mode set to SignAndEncrypt. Now, I have 2 questions:
Is there a way for the server to find out how many clients are connected to it?
The server application will like to know the identity of a connected client, is there an API to get the client certificate obtained during OpenSecureChannel?
OPCUA Server can expose such information under the RootFolder.Server.ServerDiagnostics node, and the information you need shall be accessible through OPCUA.
This little node-opcua client program will show you how to do.
note:
that certain data such as security diagnostics requires a secure connection and a non-anonymous user
client_extract_server_diagnostic.ts
// this script is typescript and can be run this way
// $ npx ts-node client_extract_server_diagnostic.ts
import {
AttributeIds,
OPCUAClient,
ClientSession,
StatusCodes,
MessageSecurityMode,
SecurityPolicy,
UserIdentityInfoUserName,
UserTokenType
} from "node-opcua";
// the opcua server to connect to
const endpointUrl = "opc.tcp://localhost:48010";
// the credential
const userIdentityToken: UserIdentityInfoUserName = {
password: "secret",
userName: "root",
type: UserTokenType.UserName
};
async function extractServerStatistics(session: ClientSession) {
const nodesToRead = [
{
attributeIds: AttributeIds.Value, nodeId:"Server_ServerDiagnostics_EnabledFlag"
},
{
attributeIds: AttributeIds.Value, nodeId:"Server_ServerDiagnostics_ServerDiagnosticsSummary_CurrentSessionCount" //i=2277
},
{
attributeIds: AttributeIds.Value, nodeId:"Server_ServerDiagnostics_ServerDiagnosticsSummary_CurrentSubscriptionCount" // i=2285
},
{
attributeIds: AttributeIds.Value, nodeId: "Server_ServerDiagnostics_ServerDiagnosticsSummary_CumulatedSessionCount" // i=2278
},
{
attributeIds: AttributeIds.Value, nodeId: "Server_ServerDiagnostics_ServerDiagnosticsSummary_CumulatedSubscriptionCount" // i=2278
},
{
attributeIds: AttributeIds.Value, nodeId: "Server_ServerDiagnostics_SessionsDiagnosticsSummary_SessionSecurityDiagnosticsArray" // i=3708
}
];
const dataValues = await session.read(nodesToRead);
console.log("Diagnostic enabled ? = ", dataValues[0].value.value);
console.log("Current Session Count = ", dataValues[1].value.value);
console.log("Current Subscription Count = ", dataValues[2].value.value);
console.log("Cumulated Session Count = ", dataValues[3].value.value);
console.log("Cumulated Subscription Count = ", dataValues[4].value.value);
// note reading SessionSecurityDiagnotiscArray may requires authenticated session to succeed
console.log("SessionSecurityDiagnotiscArray = ");
if (dataValues[5].statusCode === StatusCodes.Good) {
const sessionSecurityDiagnosticArray = dataValues[5].value.value;
// console.log(dataValues[5].value.value.toString());
for (const sessionSecurityDiagnostic of sessionSecurityDiagnosticArray) {
console.log(" session client certificate ", sessionSecurityDiagnostic.clientCertificate.toString("base64"));
console.log();
}
} else {
console.log(dataValues[5].toString());
}
}
( async () => {
try {
const client = OPCUAClient.create({
endpoint_must_exist: false,
securityMode: MessageSecurityMode.SignAndEncrypt,
securityPolicy: SecurityPolicy.Basic256Sha256,
});
client.on("backoff",() => console.log("still trying to connec to ", endpointUrl));
await client.connect(endpointUrl);
const session = await client.createSession(userIdentityToken);
await extractServerStatistics(session);
await session.close();
await client.disconnect();
console.log("done");
} catch(err) {
console.log("Err" , err.message);
process.exit(1);
}
})();
Related
So I have a simple backend server created with Hapi API and the frontend I'm using fetch. These are on different ports so I have CORs enabled and all the sweet stuff. I'm currently trying to set a refresh token in the browser using a http only cookie. As far as I can verify, the http only cookie is being set in the browser when login function is completed. I'm currently trying to send the http only cookie back to the server so I can set up the refresh token route and I can't seem to send or even verify that http token is sent back to the server.
Here's the server setting.
"use strict";
require("dotenv").config();
const Hapi = require("#hapi/hapi");
const Jwt = require("#hapi/jwt");
const routes = require("./routes/routes");
exports.init = async () => {
const server = Hapi.server({
port: 3000,
host: "localhost",
routes: {
cors: {
origin: ["*"],
credentials: true,
},
},
});
require("./models");
await server.register(Jwt);
server.auth.strategy("jwt", "jwt", {
keys: { key: process.env.SECRET_KEY, algorithms: ["HS256"] },
verify: { aud: false, iss: false, sub: false, exp: true },
validate: false,
});
server.state("refresh", {
ttl: 1000 * 60 * 60 * 24,
isSecure: true,
isHttpOnly: true,
encoding: "base64json",
clearInvalid: true,
strictHeader: true,
isSameSite: "None",
});
server.route(routes);
return server;
};
process.on("unhandledRejection", (err) => {
console.log(err);
process.exit(1);
});
Here's the login request and returns the http only cookie. This part works, the http cookie is returned and set.
const validateUserAndReturnToken = async (req, h) => {
const user = await User.findOne({
$or: [{ email: req.payload.username }, { username: req.payload.username }],
});
if (user) {
const match = await bcrypt.compare(req.payload.password, user.passwordHash);
if (match) {
const token = await createToken(match);
const refreshToken = await createRefreshToken(match);
h.state("refresh", refreshToken);
return { id_token: token, user: formatUser(user) };
} else {
throw boom.notAcceptable("Username and password did not match.");
}
} else {
throw boom.notAcceptable("Username or email was not found.");
}
};
Here's the fetch request I'm using to test sending a http cookie only back. I have credential: include so I don't know what is problem?
import type { DateInfo } from "#/stores/application";
const api = "http://localhost:3000/report";
let token = localStorage.getItem("user-token");
const headers = new Headers();
headers.append("Authorization", `Bearer ${token}`);
headers.append("Content-Type", "application/json");
export const getJobReport = async (dateFilter: DateInfo) => {
let response = await fetch(
`${api}/${dateFilter.startDate}/${dateFilter.endDate}`,
{
method: "GET",
headers,
credentials: "include",
}
);
return await response.json();
};
I have checked the application tab as well as the network request so I know set cookie is being sent and set on the browser. The problem is I can't seem to get the cookie back from the browser when fetch request is sent back to the server.
Here's the code I'm using to just check the existence of the cookie. According to Hapi Doc , req.state[cookie-name] which in this case is 'refresh' should have the cookie value. Refresh is returning undefined so I went up one level and check for req.state and gets an empty object {}.
route
{
method: "GET",
path: "/report/{startDate}/{endDate}",
options: {
auth: "jwt",
state: {
parse: true,
failAction: "error",
},
validate: {
params: Joi.object({
startDate: Joi.string(),
endDate: Joi.string(),
}),
},
},
handler: handlers.report.getJobApplicationReport,
},
handler
const getJobApplicationReport = async (req, h) => {
console.log("TEST", req.state);
const start = new Date(req.params.startDate);
const end = new Date(req.params.endDate);
try {
const applications = await Application.find({
dateApplied: { $gte: start, $lt: end },
});
// 'Applied', 'In Process', 'Rejected', 'Received Offer'
const total = applications.length;
let rejectedCount = 0;
let inProcessCount = 0;
applications.forEach((app) => {
if (app.status === "Rejected") {
rejectedCount++;
}
if (app.status === "In Process") {
inProcessCount++;
}
});
return {
total,
rejectedCount,
inProcessCount,
};
} catch (error) {
console.log(error);
throw boom.badRequest(error);
}
};
I've looked through all the Hapi documentation, fetch documentation and stackoverflow question/answers but can't seem to find a solution. I can't verify whether it's the fetch request that's not sending the http only cookie or the server setting that's not parsing it. Any help to determine the issue or solution would be greatly appreciated.
I've looked through all the Hapi documentation, fetch documentation and stackoverflow question/answers but can't seem to find a solution. I can't verify whether it's the fetch request that's not sending the http only cookie or the server setting that's not parsing it. Any help to determine the issue or solution would be greatly appreciated.
I'm using passport-saml and express-session. I login with my original session id but when the idp response reach the login callback handler, I have another sessionId. Also, since my browser has the session cookie with the original session id, it cannot use the new session id in the login callback, so I cannot authenticate.
interface SamlProvider {
name: string;
config: SamlConfig;
}
const providers: SamlProvider[] = [
{
name: process.env.SAML_ENTITY_ID_1!,
config: {
path: "/login/callback",
entryPoint: process.env.SAML_SSO_ENDPOINT_1,
issuer: process.env.SAML_ENTITY_ID_1,
cert: process.env.SAML_CERT_1!,
...(process.env.NODE_ENV === "production" && { protocol: "https" }),
disableRequestedAuthnContext: true,
},
},
{
name: process.env.SAML_ENTITY_ID_2!,
config: {
path: "/login/callback",
entryPoint: process.env.SAML_SSO_ENDPOINT_2,
issuer: process.env.SAML_ENTITY_ID_2,
cert: process.env.SAML_CERT_2!,
...(process.env.NODE_ENV === "production" && { protocol: "https" }),
disableRequestedAuthnContext: true,
},
},
];
export const samlStrategy = (sessionStore: session.Store) =>
new MultiSamlStrategy(
{
passReqToCallback: true, // makes req available in callback
getSamlOptions: function (request, done) {
// Find the provider
const relayState = request.query.RelayState || request.body.RelayState;
const provider = providers.find((p) => p.name === relayState);
if (!provider) {
return done(Error("saml identity provider not found"));
}
return done(null, provider.config);
},
},
async function (
req: Request,
profile: Profile | null | undefined,
done: VerifiedCallback
) {
if (profile && profile.nameID) {
const { nameID, nameIDFormat } = profile;
const email = profile[
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
] as string;
const firstName = profile[
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
] as string;
const lastName = profile[
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
] as string;
// Check if user is in risk database
const user = await myUserService.getByEmail(email);
if (!user) return done(new UserNotFoundError());
// If user has existing session, delete that existing session
sessionStore.all!((err: any, obj: any) => {
const sessions = obj as Array<{
sid: string;
passport?: { user?: { email?: string } };
}>;
const existingSess = sessions.find(
(sess) =>
sess.passport &&
sess.passport.user &&
sess.passport.user.email &&
sess.passport.user.email === email
);
if (existingSess && existingSess.sid) {
sessionStore.destroy(existingSess.sid, (err: any) => {
console.error(err);
return done(Error("failed to delete existing user session"));
});
}
});
return done(null, { nameID, nameIDFormat, email, firstName, lastName });
}
return done(Error("invalid saml response"));
}
);
Here's my login and login callback
app.post("/login/callback", async function (req, res, next) {
passport.authenticate("saml", (err: any, user: ISessionUser) => {
if (err) {
// TODO: Handle specific errors
logger.info({ label: "SAML Authenticate Error:", error: err });
return next(err);
} else {
req.logIn(user, (err) => {
if (err) {
logger.info({ label: "Login Error:", data: err });
return next(err);
}
res.redirect("/");
});
}
})(req, res, next);
});
app.get(
"/auth/saml/login",
passport.authenticate("saml", { failureRedirect: "/", failureFlash: true }),
function (req, res) {
res.redirect("/");
}
);
I experienced a similar issue using Microsoft 365 for authentication. The answer was to pass a randomly-generated nonce to the authentication request - this gets passed back to your app in the callback request. With SAML I think it depends on the provider whether they support such a flow, but it is good practice. You can also use a cookie to maintain state in your app, instead of, or additional to, the session id.
I want to implement a manage sessions system, so the user can logout all sessions when he change password.
1- when the user login I will store his session into user sessions array:
2- I'll check if the current session is stored in database, if not I'll log him out.
3- I want to add a "logout all sessions" button that logout all except for current session.
but I don't know how to start, because all I have when user login is:
{
user: { uid: '61a53559b7a09ec93f45f6ad' },
expires: '2021-12-30T16:34:58.437Z',
accessToken: undefined
}
{
user: { uid: '61a53559b7a09ec93f45f6ad' },
iat: 1638290097,
exp: 1640882097,
jti: '2fc85541-eb9b-475e-8261-50c874f85b51'
}
my [next-auth].js :
import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";
import mongoose from "mongoose";
import { compare } from "bcrypt";
import { User } from "../auth/signup"
export default NextAuth({
//configure json web token
session: {
strategy: "jwt",
maxAge: 30 * 24 * 60 * 60,
updateAge: 24 * 60 * 60,
},
providers: [
CredentialsProvider({
async authorize(credentials){
//connect to database
const client = await mongoose.connect(process.env.DB_URI);
//search for user using email or username
const result = await User.findOne({$or: [{email: credentials.username}, {username: credentials.username}]});
//if not found
if(!result){
client.connection.close();
throw new Error("Incorrect username or password.");
}
const checkPassword = await compare(credentials.password, result.password);
//of password doesn't match
if(!checkPassword){
client.connection.close();
throw new Error("Incorrect username or password.")
}
client.connection.close();
if(!result.emailVerified.verified){
client.connection.close();
throw new Error("Please verify your email adress.")
}
return {
uid: result._id
};
}
}),
],
callbacks: {
async jwt({ token, user, account }){
if (account) {
token.accessToken = account.access_token
}
user && (token.user = user)
return token
},
async session({ session, token }){
session.user = token.user;
session.accessToken = token.accessToken;
return session;
}
}
});
I created a sessions array for each user, when the user signs in, I generate a random hash key and save it to this array (you can add custom properties such as IP, time.. etc), and then save this hash to cookies, then I added a request in getServerSideProps
export async function getServerSideProps(context){
const {data: isAuthenticated} = await axios.get(`${process.env.WEB_URI}/api/auth/verify/session`, {
headers: {
cookie: context.req.headers.cookie
}
});
/api/auth/verify/session.js
export default async function session(req, res){
if(req.method === "GET"){
const session = await getSession({req: req});
if(!session){
return res.send(false);
}
mongoose.connect(process.env.DB_URI, {useUnifiedTopology: true} , async function(error) {
if(!error){
const user = await User.findOne({uid: session.user.uid}, {_id: 0, sessions: 1});
if(!user){
return res.send(false);
}
const userSession = user.sessions;
if(userSession.length > 0){
const tokens = userSession.map((session => session.token));
if(tokens.includes(session.user.token)){
res.send(true);
}else{
res.send(false);
}
}else{
res.send(false);
}
}
});
}
}
finally
if(props.isAuthenticated === false){
signOut();
}
I am using simple-peer for video transmission. Its working fine in my local network so I add google's free stun server to connect with people not in my local network. But its throwing error connection failed if I try to connect to anyone outside of my local network and working fine at local network.
React part
const peer = new Peer({
initiator: true,
trickle: false,
stream,
config: {
iceServers: [
{urls: 'stun:stun.l.google.com:19302'},
{ urls: 'stun:global.stun.twilio.com:3478?transport=udp' }
]
}
});
peer.on("signal", signal => {
socketRef.current.emit("sendingSignal", { userIdToSendSignal: userIdToSendSignal, callerId: callerId, signal });
})
})
const peer = new Peer({
initiator: false,
trickle: false,
stream,
config: {
iceServers: [
{ urls: 'stun:stun.l.google.com:19302' },
{ urls: 'stun:global.stun.twilio.com:3478?transport=udp' }
]
},
});
//other peer give its signal in signal object and this peer returning its own signal
peer.on("signal", signal => {
socketRef.current.emit("returningSignal", { signal, callerId: callerId });
});
peer.signal(incomingSignal);
})
Nodejs part
const socket = require("socket.io");
const io = socket(server);
const usersInRoom = {}; //all user(socket id) connected to a chatroom
const socketToRoom = {}; //roomId in which a socket id is connected
//verifying token
io.use(async (socket, next) => {
try {
const token = socket.handshake.query.token;
const payload = await jwt.verify(token, process.env.SECRET);
socket.userId = payload;
const user = await User.findOne({ _id: socket.userId }).select('-password');
socket.username = user.username;
socket.name = user.name;
next();
} catch (error) {
console.log(error);
}
});
io.on('connection', socket => {
console.log('Some one joined socketId: ' + socket.id);
socket.on("joinRoom", roomId=> {
console.log('Joined roomId: ' + roomId + " socketId: " + socket.id + ' userId: ' + socket.userId);
if (usersInRoom[roomId]) {
const length = usersInRoom[roomId].length;
usersInRoom[roomId].push(socket.id);
} else {
usersInRoom[roomId] = [socket.id];
}
socketToRoom[socket.id] = roomId;
const usersInThisRoom = usersInRoom[roomId].filter(id => id !== socket.id);
socket.join(roomId); //for message
socket.emit("usersInRoom", usersInThisRoom); //send all socket id connected to this room
});
//client send this signal to sever and sever will send to other user of peerId(callerId is peer id)
socket.on("sendingSignal", payload => {
console.log(payload.callerId);
io.to(payload.userIdToSendSignal).emit('userJoined', { signal: payload.signal, callerId: payload.callerId });
});
//client site receive signal of other peer and it sending its own signal for other member
socket.on("returningSignal", payload => {
io.to(payload.callerId).emit('takingReturnedSignal', { signal: payload.signal, id: socket.id });
});
//from client send message to send all other connected user of same room
socket.on('sendMessage', payload => {
//sending message to all other connected user at same room
io.to(payload.roomId).emit('receiveMessage', { message: payload.message, name:socket.name, username: socket.username });
});
//someone left room
socket.on('disconnect', () => {
const roomId = socketToRoom[socket.id];
let socketsIdConnectedToRoom = usersInRoom[roomId];
if (socketsIdConnectedToRoom) {
socketsIdConnectedToRoom = socketsIdConnectedToRoom.filter(id => id !== socket.id);
usersInRoom[roomId] = socketsIdConnectedToRoom;
}
socket.leave(roomId); //for message group(socket)
socket.broadcast.emit("userLeft", socket.id); //sending socket id to all other connected user of same room without its own
});
});
Error
Here is my client code.
let Centrifuge = require("centrifuge");
var SockJS = require('sockjs-client');
var jwt = require('jsonwebtoken');
var info = { "sub": "1", "exp": 300,"info": '{ "name": "Venkat" }' }
var secret = "<<token_hmac_secret_key>>"
var centrifuge = new Centrifuge("http://127.0.0.1:8000/connection/sockjs/", {
sockjs: SockJS
})
var gentoken = jwt.sign(info, secret, { algorithm: 'HS256'});
centrifuge.setToken(gentoken);
centrifuge.connect();
centrifuge.on("connect", function (context) {
console.log("CONNECT:", context);
// now client connected to Centrifugo and authorized
});
centrifuge.on("disconnect", function (context) {
console.log("DISCONNECT:", context);
// do whatever you need in case of disconnect from server
});
After executing the above code i am getting response as:
node src/client.js
DISCONNECT: { reason: 'invalid token', reconnect: false }