How to pass a new parameter in LoopBack login? - loopback

I have a problem with login in LoopBack. I want to add a 3rd parameter.
This is the default LoopBack code:
<pre>
User.login({username: 'foo', password: 'bar'}, function (err, token) {
  console.log(token.id);
});</pre>
I want to pass a new parameter like this:
<pre>User.login({username: 'foo', password: 'bar', is_deleted: '0'}, function (err, token) {
  console.log(token.id);
});</pre>
I also tried passing a third parameter is_deleted=0, but it did not work in my case.

You can log in with the following combinations:
username & password
email & password
So if you want to inject some logic before login, then you can use operation hooks, do some stuff and perform login with any of the above mentioned combinations.
Sample code:
// Remote hook: runs before the built-in User.login remote method
extendedUser.beforeRemote('login', function (context, unused, next) {
  // Do some operation or validation here; call next(err) to abort the login
  next();
});
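One way to do the check this answer describes, as an added example that is not code from the question, the answer or LoopBack itself: a LoopBack 3-style beforeRemote('login') hook that refuses soft-deleted accounts. The security-relevant point is that the client never gets to decide this. An is_deleted value sent in the request body is discarded and the flag is read from the server-side record instead, and the rejection uses the same 401/LOGIN_FAILED shape as a wrong password so the response does not reveal that the account exists. The in-memory store, the field name is_deleted and the wiring at the bottom are assumptions for this example.

```javascript
// Added example, not code from the question, the answer or LoopBack itself.
'use strict';

// Constructed in-memory user store standing in for User.findOne().
const USERS = [
  { id: 1, username: 'foo',  email: 'foo@example.com',  is_deleted: 0 },
  { id: 2, username: 'gone', email: 'gone@example.com', is_deleted: 1 },
];

// Looks a user up by username or email. A real LoopBack lookup is
// asynchronous; the hook below is callback-based, so it works either way.
function findUser(where, cb) {
  const user = USERS.find(u => where.username
    ? u.username === where.username
    : u.email === where.email) || null;
  cb(null, user);
}

// Returns a hook with the Model.beforeRemote(name, fn(ctx, unused, next)) signature.
function makeDeletedUserGuard(lookup) {
  return function deletedUserGuard(ctx, unused, next) {
    // User.login reads its credentials object from the request body, so the
    // hook sees it as ctx.args.credentials (ctx.req.body as a fallback).
    const creds = (ctx.args && ctx.args.credentials) || (ctx.req && ctx.req.body) || {};
    // Client-supplied is_deleted is untrusted input: drop it rather than read it.
    delete creds.is_deleted;
    // No identifier at all: let the built-in login produce its usual error.
    if (!creds.username && !creds.email) return next();
    const where = creds.username ? { username: creds.username } : { email: creds.email };
    lookup(where, function (err, user) {
      if (err) return next(err);
      if (user && user.is_deleted) {
        // Same status and code LoopBack uses for bad credentials, so the
        // response does not reveal that the account exists but is disabled.
        const e = new Error('login failed');
        e.statusCode = 401;
        e.code = 'LOGIN_FAILED';
        return next(e);
      }
      next(); // unknown or active user: continue into User.login
    });
  };
}

// Demonstration helper: run the guard against a fake remoting context and
// report the error (if any) and the credentials that would reach login.
function runGuard(body) {
  const ctx = { args: { credentials: Object.assign({}, body) }, req: { body } };
  let result = null;
  makeDeletedUserGuard(findUser)(ctx, null, function (err) { result = err || null; });
  return { err: result, credentials: ctx.args.credentials };
}

// Wiring in a real app (assumed, not executed here):
//   app.models.User.beforeRemote('login', makeDeletedUserGuard(
//     (where, cb) => app.models.User.findOne({ where }, cb)));
```

Because the hook strips is_deleted before the credentials reach User.login, the client can keep sending the extra field as in the question without it having any effect; the decision is made from the stored record only.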

What exactly do you want to do with that third parameter? If you want to perform any logic before the login method, you can create a new remote API and, after performing that logic, call the default login API inside it.
Something like:
model.newApi = function (username, password, param3, cb) {
  // use param3 to perform logic, then delegate to the built-in login
  app.models.User.login({ username: username, password: password }, cb);
};

Related

Could a callable cloud function that deletes users be abused so it can delete users by id only?

I have a callable cloud function on the frontend that gets a sub-user id from the front-end, passes it to the cloud function, and then the cloud function deletes that user and also deletes his doc from the collection...
My question is: could someone get the id of some user and use that function and start popping requests using this function to delete users left and right?
It makes sense that this cloud function won't follow any rules, so I consider this to be a major security risk if implemented in the wrong way. Any idea how to improve security on this and guard against any abuse attempts?
Front-end callable function:
const functions = getFunctions();
const deleteClient = httpsCallable(functions, 'deleteClient');
deleteClient({ uid: 'clientId' })
  .then((result: any) => {
    // Read result of the Cloud Function.
    /** @type {any} */
    // const data = result.data;
    // const sanitizedMessage = data.text;
    console.log(result);
  })
  .catch((err: any) => {
    alert(err);
  });
Cloud Function:
export const deleteClient = functions.https.onCall((data, context) => {
  // context.auth is never checked: any caller can pass any uid
  admin
    .auth()
    .deleteUser(data.uid)
    .then(() => {
      console.log('Successfully deleted user');
    })
    .catch((error: any) => {
      console.log('Error deleting user:', error);
    });
  db.collection('ClientsData').doc(data.uid).delete();
});
It indeed sounds like you created a security risk, and this is also precisely why Firebase Authentication only allows deleting the currently signed-in user in its client-side SDKs.
You'll have to implement some sort of authorization scheme in your Cloud Functions code. This is a two-step process:
Pass the identity of the signed-in user making the call from the client to the server, and use it there to establish who is making the call. Since you're using Callable Cloud Functions, this is already done for you and the user is available in the context.auth variable in your Cloud Functions code.
Determine whether the user is authorized to perform the operation. This is typically done by having a list of authorized users, and then checking whether the context.auth.uid that made the call is in that list. The list could be stored in your database too of course, so that you can update it without making changes to the code.
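The two steps from this answer applied to the deleteClient function, as an added example that is not the poster's or the answer's code. The callable logic is written against injected dependencies so it runs offline against a constructed fake backend; in a deployed function those dependencies are backed by firebase-admin (the commented wiring at the bottom). It assumes a ClientsData/{uid} document with an ownerUid field and an admins/{uid} collection as the authorization list; both are assumptions, as is the local HttpsError stand-in.

```javascript
// Added example, not the poster's or the answer's code.
'use strict';

// Minimal stand-in for functions.https.HttpsError so the block has no
// imports. In a deployed function use the real class with the same codes,
// otherwise the client only ever sees 'internal'.
class HttpsError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// deps.getClientDoc(uid)   -> Promise<{ ownerUid } | null>
// deps.isAdmin(uid)        -> Promise<boolean>
// deps.deleteAuthUser(uid), deps.deleteClientDoc(uid) -> Promise<void>
function makeDeleteClient(deps) {
  return async function deleteClient(data, context) {
    // Step 1, authentication: callable functions put the verified ID token
    // in context.auth; without it nobody is making this call.
    if (!context.auth || !context.auth.uid) {
      throw new HttpsError('unauthenticated', 'Sign in first.');
    }
    const callerUid = context.auth.uid;
    const targetUid = data && data.uid;
    if (typeof targetUid !== 'string' || targetUid.length === 0 || targetUid.length > 128) {
      throw new HttpsError('invalid-argument', 'uid must be a non-empty string.');
    }
    // Step 2, authorization: the caller must own this sub-user or be on the
    // admin list kept in the database.
    const doc = await deps.getClientDoc(targetUid);
    if (!doc) throw new HttpsError('not-found', 'No such client.');
    const allowed = doc.ownerUid === callerUid || (await deps.isAdmin(callerUid));
    if (!allowed) {
      throw new HttpsError('permission-denied', 'Not allowed to delete this client.');
    }
    // Do the work and let failures propagate instead of only logging them.
    await deps.deleteAuthUser(targetUid);
    await deps.deleteClientDoc(targetUid);
    return { deleted: targetUid };
  };
}

// Constructed fake backend for running the example offline.
function fakeDeps() {
  const clients = new Map([
    ['client-1', { ownerUid: 'owner-1' }],
    ['client-2', { ownerUid: 'owner-2' }],
  ]);
  const admins = new Set(['admin-1']);
  const authUsers = new Set(['client-1', 'client-2']);
  return {
    clients, authUsers,
    getClientDoc: async uid => clients.get(uid) || null,
    isAdmin: async uid => admins.has(uid),
    deleteAuthUser: async uid => { authUsers.delete(uid); },
    deleteClientDoc: async uid => { clients.delete(uid); },
  };
}

// Runs one call and reports either the result or the HttpsError code.
async function tryDelete(deps, callerUid, targetUid) {
  const fn = makeDeleteClient(deps);
  try {
    return await fn({ uid: targetUid }, callerUid ? { auth: { uid: callerUid } } : {});
  } catch (e) {
    if (e instanceof HttpsError) return { error: e.code };
    throw e;
  }
}

// Deployed wiring (assumed, not executed here):
//   exports.deleteClient = functions.https.onCall(makeDeleteClient({
//     getClientDoc: async uid => (await db.collection('ClientsData').doc(uid).get()).data() || null,
//     isAdmin: async uid => (await db.collection('admins').doc(uid).get()).exists,
//     deleteAuthUser: uid => admin.auth().deleteUser(uid),
//     deleteClientDoc: uid => db.collection('ClientsData').doc(uid).delete(),
//   }));
```

Note that the admin SDK bypasses Firestore security rules, so the authorization check in the function is the only thing standing between an authenticated caller and every user in the project; keep the admins collection itself writable only from server code.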

Check if user phone_number already exists in AWS Cognito user pool

I am using serverless lambda functions on AWS for user authentication in a Cognito user pool. I am asking the user only for his phone_number and sending him an OTP for verification. The problem arises when the user signs out and signs in again. I am unable to decide when to call signUp or signIn for the user.
I am guessing that I need a lambda call to be triggered before the pre-signup, which verifies that the user phone number already exists in the user pool, and then I need to call the Amplify.Auth.signIn API from the client. If not, then call the Amplify.Auth.signUp API from the client. But I am unable to find any document for that. I am using Flutter as my front-end. Please help.
My pre-signup lambda function looks something like this:
exports.handler = async (event) => {
  console.log('Received EVENT', JSON.stringify(event, null, 2));
  event.response.autoConfirmUser = true;
  event.response.autoVerifyPhone = true;
  return event;
};
You can use the CognitoIdentityServiceProvider.listUsers call for this.
const { CognitoIdentityServiceProvider } = require('aws-sdk'); // aws-sdk v2
const cognitoIdentityServiceProvider = new CognitoIdentityServiceProvider();

async function findUsernameByPhone(phoneNumber) {
  const result = await cognitoIdentityServiceProvider.listUsers({
    UserPoolId: process.env.USER_POOL_ID,
    Filter: `phone_number = "${phoneNumber}"`
  }).promise();
  return result.Users.length > 0 ? result.Users[0].Username : undefined;
}
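A fuller version of the lookup in this answer, as an added example that is not the answer's code: the phone number is validated as E.164 before it is interpolated into the ListUsers filter expression, PaginationToken is followed, and a CONFIRMED account is preferred when the pool does not enforce phone_number uniqueness. The Cognito client is injected so the block runs offline against a constructed fake; in a Lambda pass new CognitoIdentityServiceProvider() from aws-sdk v2 (the function's role then needs cognito-idp:ListUsers). The pool id and the sample users are assumptions.

```javascript
// Added example, not the answer's code.
'use strict';

// E.164 as Cognito stores phone_number: '+' followed by up to 15 digits.
const E164 = /^\+[1-9]\d{1,14}$/;

// Only a validated literal is interpolated, so a caller cannot smuggle
// quotes or other filter syntax in through the phone field.
function buildPhoneFilter(phoneNumber) {
  if (!E164.test(phoneNumber)) {
    throw new Error('phone_number must be E.164, e.g. +15551234567');
  }
  return `phone_number = "${phoneNumber}"`;
}

// Resolves to the Username of the matching user, or undefined if none.
async function findUsernameByPhone(client, userPoolId, phoneNumber) {
  const Filter = buildPhoneFilter(phoneNumber);
  const found = [];
  let PaginationToken;
  do {
    const page = await client.listUsers({
      UserPoolId: userPoolId, Filter, Limit: 60, PaginationToken,
    }).promise();
    found.push(...page.Users);
    PaginationToken = page.PaginationToken;
  } while (PaginationToken);
  // phone_number is only unique if the pool enforces it; prefer a CONFIRMED
  // account over an abandoned sign-up that shares the number.
  const hit = found.find(u => u.UserStatus === 'CONFIRMED') || found[0];
  return hit ? hit.Username : undefined;
}

// Constructed sample users in the shape ListUsers returns.
const SAMPLE_USERS = [
  { Username: 'a1b2', UserStatus: 'UNCONFIRMED', Attributes: [{ Name: 'phone_number', Value: '+15551234567' }] },
  { Username: 'c3d4', UserStatus: 'CONFIRMED',   Attributes: [{ Name: 'phone_number', Value: '+15551234567' }] },
  { Username: 'e5f6', UserStatus: 'CONFIRMED',   Attributes: [{ Name: 'phone_number', Value: '+447700900123' }] },
];

// Constructed fake client returning pages of `pageSize` users, like the v2 SDK.
function fakeCognito(users, pageSize) {
  return {
    listUsers(params) {
      const m = /^phone_number = "(\+\d+)"$/.exec(params.Filter);
      const matches = users.filter(u => m && u.Attributes.some(
        a => a.Name === 'phone_number' && a.Value === m[1]));
      const start = params.PaginationToken ? Number(params.PaginationToken) : 0;
      const Users = matches.slice(start, start + pageSize);
      const next = start + pageSize < matches.length ? String(start + pageSize) : undefined;
      return { promise: async () => ({ Users, PaginationToken: next }) };
    },
  };
}
```

If this lookup is exposed to the Flutter client as a pre-check endpoint, return only a boolean, never the Username, and be aware that even the boolean tells an unauthenticated caller which phone numbers are registered. An alternative that avoids the lookup entirely is to always call signUp and treat Cognito's UsernameExistsException as the signal to call signIn instead.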

Getting callback URL mismatch in an Angular 2 application

I use Auth0 to authorize users via Google, Facebook and others. This works perfectly if you click log in while the URL is on the list of white-listed callback URLs in Auth0.
But my web application can have any number of different URLs, so having a simple white-list with some allowed URLs does not work.
The login always tries to redirect back to the same URL as I logged in from, and this URL is most of the time not in the list of allowed URLs.
I have tried all kinds of variations of the above settings, but I only get errors like these ones:
The url "https://x.com/posts/gif/hot/1" is not in the list of allowed callback URLs
The url "https://x.com/posts/world/new/1" is not in the list of allowed callback URLs
The url "https://x.com/posts/nature/hot/6" is not in the list of allowed callback URLs
The url "https://x.com/posts/gaming/hot/3" is not in the list of allowed callback URLs
The Lock configuration-related code:
options = {
  auth: {
    callbackURL: 'https://x.com',
    // redirectUrl: 'https://x.com',
    responseType: 'token',
    // sso: true,
    // redirect: true,
    params: {
      scope: 'openid user_id name nickname email picture'
    }
  }
};
// Configure Auth0
lock = new Auth0Lock('x', 'x.auth0.com', this.options);
constructor(private _router: Router) {
  this.userProfile = JSON.parse(localStorage.getItem('profile'));
  // Add callback for the Lock `authenticated` event
  this.lock.on('authenticated', (authResult) => {
    localStorage.setItem('id_token', authResult.idToken);
    // Fetch profile information
    this.lock.getProfile(authResult.idToken, (error, profile) => {
      if (error) {
        throw new Error(error);
      }
    });
  });
};
The login method:
public login() {
  // Call the show method to display the widget.
  this.lock.show({
    callbackUrl: 'https://x.com',
    state: this._router.url
  });
};
I'm assuming you're using the latest version of Lock (Lock 10) and if that's the case there are a few issues with the code you included:
The URL to which Auth0 will redirect to after the user completes the authentication step is specified through auth: { redirectUrl: '...' } and you have that line commented and instead the code is incorrectly using callbackURL.
According to the docs, the show method no longer takes any arguments.
Independently of the Lock version the state parameter should be used to mitigate CSRF attacks so using it exclusively to pass contextual information may be insecure.
Given you have the redirectUrl commented, you probably also gave it a try; did you get the same behavior when using that parameter?
Based on the documentation the required configuration for what you're trying to achieve should be accomplished by having:
options = {
  auth: {
    redirectUrl: 'https://example.com/login/callback',
    responseType: 'token',
    params: {
      state: '[your_state_value]',
      scope: 'openid user_id name nickname email picture'
    }
  }
};
public login() {
  // Call the show method to display the widget.
  this.lock.show();
};

How to get a logged-off user's email address in Meteor?

In my routing file I have the following:
Router.route('/user/:createdBy', {
  name: 'user',
  /*onBeforeAction: function () {
    AccountsEntry.signInRequired(this);
  },*/
  fastRender: true,
  data: function () {
    var paramId = this.params.createdBy;
    // Still have to find a way how to get data
    // Function below is only for signed in users
    return Meteor.users.findOne(paramId);
  }
});
In my user template I want to display the email. I have it like this {{emails.[0].address}} and as {{users.emails.[0].address}}, but the email doesn't show up. It only shows up if the user is logged in. I do, however, have the user's Id as my param. (This is for testing purposes, guys!)
If you want to use the logged-off user's information, you could try this:
// in your router.js
// callback would be called when login is successful
Accounts.onLogin(function () {
  Session.set('login user', Meteor.user());
});
// in your template, or other functions
// the Session would be updated only if a user logs in successfully
var userId = Session.get('login user')._id;
Click here for more details.
I wish it could help :-)
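The email in the question shows up only for the logged-in user because Meteor's default publication sends a client only the current user's own username, emails and profile; any other user's fields have to be published explicitly, and when you do that the field projection decides what leaks. Added example, not the answer's code: a whitelisted projection for a public profile, with a small in-memory projector that mirrors what Meteor.users.find(selector, { fields }) would send, so it runs offline. The publication name, the route wiring and the constructed user document (dummy hash and token) are assumptions.

```javascript
// Added example, not the answer's code or Meteor's.
'use strict';

// Whitelist for a public profile. An inclusion projection (rather than
// deleting unwanted keys) means a sensitive field added later is not
// exposed by accident; `services` (password hash, login tokens, OAuth
// secrets) is never listed here.
const PUBLIC_PROFILE_FIELDS = { username: 1, 'emails.address': 1, 'profile.name': 1 };

// Copies one dotted path from src into dst, descending into arrays the way
// MongoDB does for a projection like 'emails.address'.
function copyPath(src, dst, parts) {
  const [head, ...rest] = parts;
  if (src === null || typeof src !== 'object' || !(head in src)) return;
  const v = src[head];
  if (rest.length === 0) { dst[head] = v; return; }
  if (Array.isArray(v)) {
    dst[head] = dst[head] || [];
    v.forEach((item, i) => {
      dst[head][i] = dst[head][i] || {};
      copyPath(item, dst[head][i], rest);
    });
  } else if (v && typeof v === 'object') {
    dst[head] = dst[head] || {};
    copyPath(v, dst[head], rest);
  }
}

// Applies an inclusion projection to a document; _id is always kept, as in Mongo.
function applyFieldProjection(doc, fields) {
  const out = {};
  for (const path of Object.keys(fields)) {
    if (fields[path]) copyPath(doc, out, path.split('.'));
  }
  if (doc._id !== undefined) out._id = doc._id;
  return out;
}

function publicProfile(user) {
  return applyFieldProjection(user, PUBLIC_PROFILE_FIELDS);
}

// Server side (assumed wiring, not executed here):
//   Meteor.publish('publicProfile', function (userId) {
//     check(userId, String); // reject object selectors like { $ne: '' }
//     return Meteor.users.find({ _id: userId }, { fields: PUBLIC_PROFILE_FIELDS });
//   });
// Client side, in the route: this.subscribe('publicProfile', this.params.createdBy);
// Meteor.users.findOne(paramId) then returns only the projected fields,
// whether or not anyone is logged in.

// Constructed user document in the shape Meteor stores; hash and token are dummies.
const SAMPLE_USER = {
  _id: 'u1',
  username: 'alice',
  emails: [{ address: 'alice@example.com', verified: true }],
  profile: { name: 'Alice', avatar: '/img/alice.png' },
  services: {
    password: { bcrypt: '$2b$10$dummyhashdummyhashdummyhashdummyhashdummyhashdummyha' },
    resume: { loginTokens: [{ hashedToken: 'dummy-token-hash', when: new Date(0) }] },
  },
};
```

The check(userId, String) line matters as much as the projection: a selector built from an unchecked route parameter can be an object, and { _id: { $ne: '' } } would publish every user's projected fields at once.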

Visualize.js authentication error after second login

I have a website, utilizing Visualize.js, that has a simple login/logout feature. Every time I log in I call the authenticateUser() function, and on logout destroySession(). When I log in, then log out and then log in again, and try to render my existing reports, I get this thrown error:
HTTP Status 401 - Full authentication is required to access this resource
The functions authenticateUser() and destroySession() are shown below:
function authenticateUser() {
  var myConfig = {
    auth: {
      name: "superuser",
      password: "superuser"
    }
  };
  visualize.config(myConfig);
}
function destroySession() {
  visualize(function (v) {
    // Log out from JRS and finish the session.
    v.logout().done(function () {
    });
  });
}
I would like to point out that when I first log into my account this error is not thrown and it renders the reports perfectly.
Why is this happening after logging out and then logging in again?
This seemed to have worked for me. So I called visualize.config( config ) first so that I can store the common configuration and share it between visualize calls, and then called the login method to perform authentication with the provided auth object. My reference: http://community.jaspersoft.com/wiki/visualizejs-api-notes-and-samples-v56
visualize.config(config);
visualize(function (v) {
  v.login(config);
});
This solution was not in their documentation, though; I put the pieces together to finally solve the problem.
The documentation contained a solution to this problem, although it is not very explicit. See the sample code and sample link from the documentation:
visualize.config({
  auth: {
    name: "superuser",
    password: "superuser"
  }
});
Share common config between 'visualize' calls
Just a note:
Actually, when you log in you need to log out at some appropriate event. This depends on your application's requirements, e.g. if you are embedding reports within an existing web application, it seems more appropriate to link it to the existing application's login/logout.