In my Scala/Play application i have to work with database but there's no default user and password because every authenticated application user is bound to different DB user. So i'd like to specify user name and password on obtaining connection, smth like:
DB.withConnection(user = "James", password = "secret") { ... }
For now i can't find such capabilities in docs (and honestly saying i'm not sure how to specify a search query for my question).
And another question: is it safe to store user password in session taking into account that session is stored on user side? Or are there any best practices for such case when different DB users work with app?
Answer to Question 1
In Play, you obtain datasources by name:
def getDataSource(name: String): DataSource
You'd have to do some heavy hacking of the stuff in package play.api.db to get the functionality you require.
That, or you can predefine a bunch of datasources if the number of users of your app is small, and retrieve the connection by their login name, e.g.:
db.bob.url="jdbc:h2:mem:db_for_bob"
db.bob.driver=org.h2.Driver
db.alice.url="jdbc:h2:mem:db_for_alice"
db.alice.driver=org.h2.Driver
And
DB.withConnection("bob") { implicit connection =>
Or
DB.withConnection(userNameKnownAtRuntime) { implicit connection =>
Answer to Question 2
Even though the data in sessions are heavily encrypted using the application secret, I would recommend not to store these client-side. Instead, implement something along the lines of Resource Owner Password Credentials Grant according to this section in the OAuth 2 spec. That would give your client a token which is only valid for a set period, and could be invalidated server-side if need be.
Related
In my Firebase database, I have a section for storing usernames that are taken.
There is a “usernames” node, where the username is the key, and the user’s ID is stored in a “userId” atrribute.
usernames
{
username1
userId : "exampleId1"
username2
userId : "exampleId2"
username3
userId : "exampleId3"
...
}
When a user is signing up, before they create an account and are Authenticated, the app must check that the username is not taken.
In order for this to work, the “usernames” node has been set to public in the Firebase Security Rules:
"usernames": {
".read": true
}
Unfortunately, this will make every taken username and internal user ID visible, which is a security concern and not something that should be done.
(for those that don’t know, public nodes can be accessed through a browser like so):
https://mydatabasename.firebaseio.com/usernames.json
There are other nodes for banned usernames and emails that work in a similar way; they have to be checked before a user is Authenticated, and should not be fully exposed to the public.
My question is: When a user is signing up, how can I check for available usernames without making the entire node public?
To know if a specific user name is already taken, the user doesn't need read permission to /usernames but it's suffice to give them read access to /usernames/$username. So:
"usernames": {
"$username": {
".read": true
}
}
With these rules, you code can check whether the specific user name that the user wants to claim is already taken (by someone else), but they can't request a list of all user names.
Two options comes to mind, the first is allowing the public read access to your database while the second method is what I would do in a real project:
Method 1: Maintain a Separate "Usernames" Node
With this method you create a secondary node, let's say it's called usernamesInUse and this would be world readable. Its structure would look like this:
{
"usernamesInUse": {
"username1": true,
"username2": true,
"username3": true
}
}
Checking if a username exists is as simple as:
db().ref('usernamesInUse/username2').once('value', (snapshot) => if (snapshot.exists()) ...)
The downsides to this method are that you have to have processes in place to update this node whenever a new user is added, modified or deleted. However this would give secure read access to usernames and nothing else.
Method 2: Create a Cloud Function (How I would do it)
Create a simple Cloud Function with an HTTPS endpoint that checks for the existence of the username and returns a 200 or 404 status code. Your database would not need any world readable permissions.
This avoids the need to duplicate data, prevents users from downloading a full list of every user in your system and prevents the world from unmetered access to your database. You also have the opportunity to block access to abusive anonymous visitors.
Tell me if you like the idea. :)
I would create a singleton with all func and variable private which will only return a Bool and take Username variable.
This way no one can access data or func from this part. No injections possible.
Insisde the singleton you can check all usernames and do whatever you want.
return only Bool.
Is it possible to store multiple credentials for a given user in Keycloak?
They don't need to be all active/enabled at the same time. The use case for us is rather that we want to store new credentials in advance but don't want to have them active yet. They should be activated/enabled at a later time after some manual user verification.
The Keycloak REST API documentation states that UserRepresentation indeed comprises an array of CredentialRepresentation but in my few tests the GET call wouldn't even return a credentials attribute.
I would say that's impossible to have more credentials for a user.
But you can always implement your own user storage SPI that implements interface CredentialInputValidator, where you can check for the valid password.
Let's say in your DB, you have 2 colums for passwords: pas_col1 and pas_col2, and 1 more column as flag, which tells what column is used for user authentication, so in isValid(RealmModel realm, UserModel user, CredentialInput input) method you can check for your conditions.
Link to SPI: https://www.keycloak.org/docs/3.4/server_development/index.html#_user-storage-spi
I'm using the parse REST API.
I need to setup so that for any requests made:
1) only logged in/authenticated users can Read or Write.
2) users can only access/modify records they own.
My current implementation:
1) using the Application key + REST API key.
2) sending request to user login endpoint, on success returning the user data including the session token
for 2), I'm not doing anything with the session token yet.
I understand that parse has:
1) class based permissions
2) object-level permissions (ACL's)
With Read and Write access on the class level, and by simply using the Application Key + REST API Keys,
anyone with these two keys can access that class (ofcourse, the Master Key has even more "power").
I want to simply say that they can Read and Write on the class level, if they're logged in/authenticated.
And when they Read, Update or Delete, they can only do so if they're owner of the object.
I assume that session token will play a role in the logged in part, and ownership is defined by object-level ACL
Is this correct and how to roughly set this scenario up in parse?
It's not clear to me in the REST API how to handle this (what I think is a common) type of scenario.
Thanks for any feedback
{"ACL":{"$CURRENT_USER":{"read":true,"write":true}}}
above in acl column will mean at the security level, only the creator has RW permissions. No other user can see these records with this ACL attr value regardless of their access on the CLASS level.
OR
you control the accessor predicates in your app. So you can add a column = 'createdBY' of type pointer_to_class_User.
Any queries just contain predicate ..
'where={"createdBy":{"__type":"Pointer","className":"User","objectId":"$CURRENT_USER"}}'
which enforces ( outside row security level ) idea of only getting result sets containing rows for the current-user.
all depends on how you want to use the security layer.
I would do it using the predicates and resort to the ACL only where you may have stuff like SSN's or Salary where as a policy you dont what general read permissions.
I'm thinking to create an API for users to change their password.
User table has some fields like firstname, lastname and so on.
For this API, should I use PATCH like the below?
PATCH /users/{userId}
{
"password": "new_password"
}
Or, should I use PUT?
PUT /users/{userId}/{password}
This seems awful for security.
By the way, I don't want users to change values of other fields. I think PATCH must let users to be able to change values of any fields. That's why I'm wondering.
Path info and query string will be encrypted using HTTPS/TLS - for that HTTP session. However, it is still a bad idea to put passwords there, since they are likely to be in browser history and/or server logs
PUT /users/{userId}/{password}
... that will stay in web server logs. As secure developers, we are not supposed to even store passwords in databases where they can be stolen (we are to store a hash + salt of a password). Having cleartext passwords in web server logs is worse.
Sending it in the body in a TLS session is the best.
PATCH /users/{userId}
{
"password": "new_password"
}
... and then hash+salt it and store that. Logins, you do the same process (one-way hashes match).
See this: HTTPS, URL path, and query string
From a security POV there is no difference. An attack can read both the query string and the request body. You should use TLS.
Both requests look fine to me. Their URLs and their bodies are good, solid REST.
If you don't want to accept changes to all fields, write logic in your server that rejects requests that trie to change fields that are not to be changed by the user. But this is not a question of PUT vs. PATCH or POST.
I am currently planning a web API based on the principles of REST. I am using a session token to correct identify what user is making a request (after authentication of course), then determining if that user has access to the given resource.
Assuming the user making the request has a userID of 7, and I am wanting to retrieve a list of only the presentations that he can access, would best/proper practice be to:
1. Include my userID in the route, such as:
localhost:55555/api/users/7/presentations
or
2. Not include userID, such as:
localhost:55555/api/presentations
Each presentation can be accessed by any number of other users. For this reason I am leaning towards option 2 but would like to know what others think before I finalize the structure.
A very common pattern for REST APIs is to have both:
a list resource with optional parameters like /presentation/?by=Alice&since=2013-1-1,
object resources like /presentation/0AFF56E7.
For presentations, I wouldn't use a composite ID containing the user ID, since it doesn't seem really needed and it would prevent future features like changing the "owner" of the presentation (without changing its ID).