Need some high level advice before putting the pieces of an app together..
I'm not entirely sure how these three pieces should fit together.
My understanding:
I have the user log in using omniauth and get redirected to a callback, where I can get information provided by the API and use it to build a user in the database. Then, I use warden to "store" the user, and authenticate whether actions are valid or not.
It looks as if I'll have to create my own "strategy" for warden?
How should I store the user's identity?
Somebody's already done the hard work for you. On github: https://github.com/hassox/warden_omniauth
Related
Anyone used epicshaggy / capacitor-native-biometric plugin and have been able to make it work. I have just been able to trigger the NativeBiometric.verifyIdentity( function and make it recognize my biometrics, but that's about it.
I've crawled the internet and haven't found a complete example of how to use it. To summarize, i just want to understand how can i use biometrics to login a user. How do i make my server uniquely identify a user and provides login token.
According to the CapacitorJs docs, and epicshaggy/capacitor-native-biometric, the correct way to work with user credentials is with the provided methods:
NativeBiometric.setCredentials()
NativeBiometric.getCredentials()
NativeBiometric.deleteCredentials()
These methods
Securely stores user's credentials in Keychain (iOS) or encypts them using Keystore (Android)
These methods are also only available on native devices, hence "method not implemented" when attempting to run in a browser, and must be behind Capacitor.isNativePlatform().
Providing an updated answer because this is still a top result when trying to implement biometrics with CapacitorJs
did you found any solution to this so far? I think your own problem is how to recognize a user? there is actually how I used to do this in react native. First of. you need to have some kind of extra "local storage key" that stored values or user credentials when they log in through the inputs. keep in mind that you are not clearing the "key" even if the user "log out" of the app. so in that case. before they could be able to use biometrics users need to sign in the proper way with the inputs so you could save their credentials like email or any unique values or whatever to use later.
Now, my problem is all the functions are not even working for me ah. it keeps saying "method not implemented"
Actually I have an API called update user data, it is called when the user moves from one page to another page. If the user copy the API from console and post in postman, user should not able to update the user data. How to provide security or implement feature to not to update data through post man.
You really can't.
You can slightly make it harder using some CSRF protection, but that's just it - it will only make it a bit harder, but not stop anyone determined.
If your API is public, you should be ready for your users to have custom client apps.
I am a bit confused by your question. Because PostMan or other applications like Fiddler are created to make the job easier for developers during development. anyhow if you are concern about who makes call to your webpage, you can make your API private and just give access to the user that have the right credentials. You can also read about CSRF or XSS.
I'm trying to implement SSO using Atlassian Crowd, and there's a surprising lack of good documentation or even examples out there.
So far, I authenticate a user using CrowdClient.authenticateSSOUser, and get back a SSO Token (String) if successful. Then, I take this token and stuff it in the cookies myself (via HttpServletResponse). On subsequent page visits, I grab all the cookies, search for this one, and then call the CrowdClient.validateSSOAuthentication method on it.
My question is this: Am I supposed to be using more Crowd code for SSO? I seem to be doing more manually than I'd expect.
...I DO see hints of other possibilities out there... For example:
In crowd.properties, you can specify a crowd.token_key, which is apparently what name the app should use store the token in a cookie (though setting this value doesn't magically make that happen).
Things like the CrowdHttpTokenHelper exist in the latest version - yet seem to have no easily-found related examples (or documentation other than JavaDoc).
Yes, there are possibilities out there that will hopefully help or at least serve as reference.
For a readily available implementation, you might want to look into Integrating Crowd with Spring Security.
If you need finer control, use a CrowdHttpAuthenticator. It will allow you to authenticate a request with a username and password as well as check if a session has an existing session cookie. (Its concrete implementation will accept properties and uses crowd.token_key.)
CrowdClient is available if these don't fit your needs, but it's not the only option.
It seems that basic functionality such as user login, can not be done in simple manner: to have username and password field in form on client and based on that to create store.readPathAccess model access rights. Also, how to check if user is logged in to implement access rights on routes?
Based on examples and (poor) DerbyJS documentation, if I understood it correctly, you have to implement login in server module (lib/server/*) because:
store.readPathAccess must be used in server side
you want to store data in model session (which can be read only on server side)
But many questions arise:
if it has to be done on server side, how to get and store client form data on server side without having problem with second item below on the list (I have done it with manually submitting data to server-only route, but can not then save it in model with local key because I have to redirect to client route after that and local model data is lost)
how to read later that data if it must be stored in session?
even if the store access rights for model is managed, how to check if this specific user is logged in when in client routes?
I'm quite confused at the moment... liked Derby principles, but this authentication problems are playing with my nerves seriously.
I know I may not be quite clear, but there are many points to go in details and if anyone can help I'll gladly give more required info.
Thank you,
Eddie
I found this library today called derby-auth.
It uses passport for signing in and has a good example using a simple register and login form.
What it does is to set some routes on the server for logging the user, and a middleware to tell the client if it's logged or not.
It does have some bugs (a few callback calls missing that break some things), so i wrote my own based on that, but must clean a lot of things before uploading anywhere.
i'd be glad to send it to you if you want to, though.
The most current library is https://github.com/derbyparty/derby-login
It has been updated pretty regularly and works with derbyjs 0.6
I am looking for the best way to do a One Time Login for my iPhone application. Using iOS 5.1.1 SDK but targeting iOS 4.1 for deployment.
Its purpose is to fetch a generated ID: if an ID exists then I don't need to login anymore, the ID will be returned in XML.
My application is an extension to a current web based service, it involves asynchronous HTTP POSTs on location updates with an ID as an identifier and checking the XML returned for any errors. The ID does not expire. It is a single view application as it just requires a start/stop button.
The username for the web service never changes so I just want to fetch the ID once off, there is no benefit or security risk if a person was to hack things and get the id due to the nature of the service and the application providing no information on the user. The process I would like goes as follows.
Application launched.
Do we have an ID stored? (yes/no)
If yes go into application.
If no present username/password screen to get ID.
On entering username/password, password is encrypted, sent to the server for verification, if yes then an id is returned and stored.
The username/password would be two inputs and a login button.
What would be the best way to go about this? I really don’t know what direction to follow here.
What I would recommend doing is using iOS's Keychain to store the ID of the user. You can never be too safe, Example usage can be found here GenericKeychain alternatively theres numerous easy to use wrappers to accomplish this.
If you really dont care for security, NSUserDefaults works for storage.
Also, I would suggest utilizing iCloud Document storage to make this ID persistent for all the user(s) devices. You can refer to this thread for more info.
Hope all that I suggested helped with your question !
UPDATE: For anyone else who finds this answer useful. As #sandmanza mentioned, be sure to include the Security.framework, if you go the Keychain route.
You can save ID in NSUserDefault and upon launching the app, you can retrieve ID from NSUserDefault and check whether ID is present or not, and based on that you can proceed further.