I am trying to implement impersonation. I referred to the documentation and also referred to a similar question & response here.
So I see two methods.
1) To do it the way Aspnet.zero implements. In this it seems that user gets logged out and login again with the impersonated tenant & user (gets redirected to the url).
2) Follow a simpler method as in documentation:
using (_session.Use(42, null))
{
var tenantId = _session.TenantId; //42
var userId = _session.UserId; //null
}
In my case If I follow 1st method, I will have to redirect the user to the tenant url (in the format of {subdomain}.mydomain.com) which I am not very keen on doing.
So, If I follow 2nd method can I impersonate in such a way that it will work on impersonated tenant & userid until I switch it off (say by pressing a button)? User scenerio;
Host user go to tenant list.
Click [impersonate] for a selected tenant from the grid (impersonate as tenant admin)
work as the tenant admin of selected tenant
Click [switch off] or similar button that always appear at the header if user is in impersonate mode.
Related
I am using ASP.NET Identity framework. Everything is ok, but I want to restrict user register anonymously in the application, so that only logged-in user can create other users.
Thanks in advance
I have two suggestions, probably not the best option, but they work.
The First:
Before calling Register, first determine whether the user is logged in.
For example:
Determine whether to call Register by judging whether userName is null.
var userName = _userManager.GetUserName(HttpContext.User);
if (userName != null)
{
//Register
}
The Second:
Cancel Register button, load this button after login.
Of course, if you have a deep enough understanding of identity, perhaps RoleManager is a better choice.
In my Spring Boot I'd like to have both social login and signup with user and password.
Let's say the user signs-up via Google. After some time, he forgets that he signed-in via Google and tried to register using the same email.
What should happen in this case?
Should I save user info (returned by Google) in a "users" table of my database to prevent the same user to register twice?
Is there an article or something that explains a similar login/registration flow?
you can save all the users(OAuth or signup) in the user table. you can maintain a column by which you will be able to identify them if a user is signed in via OAuth or email. then if a user tries to signup via the same email you can show a message. or you can design your signup process using multiple steps. at first, the user needs to enter her email address, then you can send her an email where she needs to click some link that has some token in the url, if she previously logged in using some oath provider then she will be automatically logged in otherwise she needs to set her password.
Some users of our application are admins. We want give them a capability to create new users. We think about the following flow:
Admin goes to "Users" page and clicks a "create a new user" button and fill new user's name and email address.
That new user retrieves an email with acknowledge that a user was created in our application.
The user clicks a link from email body and proceeds to "Set password" page and specify his password.
Is it possible to achieve such flow with angular + express? Is there any other possible flows which can be achieved?
You can create an invite-based flow, but you'll have to do some custom work with our libraries.
You'll need to work with the Stormpath Client and Stormpath Application directly, these are provided by the Stormpath Node SDK. Inside of your Express middleware, retrieve the client with:
var stormpathClient = req.app.get('stormpathClient')
and the application with:
var stormpathApplication = req.app.get('stormpathApplication`)
On the application, use stormpathApplication.createAccount() to create the user. When you pass the new account data, set the password to something that is very long, random, and un-guessable. If your Stormpath directory has email verification enabled, the user will get an invite email. That email should link them into your Angular application, to a custom view which will read the email verification token from the URL and post it to a custom middleware on your server. This middleware will need to use stormpathClient.verifyAccountEmail() to verify the token.
Then you can collect a new password for the user, and save it by setting req.user.password='new password', then calling req.user.save().
Hope this helps! I work at Stormpath and I am a maintainer of these libraries :)
I am working on a Laravel 4.2 project.
I already have implemented an email activation module for new user registration. Whenever a new user registers, I provide an activation link to him in an email and clicking on link, I compare the token (a random string with 30 characters) I have provided with link and user's email address with database records. If found to be matching, I just set is_active field of users table to true and redirect him to login page with a Congratulations message for successful activation.
But now, I DON'T want him to redirect to login page, but if successful activation, I want him logged in directly to his account.
But I believe that authenticate an user with just a string token and email address is not a secure way.
There must be something that I can trust on. Many sites do this including stackoverflow itself but I am not sure how?
Can you please guide me how to do this?
I'm very new to ion-auth so apologies in advance if this is a dumb question.
I have a feature request from a user (an admin) where they would like to be able to switch into another user's account to see the app from their point of view. The use-case here is that the admin would find the user in question's account in our user admin page in the app, then click a button to effectively 'become' that user.
Any ideas how this would be achieved?
Many thanks
Pete
#Pete,
What you're asking for is what is sometimes called "hijacking" the account.
There isn't currently a feature for that, but essentially what you need to do is:
1) destroy the current session
2) rebuild the session as the user you want to highjack
3) make sure the logged_in session variable is also set.
Passwords are all hashed, but I think it would be pretty straightforward to write a login function for yourself that doesn't go through the password hashing as part of the login steps.
In other words,
1) log out
2) look up the user id's username & password
3) login directly with that password, not a hashed version
Of course, you'll want to be very careful about your security
You need to alter the users_groups table adding a "status" field, in order to set true/false the current user_group.
Then, upgrade the model with a function that makes the following:
Get the current group and sets his status to false.
Get the new group and set his state to true.
Redirect to home page of selected group.
With this change, you can regenerate all the user`s data session and navigate as the selected user.