I want to set the Authorization header in my websocket request to send a token.
I have found no native ways to do so (I settled for passing a token in the query parameters). I see that socket.io provides this functionality (altough I have not tryed it) and I'm wondering how it works under the hood
As a work around I use express-session, with express-socket.io-session (https://www.npmjs.com/package/express-socket.io-session)
This way I found it is easy to set an identifier when a user logs in.
p.s. all the methods in express-session docs, are available to you in express-socket.io-session.
Related
There is need to send from my SP to IdP SAML AthnRequest over HTTP-POST and HTTP-Redirect is not allowed.
Good package is aacotroneo/laravel-saml2 but it does not support HTTP-POST.
simplesamlphp/simplesamlphp is popular but it is a mess to use.
What library to use for proper SAML integration in Laravel that supports HTTP-POST requests to IdP?
With some effort you should be able to modify https://github.com/aacotroneo/laravel-saml2 to send AuthNRequest using HTTP-POST.
Instead use directly the login method of php-saml that you can find here
https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Auth.php#L428
you can execute the code described there and do a POST instead of a GET, if you need to support signature, you will need to embed it.
The alternatives is https://github.com/KnightSwarm/laravel-saml
https://packalyst.com/packages/package/aherstein/laravel-saml2-post is the library that has been forked from aacotroneo/laravel-saml2 and modified to send POST requests.
I am making a VueJS app with a Laravel backend. I see Laravel has Passport which is used to authenticate/authorize APIs. (Sincerely I have not yet succeeded in integrating Passport. I have not understood where the starting point is. Will post that question separately).
I have done a lot of searching and still have not found the best/easiest way of doing authentication and authorization, and also interface control depending on permission. (I know "best" is subjective but basically means a method that is easy to integrate, understand and use).
Anyone who has been there and used one that worked really well?
I generally use JSON Web Tokens for my web and mobile apps. It's simpler to set up than Oauth and is a better fit for many applications.
Basically, the user sends a POST request containing their authentication details to the appropriate endpoint and receives a token in response. The user can then include that token in the Authorization header of future requests to authenticate them.
The token also includes a timestamp for when it expires, and it can be decoded on the client side so that an application can refresh the token before it expires.
There's an excellent implementation of JWT for Laravel which I use all the time and can highly recommend. There are also client-side libraries for handling JWT with pretty much every framework under the sun.
#MatthewDaly, I followed your recommendation and I stumbled on a VueJs-Laravel JWT implementation here: http://jimfrenette.com/2016/11/laravel-vuejs2-jwt-auth/
I followed through the Tutorial and was able to make it work for my case. (Caveat: The post is slightly old (using Laravel 5.2), but with good understanding of Vue and Laravel, you can be able to follow and implement it easily).
I'm currently running into a lot of issues with the CSRF token.
Our current setup is a Ruby API and an Angular front-end, both live on a different domain.
The Ruby back-end solely serves as an API for the front-end.
I've spend a lot of time researching this problem, but I can't find a proper solution.
So far the solutions I've found are:
Generate the token and insert it into the DOM (Different domains, so can't do that)
Let the API return the CSRF token on a GET request (Doesn't seem to work, and it's not a good solution since I don't want to make an extra request just to get the token)
So I'm rather stuck here and not sure how to continue.
Is the current implementation just not working? How do other people create an API with oauth without running into this issue?
Not sure if this will help but here is a sample of a simple todo api in ruby with angular as frontend, and i am using token for authentication generated after the user fills username and password.
https://github.com/sirfilip/todoapi/blob/master/app.rb (the api written in sinatra and sequel)
https://github.com/sirfilip/todoapiclient/blob/master/public/js/angular-todoapi-plugin.js (angular client api service that is used for communication with the api)
TL;DR: Secure your rails API with the doorkeeper gem.
This SO post seems to be the accepted answer when your api and client exist on the same domain.
In the post they outline the angularJS docs http://docs.angularjs.org/api/ng.$http :
Since only JavaScript that runs on your domain could read the cookie,
your server can be assured that the XHR came from JavaScript running
on your domain.
To take advantage of this (CSRF Protection), your server needs to set
a token in a JavaScript readable session cookie called XSRF-TOKEN on
first HTTP GET request. On subsequent non-GET requests the server can
verify that the cookie matches X-XSRF-TOKEN HTTP header
It seems that the security of storing and transferring the XSRF-TOKEN session cookie in this way hinges on having your api and your front-end be in the same domain. Since this is not the case, you may have to implement another form of authorization for any given client session, like OAUTH. I'd recommend taking a look at the doorkeeper gem. The gem will give you the ability to interact with your api as if you were any other client.
New to AngularJS, and trying to hit a web service with basic auth using either $http or $resource. I haven't written any services or directives and basically just trying to do a call in my controller. Initially I prepended my url with the user/pw separated by an '#' symbol and I also have a callback that does a console out on the returned payload. Now I'm trying to change the $http.defaults.headers.common['Authorization'], but I feel like I should be using $resources. Any assistance on how to do basic auth with $resource (or $http) would be greatly appreciated. Thanks.
$resources is a higher level abstraction that utilizes $http, so regardless of which one you choose to use, adding the Authorization header is a valid solution. Head over to the angular $http docs for information on how to do that.
If you're doing anything more than hard coding a user/password into your application, you might want to take a look at response interceptors as a way to catch 401s and have your user log in. I've studied this blog post in the past when I was looking for a way to build fluid authentication into my app. I'd definitely recommend it if you're thinking about going down that path.
I am designing a web api. I need to let the user authenticate themselves. I am a little hesistant to let the user pass in their username/password in cleartext.. something like: api.mysite.com/auth.php?user=x&pass=y
Another option i read about was Base64 encoding the username/password and then sending a HTTP request. So does that mean that on the server side;I would _GET['user'] and _GET['password'] and then somehow decode them?
Is that what twitter does: http://apiwiki.twitter.com/REST+API+Documentation#Authentication ?
Base64 is no protection at all. Use SSL for real security.
As mentioned by truppo, first use SSL.
What many web services do is have an "authenticate" service that returns a token that is then used later, and can be used in plaintext, since it's only valid for a limited amount of time. When it expires, the client simply does another authenticate.
The key benefit of this is that it reduces the number of SSL requests, which lightens the load on the server.
Just this week the IETF published a new draft discussing security properties of the various authentication mechanisms in HTTP. You should find helpful information there.
Personally I'd recommend at least to read about digest authentication and analyze if that's suitable for you.
Using SSL might also be an option. However, it also addresses additional issues at the expense of performance, cachability and others. It keeps the payload data confidential. If this is a requirement, then it's your way to go.
If this is a webservice, you'd better use more secure form of authentication. Look for example, at the LiveJournal protocol: Challenge-Response.
Please do not use regular usename/password authentication for the api. People really shouldn't be forced to put credentials from foreign services in a mashup service.
Please consider using oauth http://oauth.net/ or at least some challenge-response based system, like Eugene suggested.
One easy way would be to let the guest-service generate a token which is connected to his app and a user. If you put in some work you could even make the tokencreation secure to have only allowed foreign services with some private/public-key mechanisms.
The user has to authorize this token in your app before the guest service can use it to get authenticated.
I've found this article eye-opening.
In short: use a pair of API keys per user. One is for client authentication, one for parameters signing.