I am developing a family of utility apps where each app could be available on desktop, mobile and the web. After some research I decided to go with pouchdb on the client and couchdb on the server to provide offline sync.
A user would be able to create an account on the web (A Laravel Spark app) to manage their app subscriptions/payments and also access the web versions of the apps. On mobile and desktop the user would sign into each app using their credentials to unlock functionality.
I am planning on taking a database per user approach in couchdb with filtered replication (based on the app the files belong to). The basic requirement is for the user can sign in once in the apps and then securely replicate to couchdb forevermore (until sign out).
What would be the best approach to take for authentication with couchdb given the use case outlined below?
Proxy all requests via Laravel for authentication
On account creation in the Laravel app create a couchdb user with a randomly generated password and when the user signs in on the app return this password authenticate future requests (are there limits on the number of users created)?
Use the Laravel app as an oauth server and make requests to couchdb direct using an oauth token.
Something else?
In the end I found the best approach to proxy all requests to CouchDB through Laravel, utilising the Passport package for API authentication.
To do this I hooked into the Spark::createUsersWith() function in the SparkServiceProvider to set up a CouchDB database on user registration via the following steps:
Generate a couchdb specific username and save it in the user record.
Create a couchdb database with the same name as that generated in step 1.
Add a design document to the database with a filter for app specific syncing.
Add a security document to only allow read/writes from the database owner (created in subsequent step).
Create a CouchDB user with the username generated in step 1.
The user can then log into the app using their username and password to receive an OAuth2 password grant token.
All syncing requests are then made with the auth token to my sync proxy controller detailed in this gist.
To save a search PouchDB can be set up to send the OAuth token automatically as follows:
this._remoteDB = new PouchDB(url, {
ajax : {
headers : {
"Authorization" : "Bearer " + localStorage.getItem("token")
}
}
});
Related
I'm working on a web application that uses OpenId authentication. Let's assume that the application essentially serves to store metadata and its associated files (docx, pdf). The Web Application is for internal use and is not exposed to public network, only users of the organization have access.
Recently, a requirement has arisen to be able to share files with users external to the organization. External users will use a PORTAL (third-party application) which, through a URL generated by the Web Application that points to the PORTAL, will have access to the file. This PORTAL uses OpenId authentication and invokes a Web Application API to retrieve the file.
Initially, the proposed solution was:
Web Application - Send EMAIL to the external user and create a user in Keycloak with Email to authenticate later on the PORTAL (Is this really necessary?! Biggest doubt).
The external user accesses the PORTAL with the URL received and authenticates with the user created by the Web Application on Keycloak.
Once authenticated on PORTAL, a WebApplication API is invoked to obtain the file.
The main question is whether the Web Application should manage the creation/editing/deleting of external users on Keycloak. Does the Web Application need to create users in Keycloak? Is there another way to accomplish this without compromising security?
Thanks in advance.
To share a file with restricted access, there are two approaches:
Open access with signed links: Create a signed URL using a web API and share it with external users. The link can be a static URL with an encrypted key, or a JWT signed token in base64 form generated by the web API. When the portal receives a request, it checks the validity of the token, retrieves the file location from the token, and allows access.
Email-restricted access: If you want to guarantee access only to the person with email xxx#abc.com, you'll need to use a challenge, which is typically a login. You can either create users on the fly after login (if the external users come from a partner with OIDC capability), or pre-create the users if this is not the case.
Note: You cannot rely solely on a URL with an email claim as proof of access, as the link may have been forwarded to someone else.
I'm working on a Laravel site where users could connect their Google account and manage their Google calendars directly from within the site. I found https://github.com/spatie/laravel-google-calendar but I'm not sure that it really meets my needs.
That package doesn't seem to follow the authentication flow (OAuth 2) I'm used to with other APIs. It uses service accounts and stores credentials in JSON files where I usually save access and refresh tokens in my users table.
So am I missing something or is that package not made for that kind of site ?
I have API backend and it will be consumed by different consumers like our own company website and even other website can use our API with certain quota/limitation and for this scope management we will be using express-gateway(eg), however this is not the only reason I am using express-gateway(eg). Now coming to my problem/miss-understanding, for our own website we can create api-key and user credentials using eg command. But for the other user who wishes to use our api, I don’t want them to contact me for this integration, rather they should be able to create a user credentials and API key themselves using some facility (let us call it key management) provided by us. Here I am stuck how to give a web platform or any other mechanism where a user can create account and then create api-key for their own website. I was thinking to extend the express-gateway app itself and create page where a website owner can fill the form with various input field that will serve as parameter for eg command and I can trigger eg command in node console and create credentials and save it in redis database and then fetch those information to show it to user as their use rid and api-key. But I want to know the best way how others are doing, like how google, twitter and many more are allowing to create api-key, delete key and regenerate the api-key on compromise. Some suggestion would be to use third party tool to manage user-credentials, I will have little inertia to accept that, even if I do so how will I hook those third-party solution to my express-gateway.
In general, API gateways and authentication servers are independent, or at least loosely-coupled. The typical workflow is:
A user browses to the Create Account page for a service.
The user creates an account with the authentication server
The user makes a request through the API gateway
The API gateway checks with the authentication server whether the operation is allowed, discarding it if the user is not authorized to perform the requested action
The API gateway dispatches the request to the appropriate server
The receiving server checks whether the user is permitted to perform the action (in case the API gateway has been compromised)
Express Gateway includes its own authentication server for convenience, but the steps are basically the same. The difference is that one uses the Express Gateway Admin API to create the user and credentials rather than going to a different server.
Note that Express Gateway and its default account database (reddis) are not persistent out of the box.
I've found plenty of information on implementing Oauth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a gmail inbox for attachments transforms them, and exports to prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config or any other for that matter to retrieve a token without involving a manual user step.
Will doing this in Go require writing direct API calls since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?
First off i understand what you are trying to do.
You have a backend system running in a container which will access a single gmail account and process the emails.
Now you need to understand the limitations of the API you are working with.
There are two types of authorization used to access private user data
service account - server to server interaction only works with workspace domains. No authorization popup required.
Oauth2 - authorize normal user gmail accounts, requires user interaction to authorize the consent screen
If you do not have a workspace account and this is a normal gmail user then you have no choice you must use Oauth2, which will require that a user authorize the application at least once.
Using Oauth2 you can request offline access and receive a refresh token which you can use to request new access tokens when ever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must in production and verified. This means you need to go though Googles verification process with a restricted gmail scope which requires third party security check and costs between 15k - 75k depending upon your application.
I understand that this is a single user system but that does not mean that you still need to go though verification. When google added the need for application verification they did not take into account single user systems like yours.
Option
Have you considered going directly though the SMPT server instead of using the Gmail api? If you use an apps password you should bypass everything by loging in using the login and the apps password.
I want to build a web application in Go. I'm using Google App Engine for deployment combined with Identity Aware Proxy (IAP) to authenticate user access.
I want to know how to access the authentication to get the user email, which I can link to app data stored in a back end database. Essentially I want to avoid my users logging in and then having to authenticate again to get their profiles from the back end.
I have looked into the IAP documentation and I can see it uses JWT Headers and that is where my knowledge lacks. My guess would be a link to the incoming request which accesses those headers to get the email.