I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
Related
I am working for implementing a spring-boot based shopping application, where a feature exist called ‘add to cart’ for product which works when users is only logged in. Meaning spring-boot back-end creates session when user logged in to make mapping to cart object.
I am trying to implementing a features like real world shopping application like amazon, where product can be added into ‘cart’ even user is not logged in. Then after user log-in user session can be managed / merged with previous non-logged user.
Can some please give me any typical design pattern idea in details or book reference or tutorial link where I can get details idea about such kind of implementation.
If user is anonymous, I would save cart on server and save cart ID in browser using a persistent cookie. When user logs in, server can retrieve the anonymous cart from its ID. Alternatively, you could store full cart in cookie.
I have created an application with Laravel 7 that contains users that can log in.
In parallel, I create a showcase site for the application (another domain) and essentially html/css.
I would like on this showcase site to propose login and registration buttons if there is no user connected to the laravel.Otherwise I would just like to propose a "Dashboard" button if a user is connected to the Laravel application.
How to do that? I confess that I'm a bit lost. Thanks for your help.
You need to create an API on the laravel app which will be used by the "showcase site".
To login and authorize themselves you can use JWT
to keep user data and use it on the showcase site you can either save them in
localstorage (just be careful not to save any sensitive data there as people can take that information in case of XSS vulnerable)
indexdb
cookies
None of these methods are safe. They can be exploited using XSS so i advice on using JWT to secure sensitive data.
We are building a finance app and integration Yodlee in it and we have come to situation where we need user's loging.
Now we have two scenarion,
Ask user to login & use token for API call. But as userSessionToken expires after every 30 minutes, we need to open yodlee login screen.
We can register yodlee user when any user sign-up on our site and use his credential from back-end to get yodlee userSessionToken
Scenario 2 has data protecting issue. Is there any way where we can get new token with a single user login.
Please suggest me if there is any alternative way.
You should use second approach, as you don't want user to register twice.
Once user registers to your site you should internally call register3 API to register that user with Yodlee. There is no data protecting issue, unless you don't have required security standards in place.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm working on a shopping cart and facing an issue with FOSuserBundle registration flow :
My users can add whatever they want to their cart, being or not logged/registered, but before checking out, i want them to login/register.
The main important thing is that I want after login/registration they can get back the same shopping cart they had before. To achieve it, i'm saving into the user session a random key and i'm saving this random key in the database with all articles data.
I hava no problem with the login flow, the session is kept without any change (symfony preserves all session data), so the user retrieves his session, but my problem is with registration.
When the user wants to checkout and have not an account yet, he needs to register, and when the registration is complete (with FosuserBundle, sending an activation link by mail) the user session is completely resetted so the shopping cart is lost but has not really disappeared : Actually, a weird thing i observed is that the browser seems to deal with 2 different sessions at the same time but in 2 separate tabs, in the old browser tab (before registration), data is still here, but in the new tab the session is cleared
So my question is, is there a way to give back a user his session after a successful registration in Symfony2.1 and while using FosUserBundle?
Thank you in advance
My security config file was the cause
I had to set the option session_fixation_strategy to "migrate", that now works perfectly, thanks
Login/Logout is handled by symfony's 2 security component while registration is handled by FosUserBundle.
You can try to override the registration handler https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/overriding_controllers.md and migrate your old session: http://symfony.com/doc/current/components/http_foundation/sessions.html#session-api