Zend : Block Access via URL - session

I have in my first ZF1 application two controllers : AuthController et ProductController.
My code for the authentication work perfectly by using Zend_Auth.
But the user still can access in the application in the browser without authentication. For example if the user enter :
http://localhost/apptest/public/product/action
he can access directly. Must I use Zend_Session or Zend_Acl to block access if the user is not login?
Thanks.

Zend_Auth is concerned only with authentication and not with authorization. Authentication is loosely defined as determining whether an entity actually is what it purports to be (i.e., identification), based on some set of credentials. Authorization, the process of deciding whether to allow an entity access to, or to perform operations upon, other entities is outside the scope of Zend_Auth. For more information about authorization and access control with Zend Framework, please see Zend_Acl.

Related

Restrict access to All ASP.NET Web API EndPoint except few for a specific Scope

I've an ASP.NET Web API with 100+ endpoints. Authentication is done using Identity Server JWT token. and the Web API is trusting a scope say "User". "User" scope will basically give full access to the user on all the end points. so no Athorization is necessary.
Now, there is a requirement to introduce a new scope say "LimitedAccessUser" which should have rights on just one endpoint. User with "LimitedAccessUser" scope shouldn't be able to call the other endpoints. I really don't want to go to all the other endpoints and force them to have "User" scope which will prevent "LimitedAccessUser" from calling those endpoints.
Is there any better way around this?

Laravel Passport CreateFreshApiToken middleware vs web middleware

If i understand right, the CreateFreshApiToken-middleware uses a cookie-based authentication mechanism (https://laravel.com/docs/8.x/passport#consuming-your-api-with-javascript). Accordingly the use of csrf-protection makes sense.
What exactly is the difference between using the CreateFreshApiToken-middleware or simply accessing my API through the web-middleware, since both seem to be stateful.
In my scenario im working on a laravel-module (https://nwidart.com/laravel-modules/v6/introduction) which is supposed to be a REST-API. This API can only be accessed by authenticated user and also consumes user informations. The main module/platform uses a normal web authentication through a login form. The user informations are stored in the main module/platform.
What would be the best way to implement the REST-API module stateless (based on the authentication) and without interfering with the web-authentication which is used by the main module.
Should i considere making the API not restful?

How to access a secured API in the frontend?

There is a lot of good content on the internet that explains how to secure a Spring API with Keycloak: Create a Client that represents the API Service in Keycloak and use a link like the one below to get the access and refresh token:
<Domain>/auth/realms/<realm>/protocol/openid-connect/auth/{some parameters}
This yields both tokens. So far so good.
Now, however, I am not sure how the flow for the frontend accessing the API should look like.
Should the frontend directly access this endpoint and, therefore, obtain the access and refresh token? That would mean that the API can only have the access-type public because there is no way to store the client (the API) secret securely.
Or should there be a third server that somehow stores the refresh token for each user, that the user can call if his access token is no longer valid. This server would then use the client's refresh token (and the client secret that could be stored securely, since it would be in the backend) to get a new access token from Keycloak and would forward it to the user.
I guess the main question that I am asking is, whether the client/user should get the refresh token.
If one needs to implement a logic according to the second option, I would be interested in a link or description of how something like this can be done in Spring.
I think, in either case you need to use the Authorization Code Flow. The implicit flow, which was recommended for SPAs (frontends without a backend server) in former versions of OAuth2 must not be used anymore.
The best option is to have a backend server, so the user retrieves the auth code via redirection and the backend server exchanges this auth code with the access and refresh tokens (and keep them without forwarding them to the frontend).
If there is no backend in place and your frontend needs to retrieve and hold the tokens directly, I would recommend to use the Authorization Code Flow with a public client and the PKCE extension (which - put simply - ensures that the entity asking for the auth code is the same as the entity asking for the tokens and that the auth code was not stolen and used by a foreign entity). There are several sources with more detailed explanations, which might help you, for example: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce
Hope this helps you with your architectural considerations.

Gin-Gonic Restricting Routes

My webapp has means of abuse, users can access things they're not supposed to, such as 127.0.0.1/users/1 & 127.0.0.1/users/2 & 127.0.0.1/users/3 and so on, within these it reveals the user's registration email, ip, etc (via JSON, so the web server can return customized messages, greetings, and allow users to edit account data within profile settings)
This is what my route looks like:
forum.GET("/users/:user_id", routeFunc(UsersGET))
I'm using Gin-Gonic HTTP framework to create a dummy forum, can someone tell me how to stop users from accessing the /users/ route whilst allowing the actual web server to use freely? and maybe link me to the correct direction. Thanks!
(The server uses it to return things like, Welcome Back, USERNAME).
You need to add authentication and authorization to your server.
Authentication is where a user will prove their identity to you by means of a shared secret (like a password hash) and authorization is where you check if that authenticated user is allowed to take the action they are trying to make.
There are many third party services that might help you with this (e.g. Auth0) where they can handle authentication for you and provide you with libraries for authorization.
Usually people bind authentication into their Gin-Gonic server by means of middleware (e.g. gin-jwt) which is run in front of every http request. Once that middleware authenticates the user, you can add some logic to your handle that states only users can only view themselves.
Hope this helps. Good luck.

Programmatic authentication

I am using Spring Security in my application.
I have all the pages secured. But couple of URL needs to be available both for system user and anonymous user.
But anonymous user should not have direct access to the URLs. He gets a link with unique token and gets access to some URLS if this token is valid.
What I want to do is:
In controller check if token in URL is valid
If it is - authenticate user in the system programmatically using some predefined login and password. This user will be configured to have authority to access necessary URLs.
The question is:
Is this a correct approach to perform user authentication programatically with some roles in controller if token is valid? Is this safe approach?
Security is an aspect. An aspect can be decoupled from your main code (controller) to reduce code duplication and improve flexibility. Move authentication code from controller to new filter (be sure that this filter executed after spring security filter chain). You will be able secure new URLs via web.xml (zero lines of code).
I think the better way to do this is:
move the shared operations into service layer
define a controller for those anonymous user and make its authority
as anonymous
check the validity of token in this controller
if valid, call some services method to perform the operations.
render the result in this controller

Resources