Using GAE with Python for this project.
I am creating a page with a chart of statistics that updates(refreshes) itself (every 10 sec) using AJAX. It is my first time using AJAX.
What I am thinking is, that I should create a private page that will give the needed information for the statistics chart. Then I simply get the info using AJAX.
Is that the way to go about it? If so how do I make a private page in GAE, I don't want users to be able to go to that page.. Thanks
What are the security concerns for a production quality application?
AJAX is simply Javascript sending HTTP requests. From a server point of view, there is no way to differentiate between user requests and Javascript requests. So there is no such thing as "private page".
You can simply require a login for your private page and your AJAX handler and set the login level to admin. You may require a login for one or more Urls.
Edit
Set login: required, which will require users to login via their Google Accounts, but still all users with Google Accounts will be able to access it. Then in the AJAX handler check if the user is one of the users that you have given access to: https://developers.google.com/appengine/docs/python/users/
Related
I have created an application with Laravel 7 that contains users that can log in.
In parallel, I create a showcase site for the application (another domain) and essentially html/css.
I would like on this showcase site to propose login and registration buttons if there is no user connected to the laravel.Otherwise I would just like to propose a "Dashboard" button if a user is connected to the Laravel application.
How to do that? I confess that I'm a bit lost. Thanks for your help.
You need to create an API on the laravel app which will be used by the "showcase site".
To login and authorize themselves you can use JWT
to keep user data and use it on the showcase site you can either save them in
localstorage (just be careful not to save any sensitive data there as people can take that information in case of XSS vulnerable)
indexdb
cookies
None of these methods are safe. They can be exploited using XSS so i advice on using JWT to secure sensitive data.
I have a progressive web appliacation. on the home page i have a loging modal. If a user logs in the application reloads and now instead of the login button the server renders the user profile. now the problem am experiencing is that when i implemented the pwa, It caches the homepage and everything in it so the new page from the server is not rendered after the user logs in.
My application backend is in Nodejs(REST API) and is use javascript to consume the api but i use ejs to render the pages. How can i solve this?. For now i decided not to cache the homepage where i have the login modal. After doing this i realized the application is now not meeting PWA installation requirements.
You can cache everything in the service worker.
When you need to display different content for an authenticated user vs unauthenticated user you can render that as needed either in the UI code or even in the service worker.
A common example would be to show/hide the login, logout and profile link in the header. This is all doable with a few lines of code as the page is loaded.
These examples are mostly classList.[add|remove|toggle]. The profile might use a simple template and setting the innerHTML of a wrapper.
It is not that complicated in the end, I do this all the time for applications.
It sounds like you shouldn't configure your service worker to cache your normal HTML. Instead, you can use a service worker that will always go to the network when online, and will display custom "Sorry, you're offline" HTML when there's a navigation request that fails.
Here's a live example of following this pattern:
https://googlechrome.github.io/samples/service-worker/custom-offline-page/
Doing this will is sufficient to meet the "add to homescreen" PWA installation requirements.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.
I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.
Is that possible? Is there a better way to do this?
It's possible, but there's a bit "but" :)
Just a couple options to start with:
Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
Use different domains for "normal" site and admin interface
iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.
What language? My answer is based on the assumption that PHP is your chosen language.
Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.
One way you could do it, and again this is assuming that you are using PHP as well as the default session management functions within and you do not have a custom session handler would be to load the iframe url with the ?PHPSESSID=sessionidhere parameter.
A better way to do this is to create your site and authenticate users via a user object of sorts and then add some sort of url parameter such as ?userbrowseid=123
Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwridden with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.
I need to write events to the external database when users logging into SharePoint - username and datetime nothing else.
I use Claims authentication(Windows and forms) and standard login page.
I need to retrieve IIS logs or is there any easier way?
Thanks in advance, Chris
I would create my own login page. There is a good article here that describes how to do this. Include a method in your custom page to override the submit event for the page. You will have to handle the authentication logic, but once the user is authenticated, you can call your external system to log the information.
Note that the custom login page is defined for the entire web application. Any other site collections on this web application will get this same login when authenticating.