I currently have three websites all running from the same DB
example websites:
www.mysite.com
admin.mysite.com
members.mysite.com
now because this all runs from a single DB they all use the same .net Membership tables.
All members are in a role: Member
All Admins are in a role: Admin
So the admins can log into the admin site and access all their admin functions etc, but the members if they tried to log into the admin area are bounced back to the login screen without any message, what I want to happen is to redirect them to the site: members.mysite.com and have them logged in.
As I could send them to a page in the admin site that does a response.redirect('http://members.mysite.com'); but then they have to login again.
So is there any good way to do this, or am I left doing something unsecure and hacky with querystring?
Querystring is fine as long as you use a unique 'one time token' that gets deleted after it's used to perform the login (this is how Google does it).
EDIT - Basic procedure is
Generate a cryptographically secure token
Store token/username combo in database
Redirect to new site with ?token=XXXXXXXXXXXXXXXX
New site sees token, looks up matching username in database and deletes token
Perform login procedure as that user
Related
I am developing a small intranet to serve authenticated-only assets using Laravel 9. I install laravel:breeze in order to include login functionality and it works for users that register using breeze form in /register route.
I have an external database with the current users that I want to use instead of manually registering one by one.
Is there any approach for achieving this?
I have an app which uses another app for the users database. And it sure is using authenticate-by-id feature. Here how it goes:
A user opens MY_APP and is opening login url which prompt him/her to login using Gmail (might be different in your case)
MY_APP receives the Gmail account
Check the existence of the account in MY_APP database: authenticate it if exists, and proceed to the next step if otherwise
MY_APP checks the existence of the account in the USERS_DB_APP through an API
If the account is not exists, the login request will be denied
Otherwise:
Save the user record from USERS_DB_APP to my own MY_APP database
Then proceed authenticate the user using its just-created id
Your actual case might be different from this. But I hope it can gives you an insight to some level.
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
An “Add Link” button is added to the page by JavaScript after the user is authenticated (sign in). The user clicks on the “Add Link” button which opens up a form (implementable by JavaScript) for the user to fill out and submit. When the form is submitted an Ajax request is sent to the server, the server stores the newly added link into a database. How are user privileges implemented in multi-user websites securely? Are they implemented on the client side or on the server side, or a combination of both?
A little of both, but generally speaking more on the server side. A user that authenticates might get a session ID key which they can store locally or else they are tracked by the server (presumably by IP address). That user has some permissions associated with their account in a database on the server. Those permissions are then read when the user attempts to perform a restricted action.
I've got a test MVC site set up, and configured to log users in to it using Facebook's authentication systems. Once users log out of my system, how do I ensure that the right thing happens wrt to the users being logged in to Facebook (ie, they revert to whatever state od logged in they were before visiting my site)?
I'm relying on the FB api wrappers that are available to download through NuGet.
Several of the examples I see include a facebook logout method that can be called through the API, to let FB know that user(s) have logged out of my site, which, I assume, is supposed to "do the right thing". However, the method seems to have been removed from the library (and from the API?).
Is there some other method I should be calling, in order for the "right thing" to happen? Or, alternatively, some sort of workaround that people use?
It sees a bit disingenuous to ask people to access my site with their FB logins, only to have them surreptitiously remain logged in to FB after they've logged out of my site.
Used workaround below (hand crafting a logout URL). Be careful of your url encoding
According to Facebook's developer TOS (item #6), you are required to log the user out of Facebook when the user logs out of your site (and used Facebook to login).
Consider the following use case:
A user accesses your site via a public computer (library) and opt to login (using facebook login) to access restricted features not available to users who are not logged in. The user conducts their business, then logs out. If you do not log them out of Facebook, their account is now available on the public computer, so if a new user uses the public computer after the initial user leaves, the new user could access the initial user's Facebook information.
Not sure about NuGet, but using Facebooks PHP SDK, you simply need to call Facebook's logout function which should generate a url with a next param, and access_token. So when the user clicks the logout link, they will be redirected to Facebook, logged out, then redirected back to your site to complete the logout process.
Example logout link:
https://www.facebook.com/logout.php?next=http%3a%2f%2fextapi.yourhost.com%2flogout&rd=http%3a%2f%2fyourhost.com%2flogout&access_token=AAACRZBIZAGE18BAEyQ8AcmRKGGtmeYlw4MFYjuDHfTlZBSZA3pZAJ5xnKABELBmkOroaxlDsoPgFVHPvvkfZAFRQarCRL0Fhy7UrZCAZAfRFtvwBo4lY4s4X
Explained:
next: This is the link the user will be redirected to after they are logged out of Facebook (this will be the domain you have registered with Facebook)
rd: This is an arbitrary url param so when the user is redirected back to my site, I can redirect them back to another landing page (other than logout page).
access_token: Is the access_token generated by Facebook when you logged the user in