I have a system where SPA(React) and I use JWT auth(Node JS). How should I get the role on the Client side(like admin, operator etc) to understand which UI should be rendered(Admin/operator/client). In JWT Auth I see this example
Can I store my role for an each User in my DB table with pw and login or there is another option?
And how to protect routes for an each role?
Based on this documentation https://jwt.io/introduction/, I think you should add a field in the payload of your jwt, for exemple :
{
role: "admin"
}
{
role: "admin"
}
Okay I got it from doc, but it`s not a question I asked actually
Related
How are you guys , my problem that my flutter app is connected to mysql db , when the user is registered a string with the class name is saved to shared preferences and there is a wall to post some posts on it , is there any way to work with fcm bassed on the shared preferences string ? Like if the user has this string and posted let all users with the same string get notifications i hope i could make it more uderstandable but i dont know how ! Thanks
This sounds like a perfect use-case for using topics to target those messages. Step-wise:
Each device subscribes to the topic based on their class. If they can have multiple classes, they'd subscribe to all topics for those classes.
You then send the message to the correct topic for its class, and FCM will deliver it to all devices subscribed to that topic.
As usual, you will need to perform the actual send operation from a trusted environment, such as your development machine, a server you control, or Cloud Functions.
you will get the token id from the device which you can store to the user table so it will use while giving the notification to every device.
For getting the token :
_firebaseMessaging.getToken().then((String token) {
assert(token != null);
setState(() {
_homeScreenText = "Push Messaging token: $token";
});
print(_homeScreenText);
});
this token variable which you can store to the user table and use it while giving the notification to every device.
I want to add additional validation to allow the login, ie, not just check that the username and password match but do other validations on the user before allowing him to login.
I tried extending JWTTokenAuthenticator but it seems none of its methods are called during the login.
I thought of using a custom "AuthenticationSuccessHandler" but I'm not sure if this is the place I should do this and how could I report from there that the "login" is actually invalid.
Where should I put this logic?
I end up replacing the "login_form" authentication shown on the LexikJWTAuthenticationBundle bundle documentation for a custom guard authentication just for the login, i.e. different than the guard authentication used to validate the JWT tokens.
In the past, I had a similar requirement. Within the alternatives I chose to implement a custom user provider. Symfony documentation on custom user provider creation is more than enough to accomplish the task. Moreover, "Configuring the user provider" section of the LexikJwt documentation explains how to configure lexik_jwt accordingly.
Using feathers-authentication it is possible to authenticate a user using a configurable username field. At the moment, I can configure authentication to use either the username OR email fields of my user model, but I would like to offer both options username AND email to our users.
What would be the best way of doing this?
Apparently, it is possible to concatenate authentication methods so the solution should be something like:
app.configure(auth({ secret: 'super secret' }))
.configure(local()) // defaults usernameField to 'email'
.configure(local({ // support username
name: 'local-username',
usernameField: 'username'
}));
A more complete example can be found on GitHub: https://github.com/jaredhanson/passport-local/pull/148#issuecomment-261506180
When using the Object Storage GE node.js connector implementation from https://github.com/arvidkahl/fiware-object-storage we encounter the problem "no tenants available". We tested with two different community accounts where we first set up an object container within the fiware cloud.
We are able to Receive an Auth Token and get a connection established message, but then we do not get the tenant ID i think. has anyone experienced something like that and can help or give us a better understanding of what is going wrong here?
we installed the fiware-object-storage with npm install fiware-object-storage.
this is our connection code:
var fiwareObjectStorageConfig = {
auth : conf.fiware.auth_url, // IP of the Auth Services, likely "cloud.lab.fi-ware.org"
url : conf.fiware.object_storage_url, // IP of the Object Storage GE -> "cloud.lab.fi-ware.org"
user : conf.fiware.user, // Your FIWARE account email
password : conf.fiware.password, // Your FIWARE account password.. i know.. no comment.
container : conf.fiware.container // Whatever container you want to connect to
};
var fiwareObjectStorage = require('fiware-object-storage');
fios = fiwareObjectStorage(fiwareObjectStorageConfig);
fios.connectToObjectStorage(function() {
console.log(fios.getFileList());
});
This library is a third party library and it is not an official FIWARE implementation.
As you said, there is a problem with this library. I have tested and it needs some fixes. I could not reproduce your error with my account but I have another one while getting file list.
The best option is waiting for their developers to improve that simple library like select Tenant in config file. By now it takes the first tenant on the list.
This is my config file to access Spain2 object store:
fiwareObjectStorageConfig = {
url : '172.32.0.144',
auth : 'cloud.lab.fi-ware.org',
container : 'myContainer',
user : "", // Your FIWARE account email
password : "" // Your FIWARE account password.
};
in my html form there are two fields for password, one password and other confirm password. If the first password field does not match the second password field than do not submit the form to the database.
This is kind of a long shot since I don't know what your code looks like but this is a javascript example of disabling the submit button until passwords match.
var pass1 = document.getElementById('p1');
var pass2 = document.getElementById('p2');
if(pass1.value == pass2.value)
{
document.getElementById("enableButton").disabled = false;
}
else {
document.getElementById("enableButton").disabled = true;
}
Without knowing anything about your code - you should (could) do two things:
Verify that both passwords are the same via JavaScript on client side. That will bring up a better user-experience as you are able to display an error message / disable the form submission when the passwords are not the same. But please consider - many users still have disabled javascript by default, so that can not be the only validation.
Verify that the passwords are the same in PHP / Server-side code. How exactly you would achieve that depends on your scripting languages / architecture.
There are some in-depth discussions out there regarding password / authentication best-practices: this discussion or this cheat-sheet at owasp or this one in the php faq. Please take the security fundamentals mentioned there into account, too.