Hand off a JWT from Web App to Chrome Extension securely? - google-chrome

Our situation: A Firebase web app does authentication via Twitter, also allows for token-authenticated calls to cloud functions that store data for a given user. We need a way to get information in the context of an arbitrary URL in the browser into that app with the currently logged-in user – much like the Read-It-Later/Pocket extension.
The JWT token via currentUser.getIdToken would be everything we need to authenticate calls from the Extension. Also, having users log in again inside the Extension, even if they're already authenticated inside the Web App isn't the best experience. Is there a secure way to communicate that token from our app domain to the Extension? Thank you!
Edit: We explored the possibility to set the JWT as a cookie and then read that cookie from the Extension. This works, extremely practical and simple. However, that cookie is naturally also susceptible to xss attacks.
Edit: Nice! Setting the cookie to "Secure", "HTTP Only" and "Host only" and accessing it via chrome.cookie still works! The cookie should be fairly secure and immune to scripting attacks now. Or are we missing something?

Related

Log-in to an external site from Gmail Addon

First of all, sorry for my bad English :)
I am building a Gmail addon which integrates file uploading to an external website using their API. The API have an auth endpoint which uses plain authorization flow i.e. takes email and password of a user to authorize and return authorization token. That token is then used in the subsequent call of file uploading process.
My question is, it has been mentioned in gmail addon guide that an app should use oAuth when connecting to a third-party service. However, the related website's API do not have oAuth but use plain authorization flow. If I create a login form with email and password fields using the card service, would that be okay and approved by google to be listed in the addons directory? Creating oAuth on third party service is not in my hands
Thank you!
Q: would that be okay and approved?
My experience is that it is OK to use basic authentication (since a lot of APIs still use basic auth, it would be devastating if the use of API was prohibited), most likely you will be approved. However, if there ever be a version of the API that supports OAuth, please, migrate as soon as possible.
Caveats
You mentioned creating a login form in CardService - please, be aware that there are no "password"-style TextInputs, so all characters will be visible all the time + there isn't, as of yet, any support for input event, so you won't be able to emulate the behaviour easily.
If you are planning on storing the credentials, try to avoid using PropertiesService - it isn't considered a secure storage (though if credentials are to be entered only once, storing the token should be fine).
You will still be asked to implement the authorizationCheckFunction.

Is possible to create a JSON RESTful OAuth2 server?

The part where user needs to enter their creds can also be shown if the client app redirects to a stateless static page alongwith the some params, that belongs to the oauth-server.com domain so that no other app has access to username and pwd.
After POST -ing this form to oauth-server.com, Is there a way to redirect the user back to the client app without the oauth-server redirecting via a browser session? Is there a json restful mechanism to OAUTH2?
So to answer your question, redirect_uri exists for the sole purpose of letting the client app(web, iOS or android) know status of the authentication request.
And OAuth2 server cannot do anything other than redirecting, because where the server will redirect to? (which is what redirect_uri anyways).
Refer the following articles for best practices to redirect data to installed / mobile client app
https://developers.google.com/identity/protocols/OAuth2InstalledApp
specifically this section,
https://developers.google.com/identity/protocols/OAuth2InstalledApp#choosingredirecturi
Hope that helps!

Node.js security

I am building a basic app using node.js and mysql and just getting a hang of it, I would like to secure the api,like only allow certain people to access the data, maybe by passing a certain token each time a user requests for some information, I tried searching for certain tutorials which used node.js and mysql database and security, I am confused as to which security measure to use, I even read about Json Web Tokens but din't find a proper tutorial for that.Please point me in the right direction.
EDIT
What I meant to say was, only authenticated users are allowed to get access to data in the api, when a random visitor tries to access a URL he shouldnt be alowed to without proper authentication,what I am mostly looking for now is when a user is authenticated the user should be a sent a token of some sort so then gets access to private data,I don't exactly know how to go about this whole thing.Would be glad if you could clear it up for me.
I would look at implementing Oauth2 server in your app. I found this article useful:
http://blog.papersapp.com/oauth-server-in-node-js/
No sure what your exact question is about, but I think the below will help:
Node.js security tips: http://blog.risingstack.com/node-js-security-tips/
Secure Express apps with various HTTP headers: https://github.com/helmetjs/helmet
Go on an educational Web security adventure: https://github.com/toolness/security-adventure
Node.js Security presentation: http://www.slideshare.net/d0cent/nodejs-security?qid=c450507b-e491-4e9a-9b05-89d0c82ea10b&v=default&b=&from_search=6
Take a look at http://passportjs.org/ . Passport has support for alot of authentication methods, however, for your API, you will probably want to use OAuth (http://passportjs.org/docs/oauth2-api). OAuth is what most popular APIs use to authenticate consumers.
For simple projects, You can also use basic authentication, which is what you see when you see the browser prompt asking for username and password. This authentication information can be sent in the header when API consumers makes requests.

"client secrets" that aren't & open source

According to the Google Drive documentation, an application needs a so-called "client secret" in order to interact with the Google Drive SDK -- even if, as in the case of a client-side JavaScript app, the code is plain for all to see. (Of course, it's not really that much safer in any other client-side code, it just makes for a bit more work to find the "secret"...)
So, um:
How is it okay to distribute these "secrets" inside applications?
Is there any reason why that logic wouldn't apply to open source computer programs?
BONUS: Wouldn't it make more sense to just use user-based authentication for such apps, without pretending to authenticate the app as being a specific app?
Whilst it's true that a Client Secret is generated for all apps that consume Google services, the Client Secret is never used by a browser/javascript app. Typically a browser-app (I use the phrase "browser-app" instead of "Javascript app" because a server node.js app is also using Javascript) would authenticate and authorize using the gapi library described here https://developers.google.com/api-client-library/javascript/reference/referencedocs#gapiauthauthorize. As you can see, Client Secret is never used.
So, picking out your questions ...
It isn't OK, don't do it, no need, see above.
See 1
You're conflating authenticating the user with authenticating the app. Both are needed, each for different purposes. In the case of a browser app, the authentication is done using a combination of the client ID, verified against the http origin (which the developer has previously declared to Google). Once the app is authenticated, we can then move on to authenticate the user by leveraging the OAuth authorization mechanism in conjunction with an extant Google session.

Box API Login issue

how to make a login call using the Box API methods in my webservice?
I can only see a URL, that redirects to a Box login Page, where user needs to endter username and password, but this I need this as a webservice call.
Does anyone have done it usig API ?
Regards Sathish
You can find the full details here, but in short, you can set a callback URL for your app at http://www.box.com/developers/services that Box will send the authentication token to. You can set up your web service to receive the token there.
The way Box's authentication flow is designed is to prevent the need for users to provide 3rd parties (you in this case) with their credentials. The fact that there is no mechanism to authenticate a user by passing their credentials through a web service call is deliberate, and there is no straightforward work around I'm aware of (especially no such workaround that would be consistent with the terms of use of their API).
http://developers.box.com/get-started/#authenticating
There is a new authentication mechanism they have in the pipeline which will allow you to authenticate to a sandboxed folder for your application using a much simpler process. This is currently in private beta. This might fit the needs of what you are looking for once it is available.
http://developers.box.com/docs/#tokens