I can't manage to block user creation using FeathersJS.
I want only authenticated users to create a new user.
I've tried a before hook:

    create: [
      auth.verifyToken(),
      auth.hashPassword(),
      gravatar()
    ],

I've tried to use:

    all: [
      auth.verifyToken(),
      auth.populateUser(),
      auth.restrictToAuthenticated()
    ],

but I can still access the signup.html page (I think that is normal because the route is not "blocked") and I can still create a valid new user (which is not normal, I think).
Of course, I'm new to FeathersJS...
What you are doing is correct. The issue is that the user creation from the demo is using a middleware and .create is called from that middleware so the actual call looks like it comes from the server itself. You have two options. Either removing the middleware and moving the new user creation to the client (this is what we will change the new guides to as well) or upgrading to feathers-authentication 1.0 and protecting the endpoint with the new authenticate middleware.
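The effect described in this answer, as an added example that is not part of the original thread and not Feathers' own code: a small stand-in service whose auth hook skips calls that carry no `params.provider`, which is how a call made from server-side middleware looks. The names `makeUserService`, `signupMiddleware` and `externalCreate` and the sample requests are constructed for illustration.

```javascript
// Stand-in for a Feathers service with "before" hooks; not Feathers itself.
// Assumption: as in the legacy auth hooks, a call without params.provider is
// treated as coming from the server and is not checked.
function restrictToAuthenticated() {
  return (hook) => {
    if (!hook.params.provider) return hook; // internal call, skipped
    if (!hook.params.user) throw new Error('NotAuthenticated');
    return hook;
  };
}

function makeUserService(beforeCreate) {
  const users = [];
  return {
    users,
    create(data, params = {}) {
      const hook = { type: 'before', method: 'create', data, params };
      beforeCreate.forEach((fn) => fn(hook));
      users.push(hook.data);
      return hook.data;
    },
  };
}

// Hypothetical signup middleware: calls create() on the server, no provider.
function signupMiddleware(service, body) {
  return service.create({ email: body.email });
}

// What a transport does for a client call: sets provider and the token's user.
function externalCreate(service, body, user) {
  return service.create({ email: body.email }, { provider: 'rest', user });
}

function demo() {
  const service = makeUserService([restrictToAuthenticated()]);
  const results = {};
  // Constructed sample requests.
  results.viaMiddleware = signupMiddleware(service, { email: 'a@example.test' }).email;
  try {
    externalCreate(service, { email: 'b@example.test' }, undefined);
    results.anonymousClient = 'created';
  } catch (err) {
    results.anonymousClient = err.message;
  }
  results.loggedInClient = externalCreate(service, { email: 'c@example.test' }, { id: 1 }).email;
  results.count = service.users.length;
  return results;
}
```

The middleware path creates a user with no credentials at all, while the same request arriving as a client call is rejected unless a user is attached.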
There are websites which create custom sessions for users, giving them a unique link to the exact session the user has created. E.g. it would look something like https://website.com/session/UniqueRandomID. I guess I understand how custom routes in ExpressJS work, but I'm not quite sure how I can allow a user to create those and later allow other users to connect only to those which have already been created.
Is there a common way of doing it and what may I be missing on the topic?
I tried searching the expressJS documentation.
The term "session" has a rather specific meaning in web site development (it refers to data associated with a given browser's visit to a site and is used for things like tracking the logged in state of a user) so I'll use the term "project" in this answer.
When the user creates a project, store all the information about that project in a database. Include, as part of this information, an identifier. You probably want this to be a GUID or similar (there are libraries which will generate these for you) rather than something sequential (like an automatically generated database primary key).
The first page of the React Guide explains routing. Create a route that uses a route parameter for the project ID.
Use that project ID to get the data about the project from your database.
If there isn't any for that ID, return an error.

    app.get('/projects/:projectId', async (req, res) => {
      const projectData = await getProjectData(req.params.projectId);
      if (projectData) {
        return res.render('projectView', projectData);
      }
      res.sendStatus(404);
    });

I'm currently playing around with the Couchbase Sync Gateway and have built a demo app.
What is the intended behavior if a user logs in with the same username on a different device (which has an empty database) or if he deleted the local database?
I'm expecting that all the data from the server should get synced back to the clients.
Is this correct?
My problem is that if I delete the database or log in from a different device, nothing gets synced.
OK, I figured it out and it's exactly how I thought it would be.
If I log in from a different device I get all the data synced automatically.
My problem was the missing sync function. I thought it would use a default and route all documents to the public channel automatically.
I'm now using the following simple sync function:

    "sync": `function (doc, oldDoc) {
      channel('!');
      access('demo#example.com', '*');
    }`

This will simply route all documents to the public channel and grant my demo-user access to it.
I think this shouldn't be used in production but it's a good starting point for playing around.
Now everything is working fine.
Edit: I've now found the missing info:
https://docs.couchbase.com/sync-gateway/current/configuration-properties.html#databases-this_db-sync
If you don't supply a sync function, Sync Gateway uses the following default sync function
...
The channels property is an array of strings that contains the names of the channels to which the document belongs. If you do not include a channels property in a document, the document does not appear in any channels.
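To see what each routing choice does to a document, here is an added example (not from the original post or from Couchbase) that runs sync functions against stubbed `channel` and `access` callbacks and records the result. The harness `runSync`, the per-owner variant with its `owner` field, and the sample documents are constructed assumptions; `channelsPropertySync` models the behaviour the quoted documentation describes.

```javascript
// Stubs for the two Sync Gateway callbacks used on this page; rebound per run.
let channel, access;

// Run a sync function against one document and record what it routed/granted.
function runSync(syncFn, doc) {
  const out = { channels: [], grants: [] };
  channel = (...names) => out.channels.push(...names.flat().filter((n) => n != null));
  access = (user, chans) => out.grants.push({ user, channels: [].concat(chans) });
  syncFn(doc, null);
  return out;
}

// Routing by the document's own channels property (behaviour in the quoted docs).
function channelsPropertySync(doc, oldDoc) {
  channel(doc.channels);
}

// The sync function from the post: everything public, demo user sees all channels.
function publicSync(doc, oldDoc) {
  channel('!');
  access('demo#example.com', '*');
}

// Narrower variant (hypothetical `owner` field): one channel per owner.
function perOwnerSync(doc, oldDoc) {
  const ch = 'user-' + doc.owner;
  channel(ch);
  access(doc.owner, ch);
}

// Constructed sample documents.
const plainDoc = { _id: 'note1', text: 'hello', owner: 'alice' };
const taggedDoc = { _id: 'note2', text: 'hi', owner: 'bob', channels: ['team'] };

function compare() {
  return {
    defaultPlain: runSync(channelsPropertySync, plainDoc).channels,
    defaultTagged: runSync(channelsPropertySync, taggedDoc).channels,
    publicPlain: runSync(publicSync, plainDoc),
    ownerPlain: runSync(perOwnerSync, plainDoc),
  };
}
```

A document without a `channels` property ends up in no channel under property-based routing, which matches the "nothing gets synced" symptom, while the post's function places every document in `!` and grants the demo user `*`.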
I created a permission for my system, and with this extension the others are working fine. As an example, I set a permission for the Page module, then I used the code below:

    if (!\Yii::$app->user->can('page_module')) {
        throw new ForbiddenHttpException("You are not authorized to perform this action.", 403);
    }

and it gives me the restriction. I used these lines of code in the extension controller, and then it was restricted, but it is vulnerable because if I update the extension the code will be removed. And I don't understand how to extend all controllers and set permissions. If there is another way, it's unknown to me.
Once you have set up the mdmsoft/yii2-admin extension, access is denied to all the routes until you grant it. Rather than hard-coding Yii::$app->user->can('permission'), utilize the RBAC, which should be the only reason you installed mdmsoft/yii2-admin.
As Access Setup
Hopefully you're using Yii2's advanced template.
Initially, set up the 'as access' behavior in your frontend/config/main.php:

    'as access' => [
        // This access behavior must be in frontend and backend.
        // The 'as access' behavior will interfere with migrations if put in common.
        'class' => 'mdm\admin\components\AccessControl',
        'allowActions' => [
            'site/*', // Allow by default to all.
            'debug/*',
            //'admin/*', // Leave commented out, unless setting up admin roles initially.
            // Allow guests to do:
            'ticket/ticket/index',
        ]
    ],

Setup RBAC
Go to the admin URL, something like ... app:port/admin
The RBAC hierarchy is like this:
User->Roles->Permissions->Routes
Example
-Joey
--Admin_Role
---- Admin_Permission
-------- app/controller1/*
-------- app/controller2/view
Setup RBAC
First add your routes.
Add your permissions.
Assign routes to your permissions.
Create your roles.
Assign permissions to your roles.
Assign roles to your users.
I made an OnBeforeinitialize hook. I need to place code there which registers a new user if the user doesn't exist in the database.
Which MediaWiki class and functions should be used?
If you need to create users, chances are you are doing something wrong. Users should be created on login/signup (use a PrimaryAuthenticationProvider to tell the system to create them), or when they are authenticated based on request data (use a SessionProvider). There is also User::newSystemUser but it's only meant for scripts.
Even if I don't know what you really want to do, where the data for the user should come from, and why you want to do this in the BeforeInitialize hook (so, in fact, any useful information to really know and understand what you want to achieve is missing; therefore, you'll get an answer to your concrete question without any guarantee that it works as you expect in your use case). However, to create a new user, you can use the createNew function of the User class. You should check if the user is already present in the database.
EDIT:
A usage example:

    $user = User::createNew( 'Testuser', [ 'email' => 'email_from#external_source.com' ] );

I've successfully installed and run the Google Drive Quick Start application called DriveCommandLine. I've also adapted it a little to GET file info for one of the files in my Drive account.
What I would like to do now is save the credentials somehow and re-use them without the user having to visit a web page each time to get an authorization code. I have checked out this page with instructions to Retrieve and Use OAuth 2.0 credentials. In order to use the example class (MyClass), I have modified the line in DriveCommandLine where the Credential object is instantiated:

    Credential credential = MyClass.getCredentials(code, "");

This results in the following exception being thrown:

    java.lang.NullPointerException
        at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:187)
        at com.google.api.client.json.jackson.JacksonFactory.createJsonParser(JacksonFactory.java:84)
        at com.google.api.client.json.JsonFactory.fromInputStream(JsonFactory.java:247)
        at com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets.load(GoogleClientSecrets.java:168)
        at googledrive.MyClass.getFlow(MyClass.java:145)
        at googledrive.MyClass.exchangeCode(MyClass.java:166)
        at googledrive.MyClass.getCredentials(MyClass.java:239)
        at googledrive.DriveCommandLine.<init>(DriveCommandLine.java:56)
        at googledrive.DriveCommandLine.main(DriveCommandLine.java:115)

I've been looking at these APIs (Google Drive and OAuth) for 2 days now and have made very little progress. I'd really appreciate some help with the above error and the problem of getting persistent credentials in general.
This whole structure seems unnecessarily complicated to me. Anybody care to explain why I can't just create a simple Credential object by passing in my Google username and password?
Thanks,
Brian O Carroll, Dublin, Ireland
* Update *
Ok, I've just gotten around the above error and now I have a new one.
The way I got around the first problem was by modifying MyClass.getFlow(). Instead of creating a GoogleClientServices object from a json file, I have used a different version of GoogleAuthorizationCodeFlow.Builder that allows you to enter the client ID and client secret directly as Strings:

    flow = new GoogleAuthorizationCodeFlow.Builder(
            httpTransport, jsonFactory, "<MY CLIENT ID>", "<MY CLIENT SECRET>", SCOPES)
        .setAccessType("offline").setApprovalPrompt("force").build();

The problem I have now is that I get the following error when I try to use flow (GoogleAuthorizationCodeFlow object) to exchange the authorization code for the Credentials object:

    An error occurred: com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
    {
      "error" : "invalid_scope"
    }
    googledrive.MyClass$CodeExchangeException
        at googledrive.MyClass.exchangeCode(MyClass.java:185)
        at googledrive.MyClass.getCredentials(MyClass.java:262)
        at googledrive.DriveCommandLine.<init>(DriveCommandLine.java:56)
        at googledrive.DriveCommandLine.main(DriveCommandLine.java:115)

Is there some other scope I should be using for this? I am currently using the array of scopes provided with MyClass:

    private static final List<String> SCOPES = Arrays.asList(
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile");

Thanks!
I feel your pain. I'm two months in and still getting surprised.
Some of my learnings...
When you request user permissions, specify "offline=true". This will ("sometimes" sic) return a refreshtoken, which is as good as a password with restricted permissions. You can store this and reuse it at any time (until the user revokes it) to fetch an access token.
My feeling is that the Google SDKs are more of a hindrance than a help. One by one, I've stopped using them and now call the REST API directly.
On your last point, you can (just) use the Google clientlogin protocol to access the previous generation of APIs. However this is totally deprecated and will shortly be turned off. OAuth is designed to give fine grained control of authorisation which is intrinsically complex. So although I agree it's complicated, I don't think it's unnecessarily so. We live in a complicated world :-)
Your experiences and mine show that the development community is still in need of a consolidated document and recipes to get this stuff into our rear-view mirrors so we can focus on the task at hand.
Oauth2Scopes is imported as follows:
import com.google.api.services.oauth2.Oauth2Scopes;
You need to have the jar file 'google-api-services-oauth2-v2-rev15-1.8.0-beta.jar' in your class path to access that package. It can be downloaded here.
No, I don't know how to get Credentials without having to visit the authorization URL at least once and copy the code. I've modified MyClass to store and retrieve credentials from a database (in my case, it's a simple table that contains userid, accesstoken and refreshtoken). This way I only have to get the authorization code once and once I get the access/refresh tokens, I can reuse them to make a GoogleCredential object. Here's how I make the GoogleCredential object:

    GoogleCredential credential = new GoogleCredential.Builder().setJsonFactory(jsonFactory)
        .setTransport(httpTransport).setClientSecrets(clientid, clientsecret).build();
    credential.setAccessToken(accessToken);
    credential.setRefreshToken(refreshToken);

Just enter your clientid, clientsecret, accessToken and refreshToken above.
I don't really have a whole lot of time to separate and tidy up my entire code to post it up here but if you're still having problems, let me know and I'll see what I can do. Although, you are effectively asking a blind man for directions. My understanding of this whole system is very sketchy!
Cheers,
Brian
Ok, I've finally solved the second problem above and I'm finally getting a working GoogleCredential object with an access token and a refresh token.
I kept trying to solve the scopes problem by modifying the list of scopes in MyClass (the one that manages credentials). In the end I needed to adjust the scopes in my modified version of DriveCommandLine (the one that's originally used to get an authorization code). I added 2 scopes from Oauth2Scopes:

    GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
            httpTransport, jsonFactory, CLIENT_ID, CLIENT_SECRET,
            Arrays.asList(DriveScopes.DRIVE, Oauth2Scopes.USERINFO_EMAIL, Oauth2Scopes.USERINFO_PROFILE))
        .setAccessType("offline").setApprovalPrompt("force").build();

Adding the scopes for user information allowed me to get the userid later in MyClass. I can now use the userid to store the credentials in a database for re-use (without having to get the user to go to a URL each time). I also set the access type to "offline" as suggested by pinoyyid.