FIDO U2F on a site with changing hostnames/IP addresses - google-chrome

I have a situation, where I want to implement FIDO U2F (using YubiKey) on an administrative interface to a load balancer, so that after login, in order to administer the system - U2F must be used as an extra layer of authentication.
Over the life span of the system - it’s common for the IP address and the hostname used to access it to change (e.g. once it’s https://192.168.0.20/, then it’s https://lb-admin.company.com/, then it’s something else, etc.).
The problem is that a key is being registered against an appId (the URL of the site) and then the appId is encoded in the keyHandle. Is there a way to allow multiple appIds or even remove the appId restriction when you register a key?
In other words - register one YubiKey and then use it from any entry point of the web site or even if the website is accessed using an IP address or a domain that is different from that, with which the key was initially registered?

Yes, you can make a registered U2F key work with different hostnames by using several subdomains... so it can be lb-admin.company.com and lb-login.company.com and whatever.company.com and so on. (Don't use IP.)
In order to do so, your AppId reference should point to an online JSON file that will be processed as a TrustedFacetList.
Real world example... Here is the official GitHub AppID implementing this:
https://github.com/u2f/trusted_facets
All details and rules are described here:
FIDO AppID and Facet Specification (FacetID)
https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-appid-and-facets-ps-20141009.html

Related

Dynamic Subdomain Routing With NextJS

How can the dynamic subdomain routing feature be implemented in NextJS?
Example: if a user comes with username abc on site xyz then he can access his site on abc.xyz.com.
Also, if the user has the abc.com domain then he can point abc.com to abc.xyz.com, so in future if someone opens abc.com then abc.xyz.com is served, and abc.com is also shown in the URL.
I have investigated a few plugins on NPM like vhost and wildcard-subdomains but I am not sure that is the right way to take on this issue.
vhost requires changes to the hosts file on the local system, and wildcard-subdomains solves the issue purely with routing.
For the local system setting I have customized Server.js with code which works temporarily, but it doesn't seem to be a solution which can be used in production:
Server.js
...
if (pathname === "/demo.demo.com") {
app.render(req, res, "/demo.demo.com", query);
}
...
And in _app.js
static async getInitialProps(appArgument) {
...
return {
...
renderFrom: "demo.demo.com"
};
}
Also in my host I have demo.demo.com point to localhost.
The site works for me on demo.demo.com:3000, but how do I generalise it for production scenarios with a database and CNAME records, and add/change CNAME records automatically on user action?
On Vercel (the creators of Next.js), we support Wildcard Domains out of the box. Within Next.js, you then only need to read the Domain from the headers of the incoming request, parse it and then respond with the right content.
I hope that was helpful!
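As an added example (not Vercel's or Next.js's code), here is the "read the domain from the headers, parse it, respond with the right content" step done in a way that does not trust the Host header. The base domain xyz.com, the tenant abc and the custom-domain table are constructed; in production the table would be the database of domains whose CNAME has been verified. The important security point is that Host is attacker-controlled: anything that does not match the wildcard suffix or a verified custom domain gets a 404 rather than a guess.

```javascript
// Added example (not from the original answer): tenant resolution from Host.
// Assumptions: BASE_DOMAIN, the tenant names and CUSTOM_DOMAINS are constructed.
const BASE_DOMAIN = "xyz.com";

// Constructed stand-in for the database of verified custom domains -> tenant.
const CUSTOM_DOMAINS = new Map([["abc.com", "abc"]]);

// Subdomains that are never tenants.
const RESERVED = new Set(["www", "app", "api"]);

// One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Lower-case, strip the port, and reject anything that is not a syntactically
// valid hostname (this also rejects header-injection style garbage).
function normalizeHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
  if (!host || host.length > 253) return null;
  if (!host.split(".").every((label) => LABEL_RE.test(label))) return null;
  return host;
}

function resolveTenant(hostHeader) {
  const host = normalizeHost(hostHeader);
  if (!host) return { tenant: null, reason: "invalid-host" };
  if (host === BASE_DOMAIN) return { tenant: null, reason: "apex" };

  if (host.endsWith("." + BASE_DOMAIN)) {
    const sub = host.slice(0, -(BASE_DOMAIN.length + 1));
    if (sub.includes(".")) return { tenant: null, reason: "nested-subdomain" };
    if (RESERVED.has(sub)) return { tenant: null, reason: "reserved" };
    return { tenant: sub, reason: "subdomain" };
  }

  // Custom domains are matched only against the verified table, never derived.
  if (CUSTOM_DOMAINS.has(host)) {
    return { tenant: CUSTOM_DOMAINS.get(host), reason: "custom-domain" };
  }
  return { tenant: null, reason: "unknown-host" };
}

// Hypothetical custom-server middleware: attach the tenant or refuse the request.
function tenantMiddleware(req, res, next) {
  const resolved = resolveTenant(req.headers.host);
  if (!resolved.tenant) {
    res.statusCode = 404;
    res.end("Unknown site");
    return;
  }
  req.tenant = resolved.tenant; // controllers/pages render content for req.tenant
  next();
}
```

Note that xyz.com.evil.net does not end with ".xyz.com", so a lookalike host falls through to "unknown-host"; the same check is what stops a forged Host header from selecting another tenant's content.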
I just found this blog post https://demo.vercel.pub/platforms-starter-kit, which was published 6 days ago.
It announces https://platformize.co/, a product that does just that.
Multi-tenant applications serve multiple customers across different subdomains/custom domains with a single unified codebase.
For example, this blog is a multi-tenant application:
Subdomain: demo.vercel.pub
Custom domain: platformize.co (maps to demo.vercel.pub)
Build your own: app.vercel.pub
Another example is Hashnode, a popular blogging platform. Each writer has their own unique .hashnode.dev subdomain for their blog:
eda.hashnode.dev
katycodesstuff.hashnode.dev
pit.hashnode.dev
Users can also map custom domains to their .hashnode.dev subdomain:
catalins.tech → pit.hashnode.dev

confused by strange web address especially by "ai" term in start

While shopping online, I came across a website for live customer chat:
https://ai.alimebot.daraz.pk/
Does "ai" at the start of this web address mean artificial intelligence? If yes, why and how? In fact, on that link I chatted with a CSR who was a human being.
ai.alimebot.daraz.pk is a host name. If you are the domain owner you can create any host names and sub domain names that you want, provided you use legal characters for names.
For example, they could have created you-are-not-expected-to-understand-this.ai.alimebot.daraz.pk

How do you work with resource ownership with adonis-acl

How do you manage the owner of a resource when using adonis-acl? In my application the typical pattern is that if you own the resource you have full CRUD over it, but Admins also have Update and Delete control over the resource even though they are not the owners.
Ideally I want to manage this control through middleware rather than having to then re-check the ACL in my Controllers. I'm looking for something like
Route
.get('/users')
.middleware(['auth:jwt', 'is:(administrator)', 'can:read_resource_{SOMEKINDOFID}'])
Currently it seems that the only way I can do this is to set up a permission for every single resource, which for my use case seems unnecessary.
Thanks
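An added example, not adonis-acl's API and not from the question: one ownership-aware middleware that encodes the rule the question describes (owners get full CRUD, administrators get update and delete on anything) so that no per-resource permission has to be created. The middleware signature, the shape of req.user and the in-memory resource store are assumptions standing in for the framework's request context and the database.

```javascript
// Added example (not adonis-acl's code): ownership + admin-role authorization.
// Assumptions: req.user = { id, roles[] }; resources carry an ownerId; routes use :id.

const OWNER_ACTIONS = new Set(["read", "update", "delete"]);
const ADMIN_ACTIONS = new Set(["update", "delete"]); // as described: admins get update/delete

// Pure decision function, so the rule can be unit-tested apart from any framework.
function isAllowed(user, resource, action) {
  if (!user || !resource) return false;
  const isOwner = String(resource.ownerId) === String(user.id);
  const isAdmin = Array.isArray(user.roles) && user.roles.includes("administrator");
  if (isOwner && OWNER_ACTIONS.has(action)) return true;
  if (isAdmin && ADMIN_ACTIONS.has(action)) return true;
  return false; // default deny
}

// Constructed in-memory store standing in for the database.
const RESOURCES = new Map([
  [1, { id: 1, ownerId: 42, title: "alice's document" }],
  [2, { id: 2, ownerId: 7, title: "bob's document" }],
]);
function findResource(id) {
  return RESOURCES.get(Number(id)) || null;
}

// Hypothetical middleware factory: can("update") loads the resource named by the
// route's :id once, decides, and hands the loaded resource on to the controller
// so the controller does not have to re-check the ACL.
function can(action) {
  return function (req, res, next) {
    const resource = findResource(req.params.id);
    if (!resource) {
      res.statusCode = 404;
      return res.end();
    }
    if (!isAllowed(req.user, resource, action)) {
      res.statusCode = 403; // authenticated but not the owner and not an admin
      return res.end();
    }
    req.resource = resource;
    next();
  };
}
```

Returning 404 for a missing resource before the ownership check means an unauthenticated probe cannot distinguish "exists but not yours" from "does not exist" only if both paths are made to look alike; the example keeps them distinct (404 vs 403) for clarity, which is the usual trade-off to decide deliberately.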

Problems with WebSession when executing a WebService (GeneXus)

Here is the problem: I have a KB called APP1 that will execute a WebService of an Identity Provider (which centralizes all the logins/sessions for different applications) that will return true if there is a logged-in user in the current WebSession who has been granted access to the application, or false otherwise. When I create a web panel in the same KB as the Identity Provider, it works just fine: I get TRUE when there's a logged-in user, and FALSE when there's not. But when I call it from APP1 it always returns false. I believe the problem is that the WebSession won't work properly when called through a WS. Any ideas on how to solve it?
My first advice is to try using GAM Single Sign on (X Evolution 3)
WebServices should be Stateless. I think that using the Database instead of WebSession could do the job.
Nonetheless, in order to call a restful WebService you will have to do something more complex as dealing with CookieContainers as stated in the following link.
Consider this solution:
User tries to access App1
There's no web session (App1 doesn't know who is connecting)
App1 redirects User to an IdentityProvider's special login page
If User is not logged, it provides credentials and logs in
IdentityProvider has a session for the user (it knows who is connecting), then it redirects to the referer, appending to the url an encrypted userid parameter.
App1 decodes the parameter, now it knows who is connecting.
App1 saves the userid to the web session, now the user is authenticated
App1 and IdentityProvider must share an encryption key.
Consider that if the encryption key gets compromised or cracked anyone can impersonate another user.
Depending on how secure you want your system to be, you should study other security issues:
every time the user connects its encrypted login is the same and it shows in the URL; it can be easily solved by adding a nonce or salt.
The system could be abused by generating multiple requests until it gets a valid encrypted userid. It can be mitigated using a large salt and/or blocking multiple attempts from the same source.
Note that this isn't a tested protocol and I didn't study the security in depth. I got some inspiration from OpenId, but this is a simplified protocol and I could be missing security holes.

Stream .LRF files via webserver

I've noticed that on the LoLReplays webpage you can now stream live games via their program LoLRecorder. I found this code on their page:
href="lrf://spectator spectator.eu.lol.riotgames.com 2nHvYdkaSjjqC7f+mtHQeIhFcUSQLFu5 488978485 EUN1 3.01.0.1"
And I've tried a little to stream from my own (already recorded) game, but all I get is "unable to find match". My question is: does anyone here know how this works?
Thanks!
TL;DR: You can't stream anything, but you can open LoLReplay in spectator mode for a specific match.
Try reinstalling LoLReplay, seemed to fix the issues that I was having.
The title of your post is somewhat misleading as no streaming actually happens - all that the link does is open LoLReplay on your local machine and pass in the details of the match you want to spectate.
This will only work for matches that are happening now, as it connects in a similar way as the LoL client does when you spectate a match.
Calling LoLReplay from the browser
The links seem to be formatted as follows:
lrf://spectator [Observer IP Address][:Observer Port] [Observer Encryption Key] [Game Id] [Platform Id] [Client Version?]
lrf://spectator tells LoLReplay to open up in spectator mode.
Observer IP Address is required and can either be a hostname or an IP address. The hostname is usually in the format spectator.[eu/na/br/etc.].lol.riotgames.com.
Observer Port is optional, I believe it defaults to 8088 which appears to be the default spectator mode port.
Observer Encryption Key... is a required per-match encryption key.
Game Id is a required, per-match integer id.
Platform Id is a more specific version of the region, I guess relating to how Riot have grouped their servers. For example EUW1.
Client Version, the last field appears to be a version number - I can only assume this is either the version of the client that LoLReplay is using OR the version of the client the players in the match are using.
How to find IP address, encryption key etc.
Edit: you can now grab all the info you need using the official Riot API, you just need the SummonerId of the user you're querying for. See current-game API docs for usage.