On the Accept.js documentation, either self-hosted or Accept.js hosted form. The ApiLogInKey and ClientPublicKey are required on frontend, either pass into Accept.dispatch function/API call or on the form button as custom attributes. Is it safe to have them on the frontend or is there a way to hide them or move them to the backend?
Related
I'm trying to use the Hosted UI feature with AWS Cognito's User Pool to create a login / signup form for a web application.
I can select certain "standard attributes" for user registration, and those show up on the Hosted UI. For example these attributes...
Show up like this on the Hosted UI...
But if I were to add some custom attributes...
Nothing changes, and the Signup fields and form look exactly like they do in the middle picture. They are basically hidden attributes to that UI.
Is there any way to make those custom fields populate so that a user can fill them in?
Furthermore... These custom attributes don't even show up in the user's information from my User Pool 'Users and groups' area. As you can see, the only attributes showing up are those 'standard attributes'. The custom ones are nowhere to be found.
AWS says that at this moment, unfortunately, it is not possible to show the custom attributes on the Cognito hosted UI sign-up page. Also, the custom attributes cannot be marked as “required”.
As for the second Question. Custom attributes will not be reflected in the Users/Groups area until they are added to the user, which, again, cannot be done through the Hosted UI.
I'm building an eCommerce website for a personal project. It uses React for the front-end and a REST API running on django for the back-end. I want the user to be able to add items to a shopping cart and place an order without the need for an account.
For guest users, using a session/cookie to store info is great, but when it comes to logged in users, I would want to use the database to store items in a cart. That would require creating a user and giving them an auth token so they can perform necessary actions.
So should I use session/cookie authentication or is there a better way to achieve what I want using JWT?
Both approach can work very well. However, I am currently working on something similar and I would personally recommend the simpler option which is the classic session approach. JWT tokens can be harder to maintain and sometimes insecure if not done correctly. Also, JWT tokens will not persists between logins.
In both ways, I don't see why one would be better to create and maintain a cart except maybe that a session system can actually store the complete cart in the session itself. You can then implement sessions controllers at the API level.
ex: GET "https://{host}/api/cart" returns the items in the session's cart.
# Django session
request.session['cart_id'] = cartId
# JWT Tokens
jwt.encode({‘cart_id’: cartId} ...
little note.. It can be harder to setup the sessions if you are working on localhost for react and a remote server for your API. (The cookies are generally set per domain).
I am using JWT, and I think if you are using a database, you can create a generated JWTby user then store it in the database, you can control the availability of your jwt, in parameters, and I find the best way to secure your APIs, is to add the JWT token to the headers.
I would use Cognito authentication and integrate it with react and the backend api. It will help to manage the users outside the application.
If you’ll be hosting your application in AWS, Check out AWS Cognito, it’s an identity and a user pool service. Their free tier is quiet generous. That, together with AWS Amplify which is perfect for React, will give you out-of-the-box auth and user management.
What is the right way to proceed the logout action of the User when using JWT, Rails API and a JS front-end framework, for example Ember JS ? What I'm actually doing is:
use Rails 5.2 as API
use Ember JS 3.3 as front-end
use Ember Simple Auth as OAuth add-on
example app, its master branch, works as needed
example app, its without login branch fails to logout the User
check the presence and pass in a token in every request between Rails API and Ember JS apps.
The questions I have are:
Should I keep a token value in the backend model (User, for example) ?
I need it to make another request in the background on the backend side.
Should I set the token value to nil when the User logs out in the backend ?
What am I doing wrong with ESA as for logout action ?
Actually the token value is kept in a cookie on the client side (see https://github.com/simplabs/ember-simple-auth for more details). I followed their guides and the dummy app they provide.
I also had a discussion on Ember JS Forum and tried to follow some tips and advises, still no success.
Thank you.
This answer applies to Ember 1.13 through at least 3.x.
Authentication comes in so many flavors that I think the right way to do it is whatever is an easy-to-understand fit with the back end.
Since your JWT is in a cookie, let's think of that cookie as the source of truth. Rather than doing something complicated to parse the cookie in a model hook, you could define a Service that has functions to grab the cookie, parse it, and either save the results to values on the service or return the values you need.
This gets you a few benefits. You can get the values from anywhere in your app, including adapters, and all the logic for auth lives in once place. On the other hand, you would have to handle async behavior yourself (i.e. if a route depends on having login info, you will have to manage the order of operations between authentication and route transitions).
Ember Simple Auth is quite popular because of this issue. Although there aren't out of the box features for JWTs in cookies, if you have an app with different states based on logged-in behavior, it might be a good investment to learn it.
The user model is kind of a middle ground between a hand-rolled service and Ember Simple Auth, since you can get the user model and rely on it throughout your app, plus get a little help with async. Just be careful not to scatter your auth code across your whole app.
Lastly, to trigger logout, I would create a function that destroys the cookie by setting the max age/expiration like this. If you are handling auth on a service, this means you could use Router Service and then transitionTo a login page. If you are using Ember Simple Auth, that functionality can go in the invalidate hook of your custom authenticator. Example:
invalidate() {
this._super()
document.cookie = "some_token_name=; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/"
return Promise.resolve();
}
Lastly, for passing the token to authenticate requests, if you are using Ember Data, this can be done easily in the adapter's headers method.
I am implementing role based access control in a Rails 4 app that uses Emberjs. I am planning to use Pundit in the rails code. Which plugins are available for Emberjs?. I am checking ember-simple-auth but can't understand https://github.com/simplabs/ember-simple-auth#authorizers.
--update
I am using devise in rails for authentication and pundit for authorization. Authentication is working in Emberjs. My (rails+emberjs) app depends upon another rails app for data through api. Also, in my current app(rails+emberjs), the current_user(email and role_id) is stored only in session. There is no rails/emberjs model for user. I am using the env variables inside emberjs as
in app/assets/javascripts/app/env.js.coffee.erb
App.ENV =
SOME_APP_URL: "<%= ENV['SOME_APP_URL'] %>"
can i use the above technique to load current_user from session?
Simple-auth is to authenticate and authorize the api for a particular user. It does not deal with user authorizations. You have to deal with that yourself.
Once you dealt with authentication, I suggest you send the pundit authorizations to the client thru the user profile. I use a role based approach, but you can do it without that level.
So each role has pundit authorizations saved in db (I use PG arrays for this) in the form of ":" ("note:update", "note:create" for example). Roles are assigned to users and when the user model is serialized, so are the authorizations.
On the client side (and the backend, do not forget), you need to check those authorizations for each actions and routes.
I am familiar with using django's built-in auth to create a new user that has an email and password, but I would like to create a new user that will only use Twitter to login. From what I can tell, django-social-auth associates the twitter account with an existing Django User object. In my case, there will not be an existing Django User object, as Twitter will be the required method for logging into the site. Should I abandon django's built in auth? Or is there a good way to extend it to do what I want? Thank you for any suggestions.
django-social-auth extends django built-in auth. django-social-auth will create it self a new user whem your Twitter user will be successfully authenticate. You can read about django-social-auth features:
Basic user data population and signaling, to allows custom fields values from providers response.
Multiple social accounts association to single users
Custom User model override if needed (auth.User by default)
Extensible pipeline to handle authentication/association mechanism