Get user model from different database - adonis.js

I need to implement JWT authentication for an adonis app, but the user data will be stored on another database and the token generated by an existing API.
From the docs, configuring the database serializer only allows setting the table and field names, which wouldn't work for retrieving user data from a different database.
Is it possible to connect to multiple databases and then specify from which one the user data should be fetched when the JWT is received?

It's possible to change db connection but I don't think it's possible with auth object. I think you need to implement your own JWT validation system.
Here is some information that might help you do so:
Change db connection
Doc: https://adonisjs.com/docs/4.1/database#_multiple_connections
! Only with Database object. Not working with Lucid
await Database.connection('mysql') // Change connection (from your "config/database.js" file)
Get header data from request
Doc: https://adonisjs.com/docs/4.1/request#_headers
var auth = request.header('authorization') // jwt token
Validate JWT
The official documentation does not provide any information on the jwt validation method.
Adonis Auth github repository
Here is the code specific to JWT token : https://github.com/adonisjs/adonis-auth/blob/develop/src/Schemes/Jwt.js
Advanced help
A better answer/help can be provided on :
Official forum : https://forum.adonisjs.com/
Discord : https://discordapp.com/invite/vDcEjq6
or create an issue on GitHub

Related

In django-simple-jwt package, how can I conditionally validate a password against different signing algorithms & secret keys?

My use-case is that I have a legacy backend that has generated tokens using an insecure secret key. I have imported all the user data into a new backend using simple-jwt. The app owner does not want to force existing users to logout and login again to get a new token.
The problem is when an existing user requests a token, their old password cannot be checked because the existing hash because it was created with the secret key from the old backend. So I would like DRF/simple-jwt to first try to validate against the default key/algorithm, and if that fails attempt against the old, insecure secret key/algorithm.
Is this possible? Do I create a new serializer class based on TokenObtainPair and override validate? If so, how exactly would I do this?
Just add the backend to your authentication backend in your Django settings:
AUTHENTICATION_BACKENDS = [
'path.to.first.auth.backend',
'path.to.second.auth.backend',
]
In the docs it says:
Behind the scenes, Django maintains a list of “authentication
backends” that it checks for authentication. When somebody calls
django.contrib.auth.authenticate() – as described in How to log a user
in – Django tries authenticating across all of its authentication
backends. If the first authentication method fails, Django tries the
second one, and so on, until all backends have been attempted.
https://docs.djangoproject.com/en/3.1/topics/auth/customizing/#specifying-authentication-backends

Is saving user's id and login token in local storage a good idea?

I am developing Django + React project and I'm caught with this security approach concerning login and managing views for the logged in user.
I am using django-rest-framework or DRF for my RESTful API. And I'm using django-rest-knox for authenticating user logins since I am implementing Token-based authentication (instead of session-based which uses CSRF).
Question: Is it a good idea to save user's id and token in local storage?
Currently, I have a /auth/login/ API endpoint that handles the backend logic of logging in user and returns JSON response of login details upon successful login (including user id and token).
In my frontend, I use redux and redux-persist so the user's login details are kept even when the site is refreshed. The way redux-persist do it is that it saves the response in local storage. This means that the user id and token can be accessed and changed anytime thru dev tools.
If user will then make a POST request to an API that requires a Token authentication header, the frontend will look into that local storage for the token value to be supplied to the request header.
If user will then make a POST request to an API where the user id is required in the request data, the frontend will also look for the id in the local storage.
Localstorage is not safe, especially for storing tokens and ids. Any user can go to the browser's developer tools, see and also edit its contents, for example.
You could check on Django's sessions, so you can store data securely at server side and keep its contents associated with a specific user. There is a great tutorial at Mozilla that explains sessions in a clearer way than the official documentation.

How can I use an external api to authenticate login instead of Django's inbuilt authentication system?

I am new to Django and working as an intern for a company. I have been tasked with creating an internal software for them to use. The software needs to have a log in system for the employees. However, the company already has an auth api they use for other products. How can I make use of that api to log the users on? I have searched for an answer for a while and I couldn't find one.
The auth api has an endpoint called '/token' which is used to validate the email and password.
I'm guessing I need to remove the 'django.auth' stuff from settings, but I have no more insight into this than that. Any help would greatly be appreciate.
Below is the swaggerhub documentation for an endpoint of the api:
/token:
post:
summary: Generate a new token (aka login)
operationId: createToken
tags:
- authentication
description:
Login using email and password, and retrieve a newly created bearer token to access our APIs.
Alternatively, use a token to create another one.
You need to create an Authentication backend which will check the given to tokens in your existing token database.
See Customizing authentication in Django

Flask JWT Token/ Payload - Return User Json

I understand that Flask JWT gives us the /auth endpoint. Once a user successfully logs in, an access token is assigned and the logged in user can be stored in Flask JWT's current_identity. What I'm wondering is can I also return the User Json back to my client in the same /auth endpoint? Or does it have to be a separate request?
This is for a mobile rest-api, using Flask-Restful. Right now, I have a user log in. The login route (/auth) returns the access token to the client, and then I use the token to get the User Json in a separate request, but I feel like I should be able to condense this into the same request.
Any tips are appreciated :)
IDEA:
Can I create an auth resource via flask-restful and specify exactly what I want it to return? (the token for the server and the user json to the client?)
Flask-JWT has been abandoned for quiet a while now. I would suggest checking out Flask-JWT-Extended instead as an alternative that is still actively maintained (full disclosure, I'm the author of that extension).
In Flask-JWT-Extended you create your own endpoint instead of having the extension create one for you, so you can return whatever data you want there. Here is an example of this in action: http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html

Using Firebase Auth with Django

I want to use firebase authentication for my django webapp. To achieve this, I think would I need to write a custom auth backend - is that right? I don't see any libraries that already do this - django-allauth looks like it comes pretty close as an alternative but I am interested in the phone number verification provided by firebase.
I'm also confused about what happens to the User model and functions like request.user or user.is_authenticated. Right now I use the authenticate and login functions - how does django know that a user is logged in via firebase? Would I still be creating a User model for every user?
Thanks
You can use Firebase Auth with any framework. You don't necessarily need to use custom auth. Typically, you would sign in the user on the client, get the ID token by calling firebase.auth().currentUser.getIdToken() and then pass the ID token to your server, verify it and parse its payload identifying the user ID and its other claims by using the Firebase Admin SDKs and then you can issue a session cookie identifying the user associated with that ID token.
On signout, you would clear that session cookie.
If you also need to persist that user on the backend after setting the session cookie, you can also use the Firebase Admin SDK to lookup a user identified by the user ID or just use the token claims to populate the user without any network call. You can populate that in the user model of associated framework if needed.
For more on session management, you can refer to this django documentation: https://docs.djangoproject.com/en/3.0/topics/http/sessions/