I am using Friend library. I need to provide a request handler that will return user roles (and possibly some other metadata) for currently logged in user.
I've added a simple request handler:
(GET "/userInfo.do" request
(friend/identity request))
But this basically returns nil.
What is the proper way of fetching user session data?
This worked:
(GET "/userInfo.do" request
(json/write-str (friend/current-authentication)))
Related
Situation: There is a dynamo DB containing a column with the username, one with a unique ID, and the data for each post submitted via an Angular frontend (REST) that triggers the lambda function over AWS API gateway.
Angular frontend --> AWS API Gateway (authenticate) --> Lambda function (write to) --> DynamoDB
Challenge: While only allowing authenticated requests to the API there are not user details (only the token)
'identity': {'cognitoIdentityPoolId': None, 'accountId': None, 'cognitoIdentityId': None, 'caller': None}
according to the AWS documentation, there is no way to obtain the user who has triggered the lambda function. Therefore currently I have to rely on the value provided via Angular (which can be manipulated)
I want to ensure that no evil user alters the username (provided by the frontend) by submitting HTTP posts with postman or another tool and therefore overrides or creates entries on behalf of another user. Or any other idea, how to create records in a table (via lambda) in a way that the primary key goes to a particular user, while preventing other authenticated users to submit requests on his behalf
It turns out, that the amplify SignUp API generates a persistent UUID for a user, and uses it as the immutable username attribute internally. This UUID has the same value as the sub claim in the user identity token.
Therefore I am now using:
let userID = (await Auth.currentUserInfo()).attributes.sub;
in the frontend, as the UUID is not predictable, and require the ID for all reads and writes.
See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes.html
I understand that Flask JWT gives us the /auth endpoint. Once a user successfully logs in, an access token is assigned and the logged in user can be stored in Flask JWT's current_identity. What I'm wondering is can I also return the User Json back to my client in the same /auth endpoint? Or does it have to be a separate request?
This is for a mobile rest-api, using Flask-Restful. Right now, I have a user log in. The login route (/auth) returns the access token to the client, and then I use the token to get the User Json in a separate request, but I feel like I should be able to condense this into the same request.
Any tips are appreciated :)
IDEA:
Can I create an auth resource via flask-restful and specify exactly what I want it to return? (the token for the server and the user json to the client?)
Flask-JWT has been abandoned for quiet a while now. I would suggest checking out Flask-JWT-Extended instead as an alternative that is still actively maintained (full disclosure, I'm the author of that extension).
In Flask-JWT-Extended you create your own endpoint instead of having the extension create one for you, so you can return whatever data you want there. Here is an example of this in action: http://flask-jwt-extended.readthedocs.io/en/latest/basic_usage.html
I have created a REST web-service using springboot. It has users resoruce for below urls
/users => get the users in system.(GET)
/adduser => Post a new user.(POST)
/addFriend/{friendID} => this method is to add the friendID into the current logged-in friend(the user resource has friend list) now my doubt its Its a POST request of a GET request. Currently GET method has solved my problem. But I am not sure about the correct method which is right one logically.
No, Restful API targets resources and does not contain actions in the URI.
Example:
GET /users
=> get user list
GET /users/:userid
=> get info of a user via userid
POST /users
=> create a new user
DELETE /users/:userid
=> delete a user via userid
POST /users/:userid/friends
=>create a friendship and you can send body include ID of another user.(JSON/XML)
GET /users/:userid/friends/:friendid
=> check friend between two user maybe return friendshipID or true/false
It is a POST Request.
According to Wikipedia:
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.
and
The POST method requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.
I am trying to make a basic auth for an API in Clojure with friend.
Here is the login request :
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'user=myuser%40email.com&pass=super-secret-password' http://localhost:3000/login/
I am using compojure as well, but I'm not sure how to reuse the linked example. Here are the parts that I don't know how to change :
How do I replace the username/password fields with user/pass fields like in my curl request ? I am able to extract them from the raw request, but I don't know how to pass it to Friend (do I need to change the credential-fn?).
Replace the user atom with data from the database. I have a auth [email password] that returns true or false (fetching from the database and using bcrypt). I can also fetch the user role from the database. How do I use the database (specifically I use mongo/monger) instead of the user atom ?
You can provide a totally different credential-fn, or stick to the demo where credential-fn is implemented using cemerick.friend.credentials/bcrypt-credential-fn. Read the doc of bcrypt-credential-fn at https://github.com/cemerick/friend/blob/master/src/cemerick/friend/credentials.clj, it is quite long. It expects a load-credentials-fn that loads a user given a username string, then checks if the password matches. In the demo, the load-credentials-fn is a map in the users atom, but if you have a database you would want to provide a different load-credentials-fn function that would lookup the database, you don't want to load your users table in the map in the atom.
In this Django code I inherited there is a check for request.user.is_authenticated().
How do I set this authenticated attribute for a user, in particular when I am doing a registration through AJAX JSON?
To log a user in, you should django.contrib.auth.login - see the docs here: https://docs.djangoproject.com/en/1.5/topics/auth/default/#auth-web-requests
Note, though, that you should authenticate the user (i.e. check their credentials) before you do so, with django.contrib.auth.authenticate - same docs as above.
This is regardless of whether you're using AJAX or not - this code has to be in a view somewhere that gets called in order for the user to get logged in. Whether that view is called via AJAX or not is irrelevant.
The only user this will return false for is AnonymousUser; all other users have it return true via their superclass. Therefore all you need to do is authenticate the user normally.