For my firebase web app (using v9 Javascript SDK), whenever a user updates their email, their token expires and they have to log back in. When a token expires, how can I find the reason for it expiring? (e.g. email change, logging out, suspicious activity, etc.) I want to know this so that when the user is redirected to the login page, I can explain to them the reason such as "you have been logged out because your token expired." As of now I have no way of telling whether the token expired from them logging out, or if it was due to an email change. onAuthStateChanged doesn't seem to provide this information since it only provides the User object. I know it's a simple question but I haven't been able to find this answer anywhere. Thanks for any help you can offer :)
Related
how to keep the user always logged in, in a react application.
I can't refresh the token using an expired token, can I ?
My idea is to set the token expiration to null and refresh it on every request for security.
So if the user doesn't use the app for a while, the token will never expire, and on every request the token will be refreshed for security.
It's not secure to do this, because now the token will still be valid as long as there are no new requests from the user. Tokens that never expire extend the time frame for attacks such as cross-site request forgery (CSRF), session hijacking and session fixation. Also, if you want to change this behavior you will need to change it on the backend side, not the React.js side.
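An added example (not code from anyone in this thread) of the middle ground the answer above points at: the session is refreshed on every request, but an idle timeout and an absolute lifetime still bound it. Names, timeouts and the injected `now` clock are assumptions for illustration.

```javascript
// Added example: a sliding session that is renewed on every request but
// still bounded by an idle timeout and an absolute lifetime since login.
// Times are milliseconds; `now` is passed in so the logic is deterministic.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;          // idle window: 15 minutes
const ABSOLUTE_LIFETIME_MS = 8 * 60 * 60 * 1000; // hard cap: 8 hours since login

function createSession(userId, now) {
  return { userId, issuedAt: now, lastSeenAt: now };
}

// Returns a reason string when the session must be rejected, otherwise null.
// The absolute check runs first so a busy (or stolen) session cannot slide past it.
function expiryReason(session, now) {
  if (now - session.issuedAt > ABSOLUTE_LIFETIME_MS) return 'absolute-lifetime';
  if (now - session.lastSeenAt > IDLE_TIMEOUT_MS) return 'idle-timeout';
  return null;
}

// Per-request check: slides the idle window forward on success but never
// moves issuedAt, so the absolute deadline is fixed at login time.
function touchSession(session, now) {
  const reason = expiryReason(session, now);
  if (reason) return { ok: false, reason };
  return { ok: true, session: { ...session, lastSeenAt: now } };
}
```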
I might be misreading your question, but at least just on "how to keep user logged in"
You can do this with localStorage; of course there is a security concern.
Basic idea: the user logs in, the user object returns from the database, and you only need to store the JWT-encoded information that makes a user "look like they are logged in" in localStorage. By that I mean, you aren't going to return the user's password & email every time, and on page refresh, log the user in with those credentials... If you are building a todo-list app, just store the todo-list tasks & username in localStorage after the user logs in for the first time. And then if the user refreshes the page, just display the information from localStorage.
It might be a little bit more tricky because UI is dynamic and you have to change your localStorage to change your UI, but on backend calls that update our user object, we can simply return the new user object and set that as the new user in localStorage.
Best to check this article for code, https://blog.bitsrc.io/build-a-login-auth-app-with-the-mern-stack-part-3-react-components-88190f8db718. The author starts talking it about half way through. I only provided theoretical stuff.
Edit: I really was falling asleep. For the "it might be a little bit tricky" part I was being quite dumb. If you saved the user id in localStorage, you can just make API calls to retrieve the user information with that id whenever you need it; in short, you only need to store the user id in localStorage.
I am aware that there are similar questions to mine, but I would like to know what the correct approach would be for my case.
I am trying to build a web-app using Laravel (for the backend) and React (frontend).
A user can login with his user name and password, whereupon he receives a personal access token. On every login, all tokens for that user that haven't expired yet are deleted and a new one is created.
Now I asked myself where to store this token so that it is not persistent and just lasts for the current session.
If a user logs out, the token is deleted. But what if a user does not manually log out and just closes the browser? The token would still be valid until its expire date, so that would be a problem.
Laravel and React are both on the same server and React is added to Laravel if that changes anything.
I'm just experimenting, but nevertheless I'd like to know how one would do this and hope someone could explain to me how it's done right.
Want to logout from all other session(s) when user logs in other browser.
I am able to delete the PersistedGrants but cookies are still present.
When user refreshes the page a new access_token is generated due to refresh_token.
So basically we want only one concurrent session of user.
Any help would be appreciated.
By default IdSrv persists the user session in a cookie. You can change that by implementing IUserSession and registering it in DI. Doing so you get access to the logged-in clients within one session. Having that knowledge, you can register your custom middleware with the check: when authenticated, i.e. it has an auth cookie, and there is no other session for the same user id, then OK; else handle the collision: the one who logged in earlier logs out. Just an idea, but it should work. See my customization of the DefaultUserSession, backing it to Redis; it was used for another purpose, but should be enough to demonstrate the approach.
I had an issue regarding the logout. Once I am done with my logout, it's not prompting me again to enter the user name and password; why is that?
https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2-vanilla
https://github.com/sharmaritesh/spring-angularjs-oauth2-sample
Is it not the expected behaviour? If so, please suggest what to do when I want to do a complete logout, which means we have to delete the refresh tokens as well, I guess. The reason for not asking for the username and password, in my perspective, is that the refresh token is valid, and once I click the login button it directly redirects me to the greeting page, generating a new access token with the help of the refresh token.
But I would like to do a complete logout, i.e. once the user clicks logout, the user should be able to enter his credentials to get a new refresh token and access token irrespective of the old refresh token's expiration.
I really appreciate your help..!!!!
Thanks
Prince
I would suggest posting all of the relevant HTTP traffic flow between client (browser) and server, both the redirects and "back end" traffic.
So, basically take the approach of knowing little about the actual implementation of the client and server, and just focus on the OAuth2 authorization code flow; it's a protocol after all. Without this we'll be stabbing in the dark.
In terms of an answer, as a guess the client application may be passing a cookie to the authorization server and you're just not seeing it. This is exactly what happened to me with Spring Boot and WSO2 IS 5.1.0.
I'm writing an app that uses Google API to authenticate with G+ account in our app.
Currently the customer wants on logging out not only revoke access token for our application but also log out from Google Account used to authenticate.
The solution I've come with was:
/**
 * Signs the user out.
 */
HeaderCtrl.prototype.signOut = function() {
  // this part revokes the token
  $http.jsonp('https://accounts.google.com/o/oauth2/revoke?token=' +
    accessToken, {
      params: {
        callback: 'JSON_CALLBACK',
        format: 'json'
      }
    }).success(function(response) {
      /* Do stuff on success */
    });
  // this part logs out from the Google account
  $http.jsonp('https://accounts.google.com/logout');
};
The second call works but logs an error on response processing:
Refused to execute script from 'https://accounts.google.com/logout' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
What ways to log out from Google account using AngularJS would you use?
You should not log out your users from Google; they certainly don't want it anyway. Thus, https://accounts.google.com/logout should never be reached.
What you actually want is to make them log out from your website. Revoking the token should be enough on Google authentication's side (your website won't assume the client is logged in from his old token).
Once the signOut method is called, just consider he isn't logged in any more and end the session on your website.
I think you are trying to do many things that are not related to a "normal logout" experience.
Maybe you should talk to your "customer" to clarify the user stories he/she wants.
A normal logout is one line of js (source) :
gapi.auth.signOut();
If I'm not wrong, what you are doing first in your code (i.e. revoking the access token) is something that provides an option to remove the association between the account on your app and the Google account used for sign-in. As indicated in the link, you must provide this option to the user to follow the G+ developer policies, but it's not the same as signing out. Maybe you should try, as a user, these two features on a site providing G+ sign-in, such as Stack Overflow. (Be sure to know your password before revoking the G+ association.)
And for the log out of Google, your app should not do it, and Google should not provide you a way to do it. (And I'd rather think that it's impossible.)
However, you can kindly remind your user, after logout, that he/she may need to log out from Google too. Try to log out from Stack Overflow and look at what happens.