React + Django send raw password in HTTP request, security discussion - reactjs

I am new to Django and I am working on the user authentication part. I used the Django-provided User model, and use the auth() and login() methods when the user logs in.
I have a question about password security and hope to have some discussion here.
The auth() function hashes the raw password and then compares the username and the hashed password. That means the front end needs to send the password as raw data. (Otherwise, it will be hashed twice.)
Is it not safe to send the password as raw data? If I want to hash the password in the frontend and then send the request to Django, what can I do in this case?

It's OK if you pass the password in a POST request.
But for more security, you can encrypt the data ...
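The server-side check the question describes, as an added example that is not part of the question or answer: a standard-library re-implementation of Django's stored pbkdf2_sha256 format (the iteration count is an assumption, chosen below Django's default to keep the demo quick). It shows that authenticate() re-derives the hash with the per-user salt kept on the server, so a digest computed in the browser does not verify; protecting the password in transit is the job of HTTPS, not of client-side hashing.

```python
# Added example, not code from the question or answer: a standard-library
# re-implementation of Django's "pbkdf2_sha256$<iterations>$<salt>$<b64hash>"
# stored-password format, to show what authenticate() compares on the server.
import base64, hashlib, hmac, secrets
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 260_000  # assumption: below Django's current default, to keep the demo fast

def make_password(raw: str, salt: Optional[str] = None, iterations: int = ITERATIONS) -> str:
    """Return the stored form; a fresh random salt is generated unless one is supplied."""
    salt = salt or secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"

def check_password(raw: str, encoded: str) -> bool:
    """Re-hash the submitted password with the salt and iteration count stored
    next to the hash, then compare in constant time. This is why the server
    needs the raw password: the browser does not know the per-user salt."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    return hmac.compare_digest(make_password(raw, salt, int(iterations)), encoded)

def login_attempt(users: Dict[str, str], username: str, submitted: str) -> bool:
    """Login check against a {username: encoded_hash} store. An unknown user still
    costs one PBKDF2 run so response time does not reveal which usernames exist."""
    encoded = users.get(username) or make_password(secrets.token_hex(8))
    return username in users and check_password(submitted, encoded)

# Constructed sample store with one user registered from the raw password.
USERS = {"alice": make_password("correct horse battery staple")}

def demo() -> Dict[str, bool]:
    raw = "correct horse battery staple"
    # What the question proposes: hash in the browser, then POST the digest.
    client_side_hashed = hashlib.sha256(raw.encode()).hexdigest()
    return {
        "raw_password_accepted": login_attempt(USERS, "alice", raw),
        "client_hashed_rejected": not login_attempt(USERS, "alice", client_side_hashed),
        "wrong_password_rejected": not login_attempt(USERS, "alice", "hunter2"),
        "unknown_user_rejected": not login_attempt(USERS, "mallory", raw),
    }
```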

Related

What is the best way to send information about the user to the frontend after and during login?

If I have a system where a user sends his credentials (username + password, for example) to the backend using a POST request, the backend then verifies the info and needs to send information about the user to the application, plus JWT tokens for authorization.
Should I return everything in the response to the login request as JSON? (6-7 objects of information)
Or should I just send the JWT and, after receiving it, send separate requests to get each object containing the needed information?
Also, what is the best way to send a password during login? Should I encrypt it before sending it to the backend during a login if it's in a POST request body?

Firebase Auth, after logging a user from react client, how do I verify user is legitimate within my other api?

I'm trying to use Firebase authentication to sign up and log in users for my React website, but after that, how do I ensure that actions made through my Node.js API (for instance creating/modifying articles) come from that logged-in user? Here's a situation:
User logs in on my website; the firebase.auth().signInWithEmailAndPassword() method is called directly by the client within React (I can't use that method on my API since it asks for the raw password and I don't want to be sending that across the web, though I could save a salt in my DB and hash the password, etc., but the reason I'm using Firebase auth is to avoid having to hash passwords and maintain salts in my DB).
User is confirmed logged in.
User starts to create an article.
They submit the created article; React verifies they are logged in with firebase.auth().onAuthStateChanged().
Article data is sent to my API, for instance POST somehost.com/myapi/article/create/ with the article data in the body.
My API receives the request and saves the article to my database.
The problem I see here is that I don't see a way to send credentials to somehost.com/myapi/article/create/ in order to verify the user before entering the article into my DB, since all signup/login is done within React and Firebase's auth functions don't return anything I can send to my API to verify, so essentially anyone can call that endpoint and flood my database with junk.
I would like to be able to log in the user within React, but then verify the user is legit within my API for all calls the user makes to it before it sends anything to the DB. How can I do this?
If your Firebase client app communicates with a custom backend server, you might need to identify the currently signed-in user on that server. To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
See https://firebase.google.com/docs/auth/admin/verify-id-tokens

Session authentication with cookies in Django not working

I am using Session Authentication for my Django REST API. What I want is to be able to access self.request.user every time an API call is received at any of my endpoints, so I can process user generated content.
From the docs, it seems session authentication stores only session IDs in cookies, but does not send any data beyond that. So, even after I log in, the subsequent requests I send are user-anonymous.
One solution is to send the username and password every time a call is made from the origin, which I think is probably not good practice.
How can I go about persisting user in a session?
You can use JWT Authentication and send the token with every request; this way you can access request.user in your code.

How to do get request from website that is protected?

The site is protected with a username and password. How can I get some data from that page if it is protected? Any suggestions? When I access it I need to enter a username and password to get the content. I own that site and I know the username and password, but it needs to be protected because it's in development mode.
Send an authentication request simulating the login form (using $http) to gain an authenticated session, then request the data as normal.
Try adding the username and password in the request URL like this:
http://username:password@kodex.dev.lapps.ws/
or
you can use a basic Authorization header in your HTTP request.

How to implement NodeJS OAuth2 for an Angular App?

I'm trying to implement the Resource Owner Password flow with a NodeJS API to authenticate my frontend Angular app.
I'm having problems with how to implement the way the user sends his credentials (username and password) to the API. In the flow I know, I'm used to sending these body variables:
Request body:
grant_type: password
username: myusername
password: mypassword
client_id: frontendApp
Note: I don't send the client_secret because it is not important, since it's an Angular app, so everyone can see it, but I created a seed client that represents my frontend client. I also created a flag so that only this client (frontendApp) can authenticate without a client_secret.
When I come to NodeJS, I've been reading some tutorials about how to implement this flow in my API, and I notice that my knowledge of how the authentication flow must occur maybe is not the pattern.
I picked these tools to start building the security of the API: passport.js and oauth2orize.
According to the tutorials I need to protect the token endpoint. I didn't catch the idea of why, because the user will access it just to authenticate, with grant_type: password or grant_type: refresh_token, so he'll have to send me credentials like username and password in the first case or the refresh token in the second, so why do I need to use passport.js with the Basic and Client Password strategies?
Talking about the Basic and Client Password strategies... Again, according to the tutorials I should implement both, because the Basic strategy authenticates by header and the Client Password strategy by body content. Here I see some ugly things.
Like I mentioned, I don't see reasons to protect the token endpoint; maybe I'm wrong, maybe there is some security problem that I didn't notice.
Another thing is that the Basic strategy and the Client Password strategy have different contexts: the first receives username and password and the second client_id and client_secret. When I want to get the access and refresh token for the first time I must send all these things:
Request body:
grant_type: password
username: myusername
password: mypassword
client_id: frontendApp
client_secret: clientsecret
(or with the authentication in the header)
I wouldn't like to send the client_secret, or really even the client_id, but the client password strategy library makes me, and it is something very useless, because everyone can look at my frontend code where it is stored; because of that I think it is not necessary to protect the token endpoint.
I'd like to send only the username and password; if the user is sending only username and password I already know that it is a frontend client trying to authenticate. I found an explanation of how Resource Owner Password should work, and it shows an example request:
https://oauth.example.com/token?grant_type=password&username=USERNAME&password=PASSWORD&client_id=CLIENT_ID
It shows something like my older ASP.NET app, using username, password and client_id.
Does someone know if I should care about it or if I can build it my own way, because the NodeJS implementations are not following the way I know?
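As an added example (not the asker's code and not passport.js or oauth2orize), a token endpoint for the grant described above, written as a plain Python function: it treats frontendApp as a public client identified by client_id alone and demands a client_secret only from a confidential client, which is the distinction the question is circling. The client registry, user store and secret values are constructed for the demo, and only grant_type=password is handled.

```python
# Added example, not the asker's code and not passport.js/oauth2orize: a token
# endpoint for the Resource Owner Password grant written as a plain function so
# it runs stand-alone. The client registry, user store and secrets are constructed.
import hashlib, hmac, secrets
from typing import Dict, Optional, Tuple

# Public clients (browser/Angular apps) cannot keep a secret, so the endpoint
# only identifies them by client_id; confidential clients must prove a secret.
CLIENTS = {
    "frontendApp": {"public": True, "secret": None},
    "reportingJob": {"public": False, "secret": "constructed-server-side-secret"},
}

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# {username: (salt, derived_key)}; the demo user is registered from its raw password.
_SALT = secrets.token_bytes(16)
USERS = {"myusername": (_SALT, _pbkdf2("mypassword", _SALT))}

def authenticate_client(body: Dict[str, str]) -> Optional[str]:
    """Return the client_id if the request comes from a registered client."""
    client = CLIENTS.get(body.get("client_id", ""))
    if client is None:
        return None
    if client["public"]:
        return body["client_id"]  # identification only; no secret is expected
    presented = body.get("client_secret", "").encode()
    return body["client_id"] if hmac.compare_digest(presented, client["secret"].encode()) else None

def verify_user(username: str, password: str) -> bool:
    salt, key = USERS.get(username, (b"", b""))  # unknown user still pays one PBKDF2
    return hmac.compare_digest(_pbkdf2(password, salt), key)

def token_endpoint(body: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
    """Handle POST /token for grant_type=password; error names follow RFC 6749."""
    if body.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if authenticate_client(body) is None:
        return 401, {"error": "invalid_client"}
    if "username" not in body or "password" not in body:
        return 400, {"error": "invalid_request"}
    if not verify_user(body["username"], body["password"]):
        return 400, {"error": "invalid_grant"}
    # client_id still matters for a public client: it selects which policy
    # (allowed grants, scopes, token lifetimes) the issued token falls under.
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}
```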
