How can i have session management in React application? - reactjs

I am new to React.js and have a need to maintain a session of the application... let's say for 3 minutes.
Authentication is done by a third party (Akamai) and I need to have the session management. Can someone guide me on this? Any GitHub code/video? TIA

Typically I would not recommend you manage sessions on the front-end as it's easy to hack.
With JWT (JSON Web Tokens) you create a token on your backend and your front-end just requests the latest token. Inside that token will be info on whether that session is still active (you'd control what is returned).
Find a good JWT guide, set it up, then from React make a simple fetch command to get the JWT, then parse it and boot the user as necessary.
There was a similar question to yours asked earlier in the year, please see below:
What is the best way to manage a user's session in React?

Related

Is there a way for a hacker to abuse my refresh token?

Hi guys, I'm currently building a web app, which is basically a shopping site. Security is one of my major concerns. I'm gonna use JWTs (access token & refresh token).
I'm gonna implement it this way: the server will return both the access token and the refresh token to a logged-in user. And for the front end, I'm using React, so I'm gonna save the access token (short lived) in memory (like React context). I'm thinking about storing the refresh token (long lived) in a cookie, so I'm wondering: is there a way for a hacker to extract the cookie and then use it on some client like Postman to send requests to get an access token, or write some JavaScript to get the access token?
Maybe think of keeping both of these tokens in memory? If you want your user to be still logged in when they come back to your application, you can rely on an SSO session that will log them in seamlessly, instead of using a refresh token in the background.
Have a look at these SPA security best practices. Also, I would recommend not using JWTs as access and refresh tokens, so that no one can read the data that is kept in your JWTs. You can use Token Introspection in your APIs or implement a Phantom Token Approach instead.
Have a look also at this document by W3C which gives some guidelines on security settings you can use for your application.
Your question does not sound stupid at all! It is a great question. There is a way for a hacker to extract the cookie, yes. Cookie stealing is a known security issue.
However, the way to stop this issue is by enabling CORS, which blocks any cross-origin API manipulation. By doing this you create a whitelist enabling your web app's URL.
I would recommend disabling this on your development server to enable localhost for faster development, and then enabling it on production.
Here is some starting documentation on CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Happy coding!

How should I setup auth in a nodejs app?

I am currently developing a small application with a couple of endpoints in nodejs and an angularjs frontend.
At the moment I have an endpoint for users and another one for events. The thing is, I was thinking of making all the GET methods require auth, so that someone that isn't logged in can't access the system, for that I thought of using PassportJS.
Anyways, my question/s would be the following:
What auth strategy should I use? Basic, OAuth or another? Why would that be? I mean, I understand how their flow works, but I don't know why one or another would be appropriate for my app.
Should the endpoints require auth or should it check cookies/token or something else in the session? I'm completely new to this, so I don't even know if this question makes sense.
In any case, I would appreciate any overall insight in the topic since I don't have any experience in developing applications with auth and security.
Thanks!
You have to provide more details about your authentication needs in order for someone to give you a definitive answer to this broad question.
Based on your question, one can assume you don't have any requirements, though, therefore I could suggest JWT (JSON Web Tokens - https://jwt.io/).
There are Node.js libraries that can help you create, decode and verify JWT tokens (such as jsonwebtoken). You can find more details about it on GitHub.
Once someone is logged in, you could pass this generated token back to the client which could store it in the browser's session.
The token can be used in subsequent requests by appending it in the request header.
On the server side, you can add a custom auth middleware to the routes that require authentication, which will verify the token's validity and call the next middleware for the current route.

Securing a React frontend and with Python API using AWS Cognito

I'm considering using AWS Cognito as a user management system for a single page web app I'm building using React along with a Python REST API backend (Pyramid). I'm struggling to see how all the pieces fit together for my architecture (the docs don't seem to be helping me). There are many great examples of how to implement authentication into the frontend using JS. My issue is how to integrate this authentication into my backend REST API.
In my current hand-rolled user management system, the frontend calls the REST API on sign-in and is given a token which is passed to the API again for every subsequent request. I'm then able to use ACLs on my API functions, check permissions to access resources, etc. If I were to use Cognito and perform the authentication on the frontend (as many examples do), how will my backend know if the token is valid when it receives it with a request? Surely I won't have to call Cognito from the backend to verify this for every request? Also, how can I perform checks for information such as 'is this user in the admin group' if that group is defined within Cognito? Again, calling out to Cognito for every request seems very heavyweight and cumbersome.
I did see one example where a list of valid tokens was exported from Cognito as a JSON file and kept on the backend. This seems horribly static when users could be added and removed regularly.
Is Cognito really suitable for my use case? Some high level guidance and pointers to any relevant examples and docs would be greatly appreciated!
When authenticating with Cognito, the user can have 3 tokens:
Refresh
Access
ID
For Python, boto3 can now interface with Cognito. There's also this Python lib wrapper, warrant, to make it easier.
Once you have the token, it is possible to pass it to the API (e.g. the access token) and it can be checked on the server side with python-jose, as per the AWS docs.
To pass the token, an example pyramid /login implementation can keep the information in the session before setting the request response:
request.session['my_token'] = str(a_token)
The default cookie session factory works, though it warns that the token is not sent encrypted.

Use API key between angularJS and Laravel

I'm building an API based application, which uses Laravel as the backend and AngularJS for the front-end.
User authentication between the front-end and the API is relatively straightforward, using JSON Web Tokens (JWT). This tutorial was especially helpful.
But much of my front end app is not user-authenticated, it simply needs to be protected by an API key.
I would like to continue using the JWT approach if possible, but I can't find a single package or guide for securing a front-end application with a simple API key (with no initial user login). I don't want to re-invent the wheel; there must be existing solutions for this common problem.
Does anyone have any experience securing an API-based AngularJS front end for use with a custom API? Are there any packages which exist to do this?
NOTE: I have investigated Auth0, which is great, but it has several problems (the cost, no free support for a custom user DB, no built-in support for a simple API key).
Thanks
The best way I can think of to handle this is to create a new Laravel user for your Angular site.
You will also need a proxy script which contains the site's user credentials. It would reach out to Laravel with those credentials and return the JWT. Then you just call this proxy script from Angular to get your token. The purpose of the proxy script is to be a good way to hide those credentials from users.
This way, you don't need to change anything in your API as it's really just a new user accessing the site. If or when the user needs to elevate his credentials by signing in as himself, you can also continue to use the proxy script and have it replace those default site credentials with the user credentials before grabbing the JWT from Laravel.

Sails.js - authentication both with session and token

I'm building an app with the Sails framework and some parts of it require authentication based on a session (like going to some pages of the app). But I don't have a lot of cases where session-based auth is needed. Most of the app is a single page with Angular connecting to the server in a RESTful way, so there I need token-based auth.
There are not many resources explaining how to do it.
Here it's explained how to do REST-based auth, and here it's explained for session-based auth.
Does anyone know of an example of how to 'merge' both of those methods?