I'm making an app which holds sensitive information about the user. This data is held in the store and is used throughout the app, on different views.
The session can expire, with the store being completely cleared if the user tries to navigate to another route after a timeout. However, the store is not cleared until the user navigates to a new route. Let's say the user leaves their machine without logging out. The session times out but the page is still there and the store is yet to be cleared.
Would it be possible for someone else to access information from the store if it hasn't been cleared yet? (e.g. With Chrome dev tools)
The other option I can see is to clear the store on session timeout and somehow keep the current view in place. The idea being that the current view should not break if the session has expired.
Related
I am creating an application with different types of user and each one with its respective login page. The thing is that when the user logs in as 'typeUserA' in my general Redux store, data is saved that is specific to type A users, and in turn, if the user logs in as 'typeUserB' in another tab, this updates the general Redux store with typeUserB information. This way, if I go back to tab 1 and refresh the page, the typeUserA information is replaced by a typeUserB, which is logical since it was updated in the login of typeUserB.
My question regarding this is, is there any way to have multiple isolated stores in relation to the multiple sessions that my application can have active? I mean: in the active session of typeUserA have the typeUserAStore, in the session of typeUserB have the typeUserBStore, so that they are not stepped on. Taking into account that the requirement of the application itself marks that there can be more than one active session in the browser and there could be more than 2 user types (not only A and B).
As i read, there is a way to dynamically add reducers with replaceReducers, but so far I haven't been able to get this to work.
I'm having this problem with my application where it will eventually (unsure of the timeframe, presumably 1 hour) stop updating live with firebase realtime database changes without logging out and back in. The security rules prevent unauthorized users from accessing data. The user will remain logged in and the authentication session persists, so I've been miserably confused as to why it eventually stops updating.
After a painful amount of internet scouring, I've come to find out that the token ID given on login lasts only 1 hour, at which point they are refreshed automatically using the refresh token. (For the record I am logging in with firebase.auth().signInWithEmailAndPassword).
Now, my question - Do I need to resubscribe to my database after the token ID is refreshed? More specifically, do I need to call firebase.database().ref().off() and then subsequently call firebase.database().ref().on() when a token refresh is detected? If not, can you possibly point me in the direction of what might be going wrong?
Edit: It may also be worth noting that if I change my security rules to allow unauthenticated reads, the user is still able to write to the database indefinitely without having to reauthenticate.
Firebase passes the new authentication token to the database automatically. As long as the user remains the same, you don't need to reattach the listeners.
The only moment you might have to reattach is if the user somehow becomes signed out. This may happen when the ID token can't be refreshed, for example because the account has been disabled, or the password has been changed. In that case the existing listeners will be canceled, which will be logged in the client, and the (optional) error callback for on will be invoked. At that point you'll need to reauthenticate and attach new listeners.
I built an app with authentication, and upon navigation to private route, I'm checking in the redux store if user object exist. when reloading the page, obviously the store clears. I thought of persist-state solution with redux-storage , but I see that the data is being stored in the LocalStorage.
is it safe that all data is being shown there? information like user id, name, email, etc..
Thanks
Do not store plaintext values (user name, id, password etc.) in localstorage. Assume the following:
Someone with access to the physical machine: he can either grab the Chrome profile files, containing my localstorage, or he can open Dev Tools in my browser and see stuff he shouldn't.
A malicious browser (or app with a browser control) can gain access, by getting you to browse to the site and copying the values.
Never rely in your app on info you got back from localstorage. Assume someone manipulated it. Crass, imaginary example: if you store my cart total in localstorage, to save time on recalculating it later, assume I changed it to a lower number on the client.
Finally, assume some of your users will use a private tab to browse to your site, at which point you wont be able to utilize localstorage. So why not design to work without it?
I am trying to work on best practise with implementing user authentication via JWTs from my back end server, and although I have it working, I just wanted clarification on something as there are many mixed reviews online.
After my user logs in, a JWT is sent back to my Angular App and then this token is sent back to my server to obtain the user's profile details. Upon success, this JWT is stored in localStorage, a session is created and the user is redirected to the dashboard where they can move around the site freely.
However, when the page is refreshed, I grab the JWT from localStorage and pass it back to the server to obtain the user's profile details again (as I don't store any user data in storage). Although this works, there is a considerable delay whilst the app waits for the user data to be returned and re-creates the session. This is causing my application to show the login screen temporarily (as there is no authenticated user) and causing a very ugly user experience.
My question is what is the best practice around this scenario? Am I going about things the right/wrong way? Should I be storing any user data in storage?
I know there's probably similar questions, however, I can't find anything directly related to logging a user back in with a JWT whilst dealing with the login state.
Wanted to know if there is any way to find when your session is about to expire while using class Ext.data.Session, as the Ext.data.Session does not provide any event. As per the definition of the class it is used to store session information with the server data being loaded.
What I want do in my application is user login session management. That is when a user logs in it starts a session and when the session is about the expire I prompt to the user that your session is about to expire. Any event performed in the application resets the session timeout time.
I have checked this example on Miami code but as per the logic, the session will be tracked from the time of loging in. But wont be updated whenever there is some event in the application. Hence irrespective of user performing any event the user will be promted that his session is about to expire. This not helping me, as I need to reset the timer if the user performs some activity.
Let me know if I am driving the question in the right direction, else will rephrase accordingly.
Well, Ext.data.Session and User Login Session what you need are two entirely different things.
Ext.data.Session manages data stored in various records such a way that it ensures consistency, uniqueness of the data and saving data to the server.
Thus, Ext.data.Session cannot be used for your purpose.