I have an existing third-party PHP Web Application (ELGG) that I would like to extend with a Node.js Application. Users are authenticated in the PHP app by checking their provided credentials against a MySQL database.
How can I secure access to the Node.js app without having to rewrite authentication code in Node? Is there some way to allow users to access the Node.js app only if they're logged in to the PHP app?
You could use a DB or some other shared repository to store the users session id, which Node can check to ensure the user is logged in.
I think the best way to approach it would be to have the PHP and the Node applications operate as subdomains of the same root domain, then have the Node application check for the PHP app's auth cookie. This would avoid the extra database call in Irwin's answer.
Once the user logs in to the PHP app, a Cookie with an authentication token is created for phpapp.mydomain.com (*.mydomain.com). The Node application, hosted at nodeapp.mydomain.com, can access the cookie auth token created at phpapp.mydomain.com.
In general, you would make the Node.js app a web service, make it available locally and not publicly, then write PHP code which performs auth, then calls the API provided by Node.js, then constructs a response for the user using that data.
I wrote an Elgg plugin which provide functionnality to access node.js server for websocket. You can check the code here: elgg-nodejs
I just parse the cookie to get session user:
getElggSession = function(socket) {
return socket.handshake.headers.cookie.match(/Elgg=(\S*);?/)[1];
};
Maybe it's not the best method for security...
Related
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
I made an API for PHP which provides data to the Windows 10 UWP app to load data from MySQL. I would like to make sure that only the app has access to that data and people can't just check it out from a browser. Do you guys have any idea how to do it? Can I send a unique id from my app and check if it is real on the back end of the PHP server?
If you do not want to authenticate your users. You could pass the Appid in the header.
string appId = CurrentApp.AppId.ToString();
and only allow gets and posts with information included to use your api. It might be better to use an authentication service like an oath provider. This would be a much more secure way to go. Someone could easily spoof your app if you are not using https to communicate with your backend.
I'm running a laravel app that draws some data from facebook using https://graph.facebook.com/search api. In order to do this, I need to be authenticated as a user. Facebook keeps track of this through an access token. The users of the app aren't authenticated, but rather, an admin of the site authenticates with facebook and then the app uses that persons access-token.
I'm not sure how to save the access token in the app. Currently, I have created a table with a single data-entry in it, but if feels kind of like...not really what tables are meant for. To make things more complicated, I run the app on a service called Pagodabox(similar to Heroku). In pagodabox the app can't write to files, all updates are commited via git, so a config file isn't an option either.
You could make use of Heroku's config/environment variables for this.
heroku config:set FB_ACCESS_TOKEN="abc123etcloremipsum-123456"
And then in your PHP code, you would access this from
$url = "https://graph.facebook.com/search?access_token=" . env('FB_ACCESS_TOKEN');
We have a web app written by a third party in ASP.NET, we don't have access to the source code but do have access to the server it runs on. We now have had a new public website developed for us in PHP and need to add a login to the homepage that will allow users to access out ASP>NET app. Any ideas on the best way this can be achieved? Can we write a custom authentication handler to do this?
So authenticating from PHP by making a POST request to an ASP.NET application? And without having code access? AFAIK you'll be restricted to using HTTP methods rather than anything else to broker the request.
The key is making the POST operation and consuming the response from ASP.NET and passing that to the client-side. I have tried this before but this was using an ASP Classic page with the request being generated from a winforms application. The principal is reasonably easy, POST over the username, password and associated details; then write out the authentication cookies. ASP.NET Forms Authentication will generate at least one cookie whose default name is '.ASPXAUTH', you may also find the session cookie ('ASP.NET_SessionId') depending on how the site handles sessions. One nice way of monitoring things is using Fiddler to see what is passed and returned back and forth.
However, the problem I can envisage is your PHP page will be writing out the cookie for the domain hosting your PHP code and if the two sites are not co-existing in the same primary domain then while you might successfully authenticate, the ASP.NET site will not be able to read cookie created from a different domain. You might be able to get away with the php and ASP.NET servers running in the same sub-domain using the 'enableCrossAppRedirects' but this is something I'm not overly familar with.
Recently I programmed a little app for my android device. As the datastorage for the app, Iam using a mysql database, which can be accessed via different php scipts. So all the app does, is it sends POST requests to the php scripts to communicate to the database.
But now I consider about the security aspect. These php scripts can be accessed by every webclient. So every webclient has the possibility to compromise my database, which is of course not the ideal case.
So I was wondering if there is a way to just allow authorized clients to use these php-webservices?
Does php provide any kind of authentification that can be used by an android client?
Cheers
You simply need to require an authentification when invoquing the service:
simple and dirty: http basic auth, like Twitter used to do
a better solution is OAuth, like Twitter now does
There are of course other possibilities (WS-Security, but you don't seem to use SOAP).
for security, you should prefer to interact through an API to your mysql...isn't it?
A few points:
Use a different port (i.e: not 80 or 8080) for the web access
Add authentication with a username and password. Inside your application, you can get these from a secure config file.
On the server side, you can also do some checking on user agents, IP addresses and maybe even device ids.
This is just a start