1
MEAN login management CS252
2
Last week
We looked at how to secure a LAMP application with a password-based scheme
Hopefully, you have looked at the PHP code and made the changes we agreed upon
Assignment 4 is due November 8th midnight
Have to submit link to working login management system incorporating these features
3
Basic password scheme
Hash function h : strings → strings
Given h(password), hard to find password
No known algorithm better than trial and error
User password stored as h(password)
When user enters password
System computes h(password)
Compares with entry in password file
No passwords stored on disk
4
Password-based authentication for nodeJS applications
Structure of a typical express-node app
bin: contains the binary file that runs the app
models: contains data models as separate js files
routes: contains routing instructions for different landing pages, each as a separate js file
views: different html/template files
public: contains client-side css and javascript
node_modules: contains modules from npm
package.json: lists the modules from npm actually required by the application
app.js: the main application file; includes dependencies and sets up important middleware
5
Adding password authentication to a vanilla node app
Link to tutorial on course website
Comes with an associated github repo
Major conceptual steps
Storing user registration details in database
Comparing user inputs to database entries
Routing users based on authentication success/failure
6
User registration
Add a users model in the models directory
Fields
, needs to be unique and mandatory
Username, likewise
Password
Password confirmation
Export the users model so your login router can use it
7
Routing for user registration
In your routing file, add a POST route for sending input that looks like users to the server

if (req.body. && req.body.username && req.body.password && req.body.passwordConf) {
  var userData = {
    req.body. ,
    username: req.body.username,
    password: req.body.password,
    passwordConf: req.body.passwordConf,
  }
  // use schema.create to insert data into the db
  User.create(userData, function (err, user) {
    if (err) {
      return next(err)
    } else {
      return res.redirect('/profile');
    }
  });
}

What's wrong with this?
8
Have to hash password before storage
Can use npm module bcrypt to do this
Edit the users model file to add a function to hash passwords before storing

var bcrypt = require('bcrypt');

// Mongoose pre-save hook: runs before every save() on a user document
UserSchema.pre('save', function (next) {
  var user = this;
  // Only hash when the password is new or changed; otherwise a later save()
  // (e.g. a profile edit) would hash the stored hash again and lock the user out
  if (!user.isModified('password')) {
    return next();
  }
  // cost factor 10: bcrypt generates a random salt and embeds it in the hash
  bcrypt.hash(user.password, 10, function (err, hash) {
    if (err) {
      return next(err);
    }
    user.password = hash;
    next();
  });
});
9
Logging people in
Two steps needed
Setting up a login route
Setting up sessions for authenticated users
Login route is simple to set up in routing file

router.get('/profile', function (req, res, next) {
  // req.session.userId is set by the POST login route once the user is authenticated
  User.findById(req.session.userId)
    .exec(function (error, user) {
      if (error) {
        return next(error);
      } else {
        if (user === null) {
          var err = new Error('Fail');
          err.status = 400;
          return next(err);
        } else {
          return res.send('<p>Logged in</p>');
        }
      }
    });
});
10
Session management
Express can help – use the prebuilt session package
Add to main app.js file
Store the user ID from mongo in the req.session.userId variable in the POST route, so that all later requests in this session are associated with this user
11
Login authentication
Have to define authentication protocol as part of data model, in users model file

UserSchema.statics.authenticate = function ( , password, callback) {
  User.findOne({ })
    .exec(function (err, user) {
      if (err) {
        return callback(err)
      } else if (!user) {
        var err = new Error('User not found.');
        err.status = 401;
        return callback(err);
      }
      // compare the submitted password against the stored bcrypt hash
      bcrypt.compare(password, user.password, function (err, result) {
        if (err) {
          return callback(err);
        }
        if (result === true) {
          return callback(null, user);
        } else {
          return callback();
        }
      })
    });
}
13
Protecting pages
Define a function that checks for the presence of a valid session and userId in the incoming request, in your routing file
For protecting pages, pass this function as a parameter in the GET request in the router
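The page-protecting function described on this slide and the session step from the previous one, as an added example that is not from the lecture or its tutorial repo. Express and express-session are not loaded; instead a tiny in-memory session store and a stand-in for the router run the handlers, so the (req, res, next) logic can be exercised directly. The session ids, the fake users record and the plaintext comparison in fakeAuthenticate (which stands in for the bcrypt compare of the authenticate method) are constructed for the demo:

```javascript
// Added example: requiresLogin middleware plus a login handler that stores the
// user id in the session. Mocked session store instead of express-session.

// Session store: id -> session data (express-session normally does this)
const sessions = new Map();
let nextSessionId = 1;
function newSession() {
  const id = 'sid' + nextSessionId++;
  const session = { id };
  sessions.set(id, session);
  return session;
}

// Middleware from the slide: let the request through only if the session
// carries a userId, otherwise hand a 401 error to Express's error handler.
function requiresLogin(req, res, next) {
  if (req.session && req.session.userId) {
    return next();
  }
  const err = new Error('You must be logged in to view this page.');
  err.status = 401;
  return next(err);
}

// POST login handler: on success, discard the pre-login session and start a
// fresh one before storing the userId. Rotating the id stops session fixation:
// a session id planted before login never becomes an authenticated session.
function loginHandler(authenticate) {
  return function (req, res, next) {
    const user = authenticate(req.body.username, req.body.password);
    if (!user) {
      const err = new Error('Wrong username or password.');
      err.status = 401;
      return next(err);
    }
    sessions.delete(req.session.id);
    req.session = newSession();
    req.session.userId = user._id;
    return res.redirect('/profile');
  };
}

// Minimal stand-in for Express's router: runs a handler chain for one request
function runRoute(handlers, req) {
  const res = {
    redirectedTo: null, sent: null,
    redirect(url) { this.redirectedTo = url; },
    send(body) { this.sent = body; },
  };
  let error = null;
  let i = 0;
  function next(err) {
    if (err) { error = err; return; }
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  }
  next();
  return { res, error };
}

// Constructed users "database"; plaintext compare only because hashing is a
// separate concern, demonstrated with bcrypt elsewhere in the lecture
const fakeUsers = { alice: { _id: 'u1', username: 'alice', password: 'pw' } };
function fakeAuthenticate(username, password) {
  const u = fakeUsers[username];
  return u && u.password === password ? u : null;
}

const profilePage = (req, res) => res.send('<p>Logged in as ' + req.session.userId + '</p>');

// Walks one visitor through: blocked while anonymous, then logged in
function demo() {
  const req = { session: newSession(), body: {} };
  const blocked = runRoute([requiresLogin, profilePage], req);

  const beforeId = req.session.id;
  req.body = { username: 'alice', password: 'pw' };
  const login = runRoute([loginHandler(fakeAuthenticate)], req);
  const allowed = runRoute([requiresLogin, profilePage], req);
  return {
    blockedStatus: blocked.error && blocked.error.status,
    loginRedirect: login.res.redirectedTo,
    sessionRotated: req.session.id !== beforeId,
    page: allowed.res.sent,
  };
}
```

In a real routing file the same function is used exactly as the slide says: `router.get('/profile', requiresLogin, function (req, res, next) { ... })`, and the 401 error it raises is rendered by the app's error-handling middleware.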
14
Missing from this demo
Password reset
How would you implement it?
Remember the same precautions we discussed last week for security hold here too
Missing rate limits
Protection against XSS attacks
Is this system vulnerable?
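One way to answer the "missing rate limits" question for the login route, as an added example that is not from the lecture or its tutorial repo: a failed-attempt counter per account and per source address with a temporary lockout, written as Express-style middleware but driven here with a fake clock so the behaviour can be checked without a server. The limits (5 failures in 15 minutes, 15-minute lockout) and the sample address are assumptions of the example:

```javascript
// Added example: login rate limiting by failed attempts, with lockout.
const MAX_FAILURES = 5;             // failures allowed inside the window (assumed policy)
const WINDOW_MS = 15 * 60 * 1000;   // failures older than this no longer count
const LOCKOUT_MS = 15 * 60 * 1000;  // how long a key stays locked

function createLoginLimiter(now = Date.now) {
  const attempts = new Map();   // key -> { failures: [timestamps], lockedUntil }

  // Limit per account AND per source address: one address cannot walk through
  // many accounts, and one user cannot be locked out from everywhere by
  // someone else guessing their name from a single address.
  function keysFor(req) {
    return ['user:' + req.body.username, 'ip:' + req.ip];
  }
  function entryFor(key) {
    if (!attempts.has(key)) attempts.set(key, { failures: [], lockedUntil: 0 });
    return attempts.get(key);
  }
  function prune(entry, t) {
    entry.failures = entry.failures.filter(ts => t - ts < WINDOW_MS);
  }

  // Middleware placed before the login handler on the POST route
  function limiter(req, res, next) {
    const t = now();
    for (const key of keysFor(req)) {
      const entry = entryFor(key);
      prune(entry, t);
      if (entry.lockedUntil > t) {
        const err = new Error('Too many login attempts. Try again later.');
        err.status = 429;
        return next(err);
      }
    }
    return next();
  }

  // Called by the login handler once bcrypt.compare has decided
  function reportFailure(req) {
    const t = now();
    for (const key of keysFor(req)) {
      const entry = entryFor(key);
      prune(entry, t);
      entry.failures.push(t);
      if (entry.failures.length >= MAX_FAILURES) {
        entry.lockedUntil = t + LOCKOUT_MS;
        entry.failures = [];
      }
    }
  }
  function reportSuccess(req) {
    for (const key of keysFor(req)) attempts.delete(key);
  }
  return { limiter, reportFailure, reportSuccess };
}

// Runs the limiter for one request; returns the error status or null if allowed
function attempt(lim, req) {
  let status = null;
  lim.limiter(req, {}, err => { if (err) status = err.status; });
  return status;
}

// Five wrong passwords, then the sixth try is refused until the lockout expires
function demo() {
  let clock = 0;
  const lim = createLoginLimiter(() => clock);
  const req = { ip: '203.0.113.7', body: { username: 'alice' } };   // constructed request
  const results = [];
  for (let i = 0; i < MAX_FAILURES; i++) {
    results.push(attempt(lim, req));   // allowed through...
    lim.reportFailure(req);            // ...but each attempt fails
  }
  results.push(attempt(lim, req));     // now locked: 429
  clock += LOCKOUT_MS + 1;
  results.push(attempt(lim, req));     // lockout expired: allowed again
  return results;
}
```

The counters live in process memory here, which is enough for a single-instance course project; an app running on several nodes would keep them in a shared store so an attacker cannot spread attempts across instances.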
15
Third-party authentication
Designing a solid and secure authentication system is hard
All it takes is one forgetful error, and your entire database is compromised
Easier to profit from others' hard work
Third-party authentication systems
Open authorization protocols
16
OAuth 2.0
Use third-party authorization servers to authenticate users who want to use your app
17
Service architecture
You register your app with the third-party authorization service
Client accesses the third-party authorization service with third-party credentials
Third party grants an access token that your app recognizes
No new login credentials needed
18
Next week in lab
We will design a login management system using Passport.js
Conceptually the same as what we've seen today, but with more robust application support
Link to tutorial and corresponding github repo on course website
We will reshape the login management system to log people in using FB/Twitter
Might be the best model for your project apps
19
Logistics
Wednesday batch will go to lab this Saturday (Nov 3rd) in lieu of Nov 7th
Projects should be substantively finished by Nov 10th
Last week of course
We will meet in RM101 on Monday and Wednesday from
Attendance will be taken, as for all lab sessions
Monday batch will demo their apps on Monday
Wednesday batch will demo their apps on Wednesday
No class on 15th November
End sem in DOAA end sem slot (Nov 28th, )
20
App demo logistics
You will make a 5-7 minute video of your app
Point out all salient features and views
Show it in action
Point out pieces of code that were hard to execute
Need not have accompanying commentary
You will have the option to talk over the visuals during the demo
Host the video on YouTube/other web sources and send me the link before the presentation
There will be external examiners, who will be free to ask questions about any aspect of the app to any member of the team
21
End sem pointers
I will try to make it non-trivial
If you have worked on all the assignments yourself, you will have no trouble
If you have looked at others' code, or had stuff explained to you, you will have trouble
Will provide separation for grading
Closed book, closed notes
Likely 90 minute exam