MySQL
Danil, 2014-12-23 09:39:27

How to properly organize authorization in node.js?

At the moment I did this: I send a GET request with the login and password.

var data = {
    'username': username,
    'password': password
};

$.ajax({
    type: "GET",
    url: 'login',
    data: data,
    // success must be a callback; the original called console.log immediately
    success: function () { console.log('response success'); }
});

On the server I accept and check with the database:
var express = require('express');
var mysql = require('mysql');
var router = express.Router();

router.get('/', function(req, res) {

    var connection = mysql.createConnection({
        host     : 'localhost',
        user     : 'user',
        password : 'password',
        database : 'database'
    });

    connection.connect();

    var username = req.query.username,
        password = req.query.password;

    // The login is concatenated straight into the SQL text and the stored password
    // is compared in plaintext; this is exactly the behaviour the question is about.
    connection.query('SELECT password FROM `users` WHERE login = "' + username + '"', function(err, rows, fields) {
        if (err) throw err;
        else if (rows.length > 0 && password == rows[0].password) {
            console.log('Hello');
        } else {
            console.log('Go away!');
        }
        res.end();   // respond only after the check has actually run
    });

    connection.end();
});

module.exports = router;

But this approach is all very wrong and not safe. How do I make secure authorization with sessions? What is the general principle of how they work? Is it possible to get a ready-made example of the form: data is sent -> a session is received, and then you check something like if (registered) { ... }?


5 answer(s)
Emil Revencu, 2015-01-05
@Veneomin

1. First, make a simple request (without authorization) to receive an arbitrary code (we generate a random key on the server and return it).
2. Encode the received key (code) on the client via SHA256(code + username + password).
3. Make an authorization request by sending the encrypted code.
4. On the server, we check the combination SHA256(key + USER field + PASSWORD field) against the database. If found - voilà! - and kill the key.
Thus, a new code for authorization will always be sent and sniffers will not catch your data.

Rikcon, 2014-12-23
@Rikcon

passportjs.org

icetomcat, 2014-12-23
@kostia256

It should be understood that the principle of authorization is the same everywhere.
1. Identification (checking the existence of the user by login)
2. Authentication (checking the password)
3. Authorization (checking access rights)
Save enough information about the user in the session to skip steps 1 and 2 and go straight to step 3. Accordingly, when the session dies you need to repeat all the steps.

Ivan, 2014-12-23
@LiguidCool

And yes, https is used so that the password does not leak to third parties.

haiku, 2014-12-23
@haiku

1) Cookie + session
2) OAuth is possible
And are you sure that the SQL query written by hand in the code is protected from SQL injection attacks?
var username = req.query.username - that is somehow not very good; anything can come from the front end, e.g. username='; DROP TABLE users' or the like.
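To make haiku's point concrete, here is the question's concatenated query next to the parameterized form, as an added example that is not code from the thread. `escapeValue` and `statementCount` are my own small helpers for illustration and are not the mysql driver; with the driver you pass the value as the second argument of `query` and let it do the quoting. The hostile login string is constructed, adapted to the double quotes the question's query uses.

```javascript
// Added example, not code from the thread: the question's concatenated query next to
// the parameterized form. escapeValue and statementCount are my own helpers for
// illustration, not the mysql driver.
function unsafeQuery(username) {
  // The question's approach: user input becomes part of the SQL text itself.
  return 'SELECT password FROM `users` WHERE login = "' + username + '"';
}

// Parameterized form: the SQL text is fixed and the value travels separately.
// With the mysql package:  connection.query(q.sql, q.values, callback)
function parameterizedQuery(username) {
  return { sql: 'SELECT password FROM `users` WHERE login = ?', values: [username] };
}

// Roughly what the driver does to a value bound to a `?`: escape every character
// that could terminate the string literal, then wrap it in quotes.
function escapeValue(value) {
  const map = { '\0': '\\0', '\n': '\\n', '\r': '\\r', '\b': '\\b', '\t': '\\t',
                '\x1a': '\\Z', "'": "\\'", '"': '\\"', '\\': '\\\\' };
  return "'" + String(value).replace(/[\0\n\r\b\t\x1a'"\\]/g, (c) => map[c]) + "'";
}

function renderParameterized(q) {
  let i = 0;
  return q.sql.replace(/\?/g, () => escapeValue(q.values[i++]));
}

// Counts statements in a SQL string: ';' outside quotes separates statements and
// '--' outside quotes starts a comment. Enough to show whether input escaped a literal.
function statementCount(sql) {
  let count = 0, inQuote = null, hasText = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inQuote) {
      if (c === '\\') i++;                    // skip the escaped character
      else if (c === inQuote) inQuote = null;
      continue;
    }
    if (c === '-' && sql[i + 1] === '-') break;
    if (c === "'" || c === '"') { inQuote = c; hasText = true; }
    else if (c === ';') { if (hasText) count++; hasText = false; }
    else if (!/\s/.test(c)) hasText = true;
  }
  return count + (hasText ? 1 : 0);
}

// Constructed input in the spirit of haiku's example, adapted to the double quotes
// the question's query uses.
const HOSTILE_LOGIN = 'x"; DROP TABLE users; --';
```

Run `statementCount` over both forms with `HOSTILE_LOGIN`: the concatenated string becomes two statements, while the parameterized one stays a single statement whose literal merely contains a semicolon. The property that matters is the one `parameterizedQuery` makes visible: the SQL text is identical for every input, so nothing the client sends can change what the statement does.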
