I have been using passportjs for user authentication on my web application. Now, I am working on Android Client for same project. When I logged in with local strategy, I was successfully logged in on Android. However, after logging in, when I tried to get data from another URI on my server, I got 'Invalid Username or Password'.
When I checked req, there was no req.user object when android asked for data on a particular URI. When accessing the same URI from web application, it contained the user data on req.user object. There was nothing in the case of Android.
I learnt that for Android, we do token-based authentication. Then I came across bearer strategy in passport js. It had some options of redirect URLs. I think I can't handle redirect URLs in Android App.
I have already done a lot of work using passport local strategy. Kindly, let me know what should I do or look into if I want to use the same strategy for my android application too.
I have found the answer to my this question on following thread. Posting it here, it might help someone else.
https://plus.google.com/u/0/+SojharoMangi/posts/N1d5XQawSnU
After a quick search i found this package:
https://www.npmjs.com/package/passport-facebook-token
Related
I have a new project involving the build of an Android app for a website of a hiking club. The website has a login functionality after which the user can browse through available hikes, subscribe to a hike, view the other subscribers, contact the organizer etc.
The original site is based on a MySQL database with a front end of .asp pages. Most data is passed through the pages as GET parameters on the query string.
New to Android development, some things really puzzle me, even after reading several tutorials. I am thinking towards an architecture baes on REST webservices but there a several obstacles to overcome and chooses to be made.
Apart from using REST, some other options are available:
Call the original .asp pages from the app instead of building a dedicated Web service. This leaves me with much less code to write, the original business logic (queries e.a.) as well as the login system can be used (with the "remember me" functionality based on cookies). Downside is that the (X)HTML code in the response needs to be parsed to show in the app GUI, where the majority of the response code is useless ballast code. Also, it does not feel very good from an archtitectorial point of view.
Using a SOAP based webservice. I am totally unfamiliar with SOAP and it appears to be much too heavyweight for a mobile device.
Using REST services. I am leaning towards this option, and have made
some already working services using the SLIM framework. But there
are some problems. First, REST is stateless by definition and does
not seem to support sessions. But the "Remember me" option is
required for the app after login in for the first time, the user
needs not to login again unless he explicitly logs out.
But how can we achieve that?
First option is to designing some completely client-site login/logout system which saves the credentials locally until the user logs out. And sending the credentials with each request to the Web service as POST parameters, or somehow in the HTTP Authorization request header, though I am not familiar with that.
Second option is to deviate a bit from RESt principles and use a session mechanism anyway. After sending the credentials to the web service, a cookie is created and send to the client app. The dartabase cannot be extended so there is no option to save a token in the user table. Maybe the usernae/password can be encrypted and send as a cookie to the app, and decrypted at each subsequent request?
I am a bit lost in this, and look forward to serious suggestions!
I believe that from a long term perspective, it is important that you lean towards REST Interfaces. While JSoup and/or WebView approaches will definitely work, it is important to have the flexibility to redefine/design the mobile application in ways that are completely agnostic of the Server side. REST will help you there and you do not need to play catch up with the Server side, everytime they change the HTML pages, etc.
Going REST will also help in future with writing additional mobile applications and even on different platforms like iOS, if your roadmap contains that.
You can use jsoup to parse the html pages from your Android app and reorganize the information of the web page, this option will gives you ability to quickly develop an App, later you may think on add REST interfaces to your web site and populate data in json.
You can also use WebView to laod your web pages if you don't want to parse html pages.
I suggest you using REST architecture as you said. You can use a rest client library for Android as RESTDroid, take a look to the guide because there is a implementation example with special header needed for the particular web service used (Parse.com in this case).
I just can't get my head straight about this one. I'm currently building a rather large-scale application on Android. I've run in to a couple of problems regarding security and authentication though...
The Scenario:
I have an application that's making calls through HTTP (will implement SSL later) to a server running PHP and MySQL. Of course i want to use the existing user-database, so migration to another DB is not a solution..
I've managed to create the "register users via Android to the server"-functionality.
I've also made a working login, BUT this is where the problems start.
As users in the Android application I'am working on adds, edits, deletes and sync stuff on the server via/to the application, things get rather complicated. A little too complicated for me it seems :)
Problems:
As I get the result from my server-side login and pass it from the
server to Android via JSON, the connection dies and server-side I
'aint logged-on (sessions dies) whereas on the phone I'am. How can I
make the log-on persistent both on the server and in Android without
the need to log-on again? So that subsequent calls from Android to
the server is made with the same user, still authenticated. I.e. I
want sort of a one-time login ('till I logout) like in the
Spotify-app (and many others).
If I've understood things right, implementing SSL correct makes it
possible to send passwords in clear text to the server without the need to hash them first. Is this correct?
I just can't stop thinking about the fact that a MIM-attack would compromise any unique id I send from Android to the server. My first thought was to have the UID on the Android device as a "key" to the server after a successful log-on. But if that key gets in the wrong hands, the user associated with that UID will be compromised. I've looked at the AccountManager on Android but it seems rather over-kill in my case.
If someone could supply examples or at least guidelines, I'd be much grateful!
Thanks in advace!
ADDED SOLUTION DIAGRAM AFTER EDIT
Notice that this diagram shows the first start of the application. Later startups will NOT show the Login / Register form, but use the DUT instead.
// Alexander
Issue some form of a short-lived authentication token to Android apps. They would need to pass it in every request, and you will check it your Web app. Breaking the connection doesn't end the session, if it does, you have bug in your Web app: fix it. In Android, as long as you are using the same HttpClient instance, it will continue to use the same session, nothing special is needed.
Whatever you do, do not put off implementing SSL, do it now.
I'm devepling and android application that should connect to an application server.
What I'm asking about is, should I write the url of this application server statically inside the code or is there a way provided by android to dynamically change the url if needed ??
Taking into consideration that once the app is uploaded on play store, the application server should reserve the address and never change so as not to affect the android app.
I'm just asking about best practices in those situations.
Thanks all :)
Although that would be nice, it might not be worth the hassle. I think it's fine to code in the URLs as they are currently. If for some reason you change the endpoint, try and make it so you send an error saying that the user needs to update the app (and release a new version with the updated URLs). It's also a nice way of indirectly getting your users to update to the latest version so you don't have many to maintain!
Also, if your server moves, it's still not a problem, since you'll still be using the same domain name to point to your server!
(This is assuming that it's still the same domain name, and it's just the endpoint changing, and you don't need to reuse the previous endpoint for something else. Yeah, quite a few assumptions :) )
It is best to consider that your server will be relocated in the future, because you never know. Unless you are willing to upgrade your application anytime it happens, dynamic configuration is the best approach.
You can write the URL of the redirect server in the code, and have that server redirect to different URLs as required. The redirect "server" in its simplest form can be just a text file stored on your company's website, for example.
I have created an AppEngine connected Android application, and I'm trying to modify it to be able to store some user data on the server. I do not know what's the easiest way to do so, because I want it to be as simple as possible. I just want to store some basic data for every user. This data is: Name, Email, and some other Strings. I have created a form in the android side which will allow the user to type all the requested data, but I do not know how to send this information to the GAE server and store it in the datastore. I guess I will have to use a Servlet and some kind of RPC service to call the methods. I'm really lost because it is my first time doing this. I'm not experienced neither in android nor in web apps. I hope you can help me.
Update
Well, maybe I did not explain myself well. The system I've been asked to build consists on a web service that store your personal login credentials for most common sites (facebook, gmail, etc). Using a chrome extension, you ask the server for the credentials on the website you are navigating, and then the server asks to your phone for authorization. It will ask (do you give me permission to send your credentials to "some user"), and you have to ansewer yes or no and then the server will act in consequence. The point is that you have to store your credentials in the server in some way, maybe from the android app (which is what I was trying) or from somewhere else. I will also need authentication.
Pd: I use java for the server side.
Since you already started with AppEngine connected Android application, it makes sense to continue customizing it: App Engine Data Access: Adding Entities and RPC.
Update:
There are of course many ways to exchange data between client and server. The most simple would be a servlet handling GET and POST requests with some query parameters.
Also, most popoular lately is REST:
Android REST client: http://appfulcrum.com/2010/08/20/android-how-to-call-rest-service-using-asynctask/ (try using GSON instead to parse JSON)
Server: use a REST framework. My personal choice is RESTEasy. An example: http://ankiewsky.blogspot.com/2010/08/resteasy-on-googleappengine-corerest.html
Update 2:
The simplest possible way - making/handlin a simple POST request:
Android client - making POST request with parameters: http://www.androidsnippets.com/executing-a-http-post-request-with-httpclient
Server handling POST (or GET) and extracting parameters: http://www.exampledepot.com/egs/javax.servlet/GetReqParam.html
Find and follow thoroughly the Topic Index on this page. Gud luck
I'm trying to get json data from a django view (login required)
into a new android app I'm working on.
I would like to authenticate the user against the django login
and keep the cookie/session for all the django view calls to
get data from the server.
I did some googling but nothing helped me,
even if I guess it should be a quite common task.
Maybe I'm facing the problem from a wrong point of view..
So I'll switch the question to:
how can I do some user authenticated json request/response to a django server?
Any clue?
You have to do as the website expects, and you need to persist the session cookie.
What I did is using XML-RPC to do all the transfers.
Not exactly sure if it's the best way, considering django's xml-rpc support is some kind of a hack.
Here's a very detailed XML-RPC handler for django:
https://code.djangoproject.com/wiki/XML-RPC
then, setup ur client end on android.
When communication is okay. Start writing server end API.
from django.contrib.auth import authenticate
and use this function to do authentication.
Then for sessionId stuff, you need to go to backend db to manually do them: https://docs.djangoproject.com/en/dev/topics/http/sessions/
as u can see, this is why I don't think it's the best way. You can't send httprequest, hence most django build-in functions doesn't work.