I am developing an app which uses couchDB. When the user opens the app, it will prompt him to enter username and password.
Now my problem is how will I check user authentication in couchDB, I mean how to check if the user is existing user or new user from couch server.
Is there is any secure way for user authentication in CouchDB?
I have to disagree with DHK's answer: the CouchDB _users database is a fine way to do user authentication. You're not managing users in code (which is indeed a bad practice); CouchDB handles all the password salting/hashing/etc. automatically for you. The only thing you need to add is SSL (HTTPS) so that the password isn't sent in the clear. This is a feature, not a bug, since that's what HTTPS was designed for.
I wrote a blog post about CouchDB which talks a lot about authentication, and if you just want to quickly get up and running, this rough draft of a PouchDB plugin shows you how to do simple signup/login/logout operations with CouchDB (look at the code; it's super easy).
The only difference between how that plugin works and how you'll do it on Android is that you can't use cookies. You'll use basic HTTP authentication (https://user:password#mycouch.com:5984), which again is fine as long as you're using SSL. CouchDB has docs on SSL, or you can just put an Nginx proxy in front of it (my preferred solution).
You really should not use the couchDB users as users in your app.
It's also bad practice to store login and database server details in code in your application.
I would setup an API to your couchdb, that shields any passwords from the user but other than that is a pretty transparent API just passing through the views/etc to the actual couchDB instance.
Users would have to authenticate against this API which may in turn use some "api user" data stored in your couchdb to validate that they are genuine, and if not reject the requests.
Related
I'm using couchbase lite in an android app with sync gateway and couchbase in the server and it works great.
Now I want to make a request to node.js from the android app, and i want to use the same session to authorize the user in the node.js app.
Is it possible?
Can I read the session in node and match it with couchbase?
You're asking about authorization. This is tied to authentication, but you should make sure to distinguish between the two. It sounds like what you want is to authenticate the user, then have your node piece authorize access based on this.
Having said that, it depends some on the type of authentication you're using to establish your session.
Basic Authentication (when used directly with Sync Gateway) just passes a username and password that gets checked. I think you get a session cookie after that. It would be very difficult to use that to authenticate to anything else (as in, you'd have to modify Sync Gateway code yourself).
OpenID Connect, in the auth flow, might give a few ways to possibly do this.
One simpler way is to have the node app also authenticate the user. If this flowed through the same browser, the browser will often keep state that would allow the user to bypass re-authenticating. This could be a little clunky, because you'd have to pass things off to a browser (or a webview, but there are security issues with that, too), which the user would likely notice.
Another approach would be to be to do a sort of double redirect. (I think this would work, but I haven't tried it. I can't find documentation on whether an authorization code can be used twice.) In the authorization flow, have the redirect go to the node app. Then have the node app redirect again to Sync Gateway. Both apps can ask for the ID token.
Yet another way would be to have your Android app ask for the ID token directly and pass this in some protected way to your node app. As always, you'd have to protect against replay attacks, and I'm not sure what else, so this could be challenging.
In any case, Sync Gateway is built to request the ID token itself, so any approach will need to ask for the ID token twice.
Here are some references you can look at to investigate this further yourself.
http://connect2id.com/learn/openid-connect - A nice write-up of the OpenID Connect protocol.
https://developers.google.com/identity/protocols/CrossClientAuth - Google Identity Provider documentation that addresses sharing authorization between a mobile app and a web app.
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html - A post describing the distinction between authentication and authorization, and why OpenID Connect (not OAuth) should be used when needing authentication.
Note: You can't use the Couchbase Node.js SDK on the bucket that is used by Sync Gateway otherwise it will mess up with the _sync metadata and documents won't sync properly; but you can query documents, create sessions, etc. using the Sync Gateway REST API.
You can refer to the documentation of the Sync Gateway REST API to get the list of available endpoints. And if you don't want to roll out your own HTTP wrapper, a JS library is available that runs on Node.js and in the browser: http://developer.couchbase.com/documentation/mobile/1.3/develop/guides/sync-gateway/rest-api-client/index.html.
So I have this ASP.NET MVC 4 web app that behaves pretty much like a web service. The client sends a request, the web service returns a JSON object. Now I'm to the point in which I have to authenticate my users from an Android app. What is the proper way to do this on the client side since I no longer have a web browser to store cookies for me to authenticate with the server. SSL is already taken care of.
I have been thinking of several straight forward ways to authenticate but I'm concerned about having some security vulnerability that I might not be aware of.
Is it OK for me to store the user credentials (username and password) in a SQLite database on the Android phone where the app is installed, and then send those credentials along with every request to the server to authenticate? (I'm thinking of hashing the password before storing it in the database, of course).
Is this approach not safe? How do other apps usually authenticate with their services: like eBay, Facebook and such?
Data saved in the private storage are relatively secure (on a non rooted device at least). This include :
sqlite databases (if not made worldreadable)
SharedPreferences
If you want a better integration with the account manager (e.g. to have the account listed in the device's settings), you can write an AccountAuthenticator. See Creating a Custom Account Type or Write your own Android Authenticator. Not sure about eBay and Facebook, but that's what Firefox Sync and Evernote for example do.
You can use OAuth 2 - many tutorials and implementations are readily available.
How do all these mobile apps login users? I did a lot of research and read tutorials but I can't find a definitive answer...
I created an API for my Codeigniter web app using Phil Sturgeon's REST server. Now I need to create a mobile app (for Android and ios) that works with remote data from my web server. (I decided to build my app with Appcelerator.)
My goal is to allow users to log in from my mobile app and make CRUD operations via the REST server API. The API uses HTTP digest access authentication but I'm concerned about security because it sends a username and password over HTTP. Is there a more secure way to authenticated users?
After a user is logged in how will they perform CRUD operations without logging in again?
Security is a matter of trade-offs. You need to answer several question.
How much pain can I put the user through to protect the content?
How valuable is the protected content?
What are the consequences of breached security?
Unless you are storing banking information, confidential/personal information, or the content can be irrevocably altered/deleted, HTTPS with digest authentication are fine.
NOTE: digest does not transmit passwords.
I'm building an Android application which has to sent some information to my mysql database. The mechanism I'm trying to implement is based on JSON, php, Mysql combination. Unfortunately I'm not a veteran when it comes for those subjects. As I understand correctly the php-Mysql connection is always secure - nobody except me can see the source of php script in which I have written username and password to my database. Now the tricky part, my php script is located on Apache server and it isn't protected at all, therefore anybody can trigger it (even from the desktop browser). How can I prevent this situation? and how can I safetly trigger my php script from my Android device?
Thanks
Use SSL. This will encrypt the connection between the device and the server.
Use a client id/key for your device that is verified on the server.
In case you REALLY worry that someone will modify your app to send fake calls using such: verify the client certificate as well (piggy back). (The same way it is done with Facebook Android library and Google mobile libraries).
Use ssl, this will encrypt the connection
Set an authenticate mechanism, on your php page and you android application will send the credentials
Set a random pin code that the server side sends to the application, and he is valid only to the current session, and the application need to run a function that will generate the right answer to this current number and sends it to the server as verification, for example if the server sends me the pin number:120, and the verification function of mine is to +1 the pin number I will send the server 121, but I suggest to use a little bit more complicated algorithm.
The Android device is no different than any other HTTP client, like your browser. You need to follow the same mechanisms you will be using in order to protect a standard Web Page:
Require login to the page. The user needs to supply a valid username and password to gain access. The server returns a session, which is usually stored in a cookie. This question will help you on how to do that on Android.
To keep someone from intercepting the username and password, the log-in should be done over HTTPS
the most intuitive way is to authenticate the user (Username + Password) using an Https Connection, there is better types of secure authentication like OAuth, see this: http://code.google.com/p/oauth-signpost/
I am in the planning phase a new project. I want to be able to control multiple relays from my android powered phone over the internet. I need to use an HTTP based server as a middleman between the phone and the relays. Django is my preferred platform because Python is my strongest skill set. This would not be a "web app" (with the exception of the admin interface for managing the user and their access to the relays). Rather, the server would simply provide an API in the form of HTTPS requests and JSON encoding. Though, I should note that I have never done any web development in my life, so I don't know best practices (yet). The authentication method should meet the following criteria:
Works over HTTPS (self-signed SSL)
Provides multi-factor authentication (in the form of something you have and something you know)
Be reasonably secure (Would be very difficult to fool, guess at. or otherwise bypass)
Is simple in implementation for the server operator and end user on the mobile client
Is lightweight in in terms of both CPU cycles and bandwidth
I plan to use the following scheme to solve this:
An administrator logs into the web interface, creates a user, and sets up his/her permissions (including a username and a password chosen by the user).
The user starts the client, selects add server, and enters the server URL and his/her credentials.
The client attempts to authenticate the the user via HTTP auth
(over SSL). If the authentication was successful, the server will generate an API key in the form of a UUID and sends it to the client. The client will save this key and use it in all API calls over HTTPS. HTTP auth is only used for the initial authentication process prior to reviving a key, as a session scheme would not be nessessary for this application. Right? The client will only work if the phone is configured to automatically lock with a PIN or pattern after a short timeout. The server will only allow one key to be generated per user, unless an administrator resets the key. Hence, simple, mobile, multifactor authentication.
Is this sound from a security standpoint? Also, can anyone point me to an example of how to use the HTTP auth that is built into Django? From a Google search, I can find a lot of snipits witch hack the feature together. But, none of them implement HTTP auth in the wayit was added to Django in 1.1. The official documentation for REMOTE_AUTH can be found here, but I am having difficulty understanding the documentation as I am very new to Django.
I'm not entirely sure of how basic auth would work on Django, but I can take a shot.
The basic auth article on wikipedia covers a pretty standard usecase for logging in. For Android I've personally skipped the first part (401) and just pass my credentials in right away.
With your auth request you will have to just grab the user credentials from the request headers (WWW-Authenticate) and then do all the necessary work for that. With the credentials you can then just use the authentication framework provided in Django to verify that the user then generate their UUID (I guess).
As for basic auth on Android it's a little bit tricky at first and may leave you pulling your hair. I've found this article on Basic HTTP auth for android which helps explain how to do it.
As for the security part of it, I'm not too sure. It's pretty simple, which I'd say is a good thing :)