cookie set by rails app does not work on javascript apps - ruby-on-rails

Trying to figure out why a cookie that was created by postman does not work in rails request.
Here is the structure:
Rest API - web.abc.com/api
website - web.abc.com (Ruby on rails. no JS framework)
Webapp - web.abc.com/admin (ReactJS app)
So now, authentication happens on the (Rails app - website), API then returns a cookie. The cookie is then set in the browser and user is logged in. We then use rails (rest-client) gem and send the cookie back to the API on requests and all works well.
Problem is, the same cookie (session) does not work on the react app. the cookie is sent to the API but does not work. However, if we authenticate using postman, then copy the cookie value and paste it into the browser (cookie value), the react app works BUT not on the website.
So in a nutshell. If the cookie is set from Rails app, it works on the website but not on the react app. If we authorize with postman and past the cookie value in the browser (replacing the cookie value), it does not work on the website, but works on the react app.
what am i missing?

Related

Re-athenticated with the stolen cookies in Laravel Sanctum

I setup a SPA authentication with Laravel Sanctum, it works fine. I login successful with an user. In Chrome Devtools, Application > Storage > Cookies, I copy and save the values of laravel_session and XSRF-TOKEN to a text file, then logout and delete all cookies and refresh browser, here I logged out.
Then I re-open Devtools, restore the values of laravel_session and XSRF-TOKEN manually, refresh browser, now my status is logged in.
Is this normal? Is this the way that cookie based session authentication work?
Thank you.
I was running into the same issue. My problem was that I called Auth::logout() instead of Auth::guard('web')->logout(); inside my AuthController in Laravel.
By using Auth::guard('web')->logout(); the cookies seem to get revoked by the server and can't be used for authentication any more.
By the way, I found the answer here: https://stackoverflow.com/a/63449251/10095327

What's the use of JWT in Rails + React app for Auth

I don't understand the use of JWT token..
Can anyone explain it to me ?
Because currently i'm working on an app (rails + react), and I want to use devise + jwt for authentification and React for frontend.
Actually, I understood that :
1/ If a user want to login: he completes the form, React get Data from form and make a post request of these infos to Rails API.
2/ Rails API get theses infos check in the db if infos match with a registered user, if it is then Rails API will create a JWT token and will send this token to React.
User is now logged in because Rails API found a matched user.
3/ React receive the JWT token. ( ?? what the usage of this token ?? )
thanks
My response is not specific to Rails/React, but rather to all web technologies using JWT tokens:
What you said is correct. From point 3 forward, all the requests made from React to the Rails backend will have to contain the header Authorization: Bearer <token>.
When Rails sees that header, it is able to:
checks the token is valid, by checking its signature
decode it and extract any info stored in it.
Remember that JWT tokens can contain any info the backend wants to store in it. And the client is not able to tamper it, because it is signed cryptographically and it would invalidate its signature.
The above properties (the fact you can store anything in it, that the frontend sends it with every request and that nobody can tamper it) help any web application being able to:
have a shared nothing architecture - because the session is stored completely on the UI, so any backend worker/machine can handle any request
store more info in the session than if they'd use signed cookies for sessions.
Since you are return api . And react is consuming it.
Jwt help to return data you might need to persist in your frontend in react tho. Data like user name or email.
Example : making the header of your website show a user is logged in.
Since you are return api . And react is consuming it.
Jwt help to return data you might need to persist in your frontend in react tho. Data like user name or email.
Example : making the header of your website show a user is logged in.
The main aim of jwt in frontend is basically auth.
Apart .
If you are using a monolith app u deal with session for user
In react case jwt stands in as the session
The main aim of jwt in frontend is basically auth or other.
Apart . If you are using a monolith app remeber u deal with session for user In react case jwt stands in as the session

How to read cookies in rails app set by some different application

I need to read cookies set by some different application into my rails application. both the application is running under common SSO (authentication) and when the user successfully authenticated he first redirected to the first application (Node/Express app) which write some data into browser cookies and then when the user clicks on some button which loads my rails application. it will create a rails session. I need to set some variables reading from the cookie set by node/express application.
Assuming your SSO cookie is named "sso_cookie", to read the cookie: cookies[:sso_cookie]. To update the cookie: cookies[:sso_cookie] = 'new-value'.
See ActionDispatch::Cookies.

Oauth 2 autentication from a desktop or console app

I am trying to authenticate to an Oauth 2 service from a console app.
When opening the authorization server with the browser (Process.Start...) to authorize the app I should pass a callback url to receive the auth_code.
I tried to insert inside the app a webservice to be called back (servicestack), but it is not accessible from outside (localhost) and also if called is not receving the auth_code.
Is there a more effective and elegant way to do desktop authorization for Oauth 2.0 service?
Desktop application can use PIN based authorisation.
For example:
http://www.voiceoftech.com/swhitley/index.php/2010/02/twitter-oauth-with-net-for-the-desktop/

how to login to an authlogic rails form from an iphone client

I have a server side app written in Rails using the authlogic plugin. I am not sure how to login to the rails app from my iphone client. I think I know how to write get/post code in Obj C, but I'm not sure what the best approach is of authenticating with my rails server. Here is what the server side HTML looks like when you go to this URL:http://localhost:3000/user_sessions/new : http://pastie.org/596279
To authenticate from your iPhone app you will need to:
Disable cross site request forgery for the form actions
HTTP POST user_session[username] and user_session[password] to your FQDN + '/user_sessions'
Capture the session cookies returned from the site (and return these with subsequent requests) to take further actions in the application.
Depending on what your overall goal is, it might be better to write a custom authentication piece that would use the iPhone's internal ID and a combination of the username and password to create unique token to use for the session on the site.

Resources