reactjs – React and Firebase authentication system

import firebase from "firebase/app";
import "firebase/auth";

const firebaseConfig = {
  apiKey: process.env.REACT_APP_API_KEY,
  authDomain: process.env.REACT_APP_AUTHDOMAIN,
  databaseURL: process.env.REACT_APP_BASEURL,
  projectId: process.env.REACT_APP_PROJECT_ID,
  storageBucket: process.env.REACT_APP_STORAGEBUCKET,
  messagingSenderId: process.env.REACT_APP_MESSAGING_SENDER_ID,
  appId: process.env.REACT_APP_APP_ID,
  measurementId: process.env.REACT_APP_MEASUREMENT_IDenter code here
};

// Initialize Firebase
const fire= firebase.initializeApp(firebaseConfig);
const firebaseAuth = firebase.auth();

export default fire;

So this is my firebase.js file and I’m trying to use the authentication system, but it’s not working and I’m getting this error “TypeError: firebase__WEBPACK_IMPORTED_MODULE_6_.default.auth.onAuthStateChanged is not a function”. Also I have imported the firebase file everywhere I’m using it so I’m nto sure what’s wrong because for some reason obviously I can’t access the auth functions.

Any help is appreciated”!!

one time password – Protecting OTP based authentication

Let’s say I have a website which uses 4 digit OTP based authentication for login i.e. users will enter their mobile number, receive OTP on the entered mobile number, enter the received OTP to login successfully.

I have an approach on how to crack such a login based mechanism if I have access to a subset of all registered mobile numbers, and I want to know whether it will work and if yes how to protect against the same.

Let’s say I have a list of 100,000 mobile numbers registered/using such a website.

Now, I will do the following process multiple times.

  1. Pick a previously unused phone number from the list of registered phone numbers.
  2. Hit the service to send an OTP to the registered phone number ( which I do not have access to ).
  3. The website in background will generate a random OTP and send it to the registered mobile number.
  4. I will generate a random 4 digit OTP and try to login using the same.

Now, the probability of the above process succeeding is: 10000 / (10000 * 10000) => 1 / 10000,
because in every process a pair of 10,000 faced dice are rolled, and above is the probability that both of them will have same number on the top.

So, if I repeat the above process at least 10000 (expected value to get a match) times, I should be able to login using at least one phone number with high probability, right ?

is it possible to add an oauth2 based user authentication provider to sharepoint server

I should start by saying this is the first time i’m dealing with sharepoint user auth. One of my customer requires users from different identity providers to be able authenticate their users to sharepoint sites within the organization.

Currently we are using the standart AD LDAP auth method but I’m looking for a way to add another auth provider. The information i have is as follows:

They have an oauth2 based identitiy provider system in-house developed software. And they told me they have ldap as authentication provider. I also recieved a postman json file for oauth2 protocol they used. But that doesn’t mean much to me at this point.

Please let me know if the above information is enough. If not i’ll ask for more information that you might require to provide a solution.

edit: the said ldap integration was for ad user to authenticate through custom oauth2 based identity provider. At first i thought it would work between oauth2 and sharepoint but that isnt the case.

edit2: would it be possible to create asp.net forms auth page that talks with oauth2 protocols given in json file below? And add that fba to sharepoint auth provider list?

{
    "info": {
        "_postman_id": "7035aaf2-e7c6-40d9-890d-e9f80b5b01dc",
        "name": "OAUTH2Protokol",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
    },
    "item": (
        {
            "name": "GetAuthentication",
            "event": (
                {
                    "listen": "test",
                    "script": {
                        "id": "b6bbbcfe-9521-47ce-9c5f-fa221103559f",
                        "exec": (
                            "var data = JSON.parse(responseBody);",
                            "",
                            "pm.test("Access Token recieved", function(){",
                            "",
                            "    responseBody.has('access_token')",
                            "",
                            "});",
                            "",
                            "pm.environment.set("token", "Bearer "+ data("access_token"));"
                        ),
                        "type": "text/javascript"
                    }
                }
            ),
            "request": {
                "auth": {
                    "type": "basic",
                    "basic": (
                        {
                            "key": "password",
                            "value": "web_secret",
                            "type": "string"
                        },
                        {
                            "key": "username",
                            "value": "web_app",
                            "type": "string"
                        }
                    )
                },
                "method": "POST",
                "header": (
                    {
                        "key": "Content-Type",
                        "name": "Content-Type",
                        "value": "application/x-www-form-urlencoded",
                        "type": "text"
                    }
                ),
                "body": {
                    "mode": "urlencoded",
                    "urlencoded": (
                        {
                            "key": "username",
                            "value": "**TCKN**",
                            "type": "text"
                        },
                        {
                            "key": "grant_type",
                            "value": "password",
                            "type": "text"
                        },
                        {
                            "key": "password",
                            "value": "**PASSWORD**",
                            "type": "text"
                        },
                        {
                            "key": "scope",
                            "value": "scopenamehere",
                            "type": "text"
                        }
                    ),
                    "options": {
                        "raw": {
                            "language": "json"
                        }
                    }
                },
                "url": {
                    "raw": "https://subdomain.domain.gov.tr/oauth/token",
                    "protocol": "https",
                    "host": (
                        "subdomain",
                        "domain",
                        "gov",
                        "tr"
                    ),
                    "path": (
                        "oauth",
                        "token"
                    )
                }
            },
            "response": ()
        },
        {
            "name": "GetAuthenticationLDAP",
            "event": (
                {
                    "listen": "test",
                    "script": {
                        "id": "b6bbbcfe-9521-47ce-9c5f-fa221103559f",
                        "exec": (
                            "var data = JSON.parse(responseBody);",
                            "",
                            "pm.test("Access Token recieved", function(){",
                            "",
                            "    responseBody.has('access_token')",
                            "",
                            "});",
                            "",
                            "pm.environment.set("token", "Bearer "+ data("access_token"));"
                        ),
                        "type": "text/javascript"
                    }
                }
            ),
            "request": {
                "auth": {
                    "type": "basic",
                    "basic": (
                        {
                            "key": "password",
                            "value": "web_secret",
                            "type": "string"
                        },
                        {
                            "key": "username",
                            "value": "web_app",
                            "type": "string"
                        }
                    )
                },
                "method": "POST",
                "header": (
                    {
                        "key": "Content-Type",
                        "name": "Content-Type",
                        "type": "text",
                        "value": "application/x-www-form-urlencoded"
                    }
                ),
                "body": {
                    "mode": "urlencoded",
                    "urlencoded": (
                        {
                            "key": "username",
                            "value": "**EMAIL-company**",
                            "type": "text"
                        },
                        {
                            "key": "grant_type",
                            "value": "password",
                            "type": "text"
                        },
                        {
                            "key": "password",
                            "value": "**EMAIL-PASSWORD**",
                            "type": "text"
                        },
                        {
                            "key": "scope",
                            "value": "scopename",
                            "type": "text"
                        }
                    ),
                    "options": {
                        "raw": {
                            "language": "json"
                        }
                    }
                },
                "url": {
                    "raw": "https://subdomain.domain.gov.tr/oauth/token",
                    "protocol": "https",
                    "host": (
                        "subdomain",
                        "domain",
                        "gov",
                        "tr"
                    ),
                    "path": (
                        "oauth",
                        "token"
                    )
                }
            },
            "response": ()
        }
    ),
    "protocolProfileBehavior": {}
}

2 person 2-factor authentication? – Information Security Stack Exchange

I’m trying to build a system as follows:

  • User 1 is a low permission user. They will be using their phone and at some point will need to do a secure action.
  • User 2 is an admin user and will be in the same room as user 1.
  • User 2 will generate a temporary code on their own device (could be a phone or desktop), and then verbally give the code to user 1.
  • User 1 will then enter the code given to them to complete the secure action.

Ideally, neither user 1 nor user 2 will reveal their account usernames to each other. The only thing that will be exchanged is the code.

The backend system I am using to build the basic user authentication is in ASP.NET Core MVC & Asp.net Identity, and this will include an API to validate and generate the codes.

Anyone have any ideas about how to implement the code generation and validation?
Potentially the codes will need to be long enough to identify which admin user requested the code (and thus approved the action), but hopefully not too long to become unwieldy (maybe 6-8 characters?)

(I posted this to stack overflow: https://stackoverflow.com/questions/64073338/2-person-2-factor-authentication
but was recommended to post on this site. )

What is 2-Factor Authentication? – Low End Box

What is 2-Factor Authentication?This article was contributed by Dustin B. Cisneros from RackNerd. If you are looking for a new VPS or web hosting service, be sure to check out RackNerd’s latest LowEndBox specials!

In this article, we will be talking about a more generic and broad topic that is important to all of us internet users, whether it be related to LowEndBoxes or otherwise. Inspired by a surge in digital security threats and vulnerabilities on the Internet recently, in this topic we will talk about 2-Factor Authentication, and tell you all about it and why you should use it for your online accounts (such as your e-mail accounts).

What is 2-Factor authentication?

2FA is a form of multi-factor authentication; it makes use of two factors of different types to authenticate a user. The first factor could be a password, while the second factor can differ and include things such as a one-time password that you receive on your mobile phone.

The majority of websites and applications now use 2-Factor authentication. You might already have used 2FA in the form of biometric verification, where only your fingerprint, along with a password, can authenticate your identity.

There are different ways in which 2FA is implemented. The most common way is that you provide your password as the first factor. The website server then verifies the given password with the stored encrypted password – and if it matches, it takes you to the second factor. In the second step, you are sent a one-time password or a PIN to your stored phone number. You would only be able to access your account when you enter that OTP or PIN.

Other second authentication factors can include the use of email, smartphone apps, biometric verification, and even physical devices such as RFID cards and tokens. 

Why is 2-Factor authentication important?

Nowadays, using only a single layer of protection, such as a password, is not secure enough. There are numerous ways in which a password can be stolen or cracked.

With the increase in computing power, brute force attacks are getting more frequent. Moreover, what makes it all worse is the use of weak and short passwords. Passwords such as “password123” are still commonly used, even though they can be easily cracked or even guessed.

The problem with only using a password is that it is difficult to remember a strong password. Therefore, people tend to use easy and memorable passwords. Additionally, passwords are also potentially exposed to threats such as keylogging and data recovery of old storage drives.

Thus, the use of 2-Factor authentication provides a safety net for your online accounts. Even if the attacker has your password, your account will remain secure as long as they don’t have access to the second factor. That is why the second factor is something that only you have access to, such as a mobile phone or an RFID key.

However, devices such as mobile phones and keys can also be stolen; thus, in high-security environments, the use of 3FA (3-Factor Authentication) has started. 3FA can include a password, an OTP, and biometric verification used together.

Jon Biloh

I’m Jon Biloh and I own LowEndBox and LowEndTalk. I’ve spent my nearly 20 year career in IT building companies and now I’m excited to focus on building and enhancing the community at LowEndBox and LowEndTalk.

authentication – Differences between AspNetUserToken and custom made JWT token in .NET Core 3.0

I’m working on a small side-project API and I wanted to implement JWT authentication. I already made some API with JWT and always made custom implementation and validation.

This time, I wanted to use Identity/Entity Framework to go faster and to use the tools that are already made for me.

While doing the GenerateToken method and looking through the internet, I noticed that a lot of the tables created by IdentityFramework are not used. And I got interested in AspNetUserToken.

I noticed that instead of

private object GenerateToken(IdentityUser user)
{
    var tokenHandler = new JwtSecurityTokenHandler();
    var key = Encoding.UTF8.GetBytes(ApiConfig.JwtSecretKey);

    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new Claim()
        {
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.Email, user.Email),
        }),
        Expires = DateTime.UtcNow.AddSeconds(double.Parse(ApiConfig.JwtExp)), //TODO: Try parse
        SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature),
        Audience = ApiConfig.JwtAudience,
        Issuer = ApiConfig.JwtIssuer
    };
    var token = tokenHandler.CreateToken(tokenDescriptor);
        
    return tokenHandler.WriteToken(token);
}

Which I used to generate a new JWT token, add the claims, issuer, audience, etc… Could maybe be replaced by this :

//Removes existing token
_userManager.RemoveAuthenticationTokenAsync(user, "lboard", "login"); 
//Creates a new one
var newToken = await _userManager.GenerateUserTokenAsync(user, "lboard", "login");
//Set the new token for the user 
await _userManager.SetAuthenticationTokenAsync(user, "lboard", "login", newToken);

I would like to know what are the differences between the two methods, and if there are any benefits of using a custom implementation or if I’m better off with the IdentityFramework one.