Difference between revisions of "WebFund 2014W: Tutorial 4"

From Soma-notes
Latest revision as of 09:59, 31 January 2014

In this tutorial we will be playing with a program that is similar to last tutorial's sessions demo except that we now:

  • authenticate the user with a password,
  • secure communication using https (using a self-signed SSL certificate), and
  • have persistence across server restarts.

Because we are using SSL, you will need to connect to https://localhost:3000 rather than the standard http address. You will also get a warning about the self-signed certificate; this is normal. However, you may want to try examining the certificate to see what information it contains.

The sample express application is auth-ssl-demo (http://homeostasis.scs.carleton.ca/~soma/webfund-2014w/T4/auth-ssl-demo.zip).

If you were doing authentication in a real application, you should probably use a more mature solution like everyauth (http://everyauth.com/) or Passport (http://passportjs.org/); however, this solution does follow the standard practice of storing the password in a form that is (somewhat) hard to reverse (hashed and salted), and we only transmit it over an encrypted channel.

You should get the application running, look at the code, and then attempt to answer the questions below about the code and make the suggested modifications.

Running the code outside of the class VM

Note that if you are running this code outside of the class VM, you will probably need to delete the node_modules directory and run npm install as some of the modules for this class use native code. In particular, this code uses OpenSSL's implementation of bcrypt.

npm install should work fine on Linux, as distributions often include OpenSSL as part of the standard development environment. Building this on Windows machines can be tricky, however, as OpenSSL is not normally installed; you'll have to install it separately in addition to Visual Studio. See the node bcrypt package documentation (https://npmjs.org/package/bcrypt) for more information on how to get it to run on Windows.

A reasonable question here is, why not use a JavaScript implementation of the crypto primitives? They do exist; however, you should always use CERTIFIED IMPLEMENTATIONS of cryptography in your applications. If it hasn't been properly tested and evaluated, you are running very very serious risks. Friends don't let friends implement cryptography for anything except personal entertainment!

Having said that, you should be able to get the code working using pure JavaScript with bcryptjs or bcrypt-nodejs packages with minor changes to the application.


Questions

You will get full credit for this tutorial for attending and showing a TA that you can at least answer a few of the questions below. You are highly encouraged, though, to try and answer all of the following during tutorial.

  1. What is the difference between the Login and Register button on the initial screen? Do they work the same way?
  2. Generate your own SSL certificate for the application. How do you know you succeeded?
  3. MongoDB's "tables" are collections; they are grouped together into databases. What MongoDB database is used by this application? What collections?
  4. How long before this app's session cookies expire?
  5. Do sessions and user accounts persist across web application restarts?
  6. Once the application is running successfully, kill the MongoDB server and see how the application behaves when you attempt to register a new user. Does it "succeed" or does it report an error? Is the user properly registered? (You can stop and start the server in the VM using the commands sudo service mongodb stop and sudo service mongodb start, respectively.)
  7. The POST handler for /login processes a username and password supplied by the user. How are they accessed? Where did this information come from? And, are they validated in any way?
  8. Why are there three arguments to the calls to app.get(), rather than the previous two?
  9. How can you change this app to list all of the currently logged in users on /users?
  10. routes.register() has multiple nested functions. What do each of them do, and why are they nested the way they are?
  11. What is toArray() doing in the calls to find()? Specifically, what does the syntax mean, and why is the toArray() call necessary?
  12. Type mongo to connect to the running mongodb instance on your machine. What do the following commands do? What does this show you about how passwords are stored in this application?
      help
      show dbs
      show collections
      use auth-hash-demo
      db.sessions.find()
      db.users.find()
      db.system.indexes.find()