Need Help with the concept of XSUAA

former_member25214
Participant
Greeting,

I have a server built on express.js. I implemented basic authentication flow in my application using local strategy from passport.

The user sends a POST request for signup on my server. I save the credentials in my HANA database after encryption.

When user sends a login request it checks for the credentials in Hana and sends the appropriate response to the user. This is my current flow.

I was exploring XSSEC module in Nodejs and I tried to implement it. I'm using a default strategy which I found in the example

const express = require("express");
const passport = require("passport");
const xsenv = require("@sap/xsenv");
const xssec = require("@sap/xssec");
const app = express();
app.use(passport.initialize());
// Read the bound xsuaa service credentials from VCAP_SERVICES and register the JWT strategy
passport.use("JWT", new xssec.JWTStrategy(xsenv.getServices({
  uaa: {
    tag: "xsuaa"
  }
}).uaa));

When I tried to access my dummy route (GET "/dummy") it sends me an unauthorised response in Postman. After exploration I was able to get the token from the UAA instance.

While doing the configuration of my postman request I have to send my credentials in Access Token URL : /oauth/token?grant_type=password&username=dummy@dummy.com&password=dummy

These are my SAP Cloud Platform credentials; if they're wrong then I'll not be able to get the token.

My question:

My application is hosted on SAP Cloud Platform and the users are general public. The application is very similar to Facebook or Twitter.

I want to use my HANA database as a source instead of SAP Cloud Platform. How do I do that? Is it possible, or should I continue with my current implementation?

I hope the question is clear, if not let me know in the comments.

Thanks

gregorw
Active Contributor

Just out of curiosity, what did you use for encryption? I hope you mean that you used a hash with a salt for the password. And I can simply warn you: never invent authentication or password storage on your own. Use proven services like SAP Identity Authentication, Azure AD or Azure AD B2C, or AWS Cognito.

gregorw
Active Contributor
And why are you not using CAP for the service?

former_member25214
Participant
Yes, I have used hash with salt.

Accepted Solutions (0)

Answers (1)

CarlosRoggan
Product and Topic Expert

Hi,

First: yes, you should protect your server endpoints with xssec and JWTStrategy.

Second: to authenticate, there are several possibilities. It is not required to send the password in the URL.
Typically, user-centric applications use the approuter. The user will hit the approuter and the approuter will help with login. The approuter takes care of sending the login screen.
There's a little series of tutorials for approuter beginners, please check here:
https://blogs.sap.com/2019/06/13/sap-cloud-platform-backend-service-tutorial-24-understanding-app-ro...

I can send you a few more examples for securing your app endpoint with JWTStrategy.

However, I cannot answer your question about where your users are stored. The XSUAA server is connected to an IDP which stores your users, so you wouldn't do it manually.
If you try it in Trial, you can add users manually in the Cloud Platform cockpit.

Cheers,
Carlos

former_member25214
Participant
Question:

As I can't add my users manually in the production Cloud Platform cockpit, and the application can have 10s of thousands of active users:

It seems an IDP is required if I want to use XSUAA and the xssec node module. If I don't have it, then either I create my own custom IDP or do not use XSUAA for my app.

Is my understanding correct?

Thanks.

CarlosRoggan
Product and Topic Expert

Yes, you can connect your own IDP.