David Pennington (xeoncross)
@xeoncross
xeoncross / use-auth.js
Created August 5, 2019 16:12 — forked from timc1/use-auth.js
React Context + Hooks + Firebase Authentication
import React from 'react'
import firebaseConfig from '../path/to/firebase-config'
import firebase from 'firebase/app'
import 'firebase/auth'
import FullPageLoading from '../path/to/full-page-loading'
AuthProvider.actions = {
setUser: 'SET_USER',
toggleLoading: 'TOGGLE_LOADING',
}
@xeoncross
xeoncross / config.js
Created August 4, 2019 04:03 — forked from mccahill/config.js
Example of a Node OAuth (Twitter) and OAuth2 (Google Calendar) client that works with the version 3 Express framework. This assumes you have a config.js file holding the keys and secrets.
module.exports = {
'HOSTPATH': 'http://your.host.here',
'PORT': 80,
'EXPRESS_SESSION_SECRET': '123456',
'TWITTER_CONSUMER_KEY': 'your-consumer-key-here',
'TWITTER_CONSUMER_SECRET': 'your-secret-here',
'GOOGLE_APP_ID': 'your-app-id-here',
'GOOGLE_CONSUMER_SECRET': 'your-consumer-secret-here',
};
@xeoncross
xeoncross / react_oauth_flow.md
Last active January 18, 2022 17:45
Breakdown of the different ways to handle OAuth flow for single-page apps like reactjs using backends on the same (or different) origin

I'm trying to handle OAuth from a react app. Rather than using an external service like Firebase or Auth0, I would like to handle OAuth login to facebook, google, twitter myself. (Regardless of the backend, OAuth libraries that can verify and trade the token for user info abound.)

Here is the basic flow:

  1. React SPA opens a separate [popup/iframe/browser tab] to our server
  2. Our server creates the OAuth URL payload and issues a redirect to fb/google/twitter
  3. User logs in on fb/google/twitter and is redirected back to our server
  4. Our server communicates with the React SPA
     4.1. If same origin
          4.1.1. Using localStorage
@xeoncross
xeoncross / fetchjson.js
Created July 27, 2019 16:08
Basic fetch() wrapper to make sure we always get a JSON response, even if there is an error or the server returns some other content type.
// Look into wrapping fetch so it always returns JSON
export default function fetchjson(url, data, options) {
const defaults = {
// credentials: 'same-origin',
credentials: 'omit',
method: data ? 'post' : 'get',
headers: {
Accept: 'application/json, text/plain, */*',
'Content-Type': data ? 'application/json' : 'text/plain; charset=utf-8',
@xeoncross
xeoncross / dual_router_wrapper.go
Created July 23, 2019 02:34
Example of wrapping both Gorilla/Mux and httprouter while keeping route params in golang
package main
import (
"net/http"
"reflect"
"github.com/gorilla/mux"
"github.com/julienschmidt/httprouter"
)
@xeoncross
xeoncross / go-secure-auth.md
Created July 12, 2019 16:38
Thoughts about securing user sessions using a regular token or JWT along with an HTTPS httpOnly cookie

Secure Auth

A simple plan for avoiding both CSRF and XSS session-stealing attacks by combining the security of httpOnly cookies over HTTPS/TLS with a hashed token passed back by the client on every request.

The idea is simple: the token can be stolen, but cannot be used unless the attacker also has the secret from the cookie. Likewise, the cookie cannot be used unless the hashed token is also sent.

Since the cookie is httpOnly and sent only over HTTPS/TLS, the attacker cannot read it and so cannot reuse the session from another client. The only attack left is a successful XSS attack that loads the hashed token from wherever it is stored (or reuses the same AJAX request functions) and then performs actions (CSRF-style) using the victim's browser only.

This might seem like only a partial win, but an exploit allowing arbitrary JavaScript to run in your clients' browsers (XSS) leaves you with unavoidably big problems anyway. Both CORS and CSP headers are recommended.

@xeoncross
xeoncross / cors_middleware.go
Created July 6, 2019 02:24
Simple CORS middleware for Go as a http.Handler
func HandlePreFlight(h http.HandlerFunc, methods ...string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
methods = append(methods, http.MethodOptions)
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Origin", config.APIAccessControlAllowOriginDomain)
w.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))
w.Header().Set("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Content-Type, Content-Length, Authorization, X-CSRF-token")
w.Header().Set("Access-Control-Expose-Headers", "Session-Token")
@xeoncross
xeoncross / sorted_url_values_test.go
Created June 22, 2019 18:10
Example of sorting url.Values from untrusted clients
package main
import (
"fmt"
"log"
"net/url"
"sort"
"testing"
)
@xeoncross
xeoncross / ssr_test.go
Created June 1, 2019 20:19
Example of using chromedp to prerender a create-react-app frontend using fake SSR via chrome headless
package main
import (
"context"
"io/ioutil"
"log"
"strings"
"testing"
"github.com/chromedp/cdproto/dom"
@xeoncross
xeoncross / google_pixel_2_camera-getParameters.md
Last active May 22, 2019 19:16
Parameters provided by the camera API on android for a Google Pixel 2
var mcamera:android.hardware.Camera = android.hardware.Camera.open(0);
var params:android.hardware.Camera.Parameters = mcamera.getParameters();

console.log(params.flatten());

NativeScript/nativescript-camera#202

Check out a new project: