Using a single database for managing authentication across various websites

I'm new to setting up websites this way and could really use some advice on my unique situation.

Here's the setup:

  • I have two separate websites, WS1 & WS2, each with their own domain names. Both sites point to the same IP address using nginx server blocks and have SSL set up for security. I plan to use Express.js with ArangoDB, where I can add additional databases to separate the two sites in the backend if needed.

The issue at hand:

  • Both sites will sometimes need to access the same database information. I want to avoid duplicating data, but each site will have different authentication requirements. Each member of each site will have different login credentials and access permissions.

The question is:

  • How can I set this up securely so that accounts from one site cannot access any other site? Do I need to use separate frameworks in each server block? Should I create two separate databases? I appreciate any recommendations on best practices for handling this unique situation.

Answer №1

The effectiveness of security measures depends on the authorization framework in place.

Authentication verifies the identity of users accessing a site, encompassing details such as user credentials, company/domain affiliation, and assigned role/group permissions.

Authorization outlines the specific access rights granted to each user, company/domain, or role/group within the system.

Familiar methods like cookies and username/password combinations are used for user identification, along with database mapping to link users to their respective company/domain and role/group affiliations.

select userID, company from users where username = ?;   -- bind $username to the ? placeholder

select group from groups where userID = ?;   -- bind $userID to the ? placeholder

Databases often segregate records by domain/company or role/group, adding corresponding columns for efficient query processing.

select content from companyPages where company = ?

or

select content from groupPages where group in (select group from groups where userID = ?);

It is possible for users from multiple companies/domains to share common group memberships.

In summary:

Select content from pages WHERE
    group in (select group from groups where userID= ?)
    AND company = (select company from users where userID=?);

To implement an effective authorization scheme, it is crucial to align it closely with the underlying data model.
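The following is an added example, not code from the question or the answer above. It models the answer's users / groups / pages tables as plain arrays (constructed sample data, placeholder domain names) and applies the summary query in JavaScript, adding the one rule the question asks for: the site a request arrives on (its Host header) must equal the user's company, so an account from WS1 can never read WS2 content even when usernames collide across the two sites.

```javascript
// Constructed sample data standing in for the three tables in the answer.
// "company" plays the role of the site (WS1 or WS2) that an account belongs to.
const users = [
  { userID: 1, username: 'alice', company: 'ws1.example' },
  { userID: 2, username: 'bob',   company: 'ws2.example' },
  { userID: 3, username: 'alice', company: 'ws2.example' }, // same username, other site
];

// groups: which groups each userID belongs to (a user may hold several)
const groups = [
  { userID: 1, group: 'editors' },
  { userID: 1, group: 'members' },
  { userID: 2, group: 'members' },
  { userID: 3, group: 'members' },
];

// pages: content is segregated by both company (site) and group
const pages = [
  { company: 'ws1.example', group: 'members', content: 'ws1 welcome' },
  { company: 'ws1.example', group: 'editors', content: 'ws1 editor tools' },
  { company: 'ws2.example', group: 'members', content: 'ws2 welcome' },
];

// "select userID, company from users where username = ? and company = ?"
// Looking accounts up by (username, site) rather than username alone is what
// keeps the two sites' accounts apart when the same username exists on both.
function findUser(username, host) {
  return users.find(u => u.username === username && u.company === host) || null;
}

// The answer's summary query, with the request host checked against the
// account's company before any content is selected:
//   select content from pages
//   where group in (select group from groups where userID = ?)
//   and company = (select company from users where userID = ?)
function authorizedContent(userID, host) {
  const user = users.find(u => u.userID === userID);
  if (!user || user.company !== host) {
    // Account does not belong to the site the request came in on: deny,
    // rather than fall through to a query that could leak the other site's rows.
    return { ok: false, reason: 'account not valid for this site', content: [] };
  }
  const userGroups = new Set(groups.filter(g => g.userID === userID).map(g => g.group));
  const content = pages
    .filter(p => p.company === user.company && userGroups.has(p.group))
    .map(p => p.content);
  return { ok: true, reason: null, content };
}
```

In a real Express deployment the `host` argument would come from the server block that served the request (or `req.hostname` after nginx sets the Host header), and the session cookie itself should be issued per domain so it is never presented to the other site.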
