Free AI web copilot to create summaries, insights and extended knowledge, download it at here

5810

Abstract

div id="2fc2"><pre>npm install express express-session keycloak-connect nodemon</pre></div><h2 id="592f">Define main execution file — app.js</h2>Add a file named app.js at the root level of your secure-express-service project.Define imports and express app<div id="54ca"><pre>// file - app.js

const express = require('express'); const session = require("express-session"); const Keycloak = require("keycloak-connect");

const app = express(); const PORT = 3000;

...</pre></div>Setup Keycloak Middleware<div id="cefb"><pre>// file - app.js

...

const USER_ROLE = process.env.USER_ROLE || 'express-user'; const ADMIN_ROLE = process.env.ADMIN_ROLE || 'express-admin';

const kcConfig = { clientId: process.env.AUTH_CLIENT_ID || 'secure-express-service', bearerOnly: true, serverUrl: process.env.AUTH_SERVER || 'http://localhost:8080', realm: process.env.AUTH_REALM || 'master' };

const memoryStore = new session.MemoryStore();

Keycloak.prototype.accessDenied = function (request, response) { response.status(401) response.setHeader('Content-Type', 'application/json') response.end(JSON.stringify({ status: 401, message: 'Unauthorized/Forbidden', result: { errorCode: 'ERR-401', errorMessage: 'Unauthorized/Forbidden' } })) }

const keycloak = new Keycloak({ store: memoryStore }, kcConfig);

function adminOnly(token, request) { return token.hasRole(realm:${ADMIN_ROLE}); }

function isAuthenticated(token, request) { return token.hasRole(realm:${ADMIN_ROLE}) || token.hasRole(realm:${USER_ROLE}); }

app.use(session({ secret: process.env.APP_SECRET || 'BV&%R*BD66JH', resave: false, saveUninitialized: true, store: memoryStore }));

app.use( keycloak.middleware() );

...</pre></div>Setup REST endpoint and server<div id="5fc0"><pre>app.get('/public', (req, res) => { res.status(200).send({ <span class="hljs-string

Options

">'message': "This is a public enpoint which can be accessed by anonymous users", }); })

app.get('/secured', [keycloak.protect(isAuthenticated)], (req, res) => { res.status(200).send({ 'message': "This is a secured enpoint which can be accessed by any authenticated user", }); })

app.get('/secured-admin', [keycloak.protect(adminOnly)], (req, res) => { res.status(200).send({ 'message': "This is a secured enpoint which can be accessed only by any authenticated user with role admin", }); })

app.listen(PORT, (error) => { if (!error) { console.log("Server is Successfully Running, and App is listening on port " + PORT) } else { console.log("Error occurred, server can't start", error); } } );</pre></div><h2 id="a530">Update package.json scripts to run server</h2><ul><li>Update the content in the scripts section of package.json as below. It will help you run your express server in both development and production mode</li></ul><div id="6d0e"><pre> "scripts": { "start": "node app.js", "dev": "nodemon app.js" },</pre></div><ul><li>Start your express server in development mode(auto-reload on file change) using the below command</li></ul><div id="464c"><pre>npm run dev</pre></div><h1 id="1699">Testing your REST APIs</h1><h2 id="f8a6">Public Endpoint— http://localhost:3000/public</h2><ul><li>Even without an authentication token, this endpoint will fetch a response.</li></ul><figure id="74df"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*xjvkOCdQJ5VIolwBtu-TWg.png"><figcaption></figcaption></figure><h2 id="f796">Secured Endpoint — http://localhost:3000/secured</h2><ul><li>Without a token, you should get an authentication error</li></ul><figure id="ad69"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*rSANl9_J1BRma6p1UjgLPg.png"><figcaption></figcaption></figure><ul><li>Let’s set up the Authorization tab to generate a token using the Configure New Token section. You can use the values below.</li></ul><div id="3d60"><pre>Token Name - secure-express-service Grant type - Password Credentials Access Token URL - http://localhost:8080/realms/master/protocol/openid-connect/token Client ID - secure-express-service Username - user@nerdcore.com Password - Client Authentication - Send as basic auth header</pre></div><figure id="5d0e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*AEhl6BHxVPT5J6X6wKnxGg.png"><figcaption></figcaption></figure><ul><li>Click on Get New Access Token, then Proceed, then Use Token</li></ul><figure id="ea60"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*t7pdQRYhqsnhK_NDBSD19g.png"><figcaption></figcaption></figure><figure id="55e0"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*MwMrf1npagIRpGmXEfOWcw.png"><figcaption></figcaption></figure><ul><li>Now fire the /secured rest endpoint again, and you will get a successful response.</li></ul><figure id="e106"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*xsq6E7TWbMeTHXzNEQMD1Q.png"><figcaption></figcaption></figure><h2 id="97a4">Secured Admin Endpoint — http://localhost:3000/secured-admin</h2><ul><li>If you try to access the endpoint without any token — Auth error</li><li>If you try to access the endpoint with the token from [email protected] — Auth error</li><li>If you try to access the endpoint with the token from [email protected] — Success</li></ul>You can find the GitHub repository <a href="https://github.com/saurav-samantray/secure-express-service">here</a> for reference.Happy learning and happy coding!</article></body>

Using Personal Access Tokens With A GitHub Organization

ACM.478 If you are using a personal access token a GitHub organization can help you manage those tokens more securely.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Application Security | Secure Code | Github Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I wrote about setting up an organization and an enterprise in GitHub.

Set up a GitHub Organization or Enterprise

ACM.477 Add additional security to your account with an upgraded GitHub account

medium.com

Now I’m going to explain how to use personal access tokens in an organization if you are doing that. Whether or not you should be using tokens is a discussion for another day. I hope to be trying out some other options in future posts as time allows.

In order to use personal access tokens with an organization, you first have to click on personal access tokens on the left. Then you have to enroll in that functionality.

Restrict use of classic personal access tokens which are not fine grained tokens.

Click on Active Tokens in the settings menu for your organization. See the prior post for more on GitHub organizations and enterprises if you’re not familiar already.

Initially there are no tokens here and no way to create them. They need to be created by a user.

As you can see above I require an administrator to approve them when created.

Now what I can do is create a user that only has access to my test repositories not my production repositories, even if the user has access to all of them.

Click on your user on the top right of the screen.

Click Your profile in the menu.

Click on Settings.

Scroll down and click on Developer settings.

Generate a new fine-grained token.

Choose your organization.

Once you do that you can limit the permission to select repositories and actions.

I’ve written about limiting permissions in other posts.

Git, GitHub, and AWS CodeCommit Security

Stories about securing git, GitHub, and your code

medium.com

In this case, I am going to limit permissions to my test repositories only and not grant the token that is developing the code permission to access the public repositories.

Next under permissions I can specify which actions I want this token to be able to perform. Note that I was very confused once when adding repositories and failed to select any permissions and the repository never got added to my account even though there was no error message telling me I did anything wrong. Make sure you select some permissions.

There’s also a section for organization permissions which you can configure if you are allowed to perform these actions.

To develop code I only really need these actions:

The metadata action is required by default.

You may need other things depending on what functionality your organization allows, uses, and your particular responsibilities, but if you are using a token only for working with code, limit your token to that. Create a separate token with no access to edit code but that has access to do other things if required that can be used for automation.

Click Generate token.

You’ll see a token below. Make sure you copy it and save it somewhere safe as you won’t be able to see it again once you close this screen.

The best thing to do is put it in something like AWS Secrets Manager and use it from there as I’ve written about before in other Git and GitHub posts which you can read via the above link.

Return to the organization settings and click on Personal Access Tokens. Now you can see the token I just created as a user.

If I was not an administrator then an administrator would have to authorize this token before I could use it. You may want to have separate people authorizing tokens from those who can use the tokens. I always try to design security so the person granting the access is not the one using the access to help make it harder for an attacker to have access to all the things.

You can click on the token, see what access and permissions the token has, and revoke the token if needed.

Of course you might want to automate some of this token evaluation with a script so you can easily find excessive permissions or scour the logs for sensitive actions at unexpected times or from unexpected locations, for example, possibly with the help of canaries.

One of the best sources to explain what canaries are is a company that specializes in services for creating and monitoring them. I saw the founder of this company speak at BlackHat one year and was very impressed, though I haven’t used the service.

What are Canarytokens?

Canarytokens are a simple way to tripwire things. An old concept, they can be super useful (and are trivial to use) but…

help.canary.tools

Canaries have helped uncover some major breaches. Maybe a topic for another post later.

Follow for updates.

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab