Using a NoSQL database and Logins

Hi,
I am thinking of using a NoSQL database like OrientDB. My initial thinking is to access it from Wappler simply by invoking the database’s REST APIs.

That said, I’m having trouble figuring out how to manage user security, starting with the Security Provider.

In my application, I know that I will have more than one user and I don’t want to use a hardcoded list of users. This rules out configuring the security provider’s Type property as “Single” or “List”.

The only option left for the Security Provider’s Type is “Database”. But to use that option, I think that I need a Database Connection defined, and when you do that, we know that the only options presented are the Wappler-supported SQL databases.

There is no choice in the security provider to use a REST API to figure out the userid from the passed user credentials.

Is there something that I’m missing here? I’d rather not have to use a SQL database just to keep a replica of the user list just for the login, because like it or not, the NoSQL database will also want to keep that list to manage access permission to the data.

Has anybody done this before?
Any guidance or thoughts?

Many thanks in advance,

Alex

1 Like

You could use the built-in JWT signing instead of the standard security providers. Then you can define your user_id as the Subject of the JWT and verify the signature whenever a request hits the backend. You can store the JWT in a session etc.

1 Like

Many thanks!
Is there a tutorial on JWTs?
I’ve seen the acronym but have no idea of how to use them.

Alex

It’s not documented very well in the Wappler docs outside of if you want to connect something like Google. I figured it out myself with https://jwt.io/.

Re algorithm, I’d recommend going for RS256 if you are using it for logins. I’m using JWT to authenticate external API requests to my Wappler application.

If there is enough demand then I can maybe write a guide.

3 Likes
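The token flow suggested in the replies above (user id as the JWT Subject, RS256, signature checked on every request), as an added example that is not part of the thread and is not Wappler's built-in JWT feature. It uses Node's `crypto` module; the helper names `issueToken` and `verifyToken` are hypothetical and the key pair is generated in place for the demo.

```javascript
// Added example (not from the thread): RS256 JWT carrying the user id as "sub".
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Constructed demo key pair; a real app loads the private key from secret storage.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Issue a token once the credentials have been checked (e.g. against the NoSQL store).
function issueToken(userId, ttlSeconds, key = privateKey, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ sub: String(userId), iat, exp: iat + ttlSeconds }));
  // RSA key + 'sha256' gives RSASSA-PKCS1-v1_5 with SHA-256, i.e. RS256.
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`), key);
  return `${header}.${payload}.${b64u(sig)}`;
}

// Run on every request. Returns the user id, or null if the token is rejected.
function verifyToken(token, key = publicKey, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  try {
    // Pin the algorithm: the token's own header must not choose it
    // (rejects "none" and HS256-with-public-key substitutions).
    if (decode(header).alg !== 'RS256') return null;
    const ok = crypto.verify('sha256', Buffer.from(`${header}.${payload}`), key,
      Buffer.from(sig, 'base64url'));
    if (!ok) return null;
    const claims = decode(payload);
    // Require an expiry and enforce it; a token without "exp" never times out.
    if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return null;
    return typeof claims.sub === 'string' ? claims.sub : null;
  } catch {
    return null; // malformed base64url or JSON
  }
}
```

Only the server that issues tokens needs the private key; any backend that only verifies can be given the public key alone.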

Any help that you (or any other generous soul in this Forum) can provide would be really appreciated!
I looked at the jwt.io website but frankly I don’t understand most of what I’m reading and more importantly, I don’t get how any of this can replace the steps under Security Provider called Security Provider, Security Identity, Security Login, Security Logout, Security Restrict.

Many thanks,

Alex

I’ll write a guide. I wanted to start writing on Medium so that would be a good first article since I learned about that topic in depth to solve my own application problems over the last couple of days.

5 Likes

+1 :raised_hands::pray:

How we’ve done it is by calling the 3rd-party REST API to auth, then doing a security login of Wappler. So from that point forward, all other APIs are secure via the Wappler way.
In such a case we’ll just use a single user/pass combi at the Wappler security provider level, because the user auth is anyway handled via API (3rd party or another DB like OrientDB in your case).

I’ve published the first part of the JWT guide: JSON Web Tokens