Thank you for implementing 2FA. When verifying TOTP, if the email and code match, it generates an access token without requiring the password. It utilizes the User object to generate the Authentication Object. This means that with just the endpoint, email, and code (excluding the password), an accessToken can be generated, which may not be the intended behavior.
I like this man. He is good and speaks very well in English and in French. Proud to discover your RUclips channel
Glad you liked it!
Could you please make a detailed video on how to solve cross-origin issues? It would be great to cover the cause of these issues, how CORS works, and practical solutions like configuring headers in the backend. Thanks!
As a software engineer here in Seattle, Washington, after teaching myself coding for two years, I can tell you are doing an amazing job.
I will just purchase your course to update my skills.
Thanks a lot
Glad you liked it!
Thank you for serving the community. I have found this channel up to the mark with good explanations.
This is a good tutorial. Thank you and I wish you more success.
Man, with this video series of yours (especially Spring Security & JWT, JWT Logout and this one), you literally saved my end of retraining course exam! I'm changing careers from Sound Engineer to Software Engineer, and you did such a good job explaining abstract concepts that I now see clearer and feel more confident talking about my app's security during the exam! Thank you a lot again, and I'll stick around for the next videos 😉
Take care 😃
I'm really happy to know that.
Wish you all the best
A 1000000% request for the CORS-related video, it's most required and it'll definitely be a great video. Respect from India sir. Thanks for this video. 😊😊
Happy you liked it!
Sure, soon
First. Thank u for an amazing tutorial
You're welcome 😊
In Angular, when you use providedIn: 'root' in the service's metadata, you don't need to explicitly add the service to the providers array of the AppModule :)
The HttpClient service is not provided in root
I already explained that in the angular course.
Go and check it 😉
Sir, please make a video on Spring Security with Okta.
Check the Keycloak video
Solid video! Thank you so much for the free content, it's much appreciated!
You’re very welcome
Amazing idea as always.
Would be best to add refresh token and logout with Angular project.
Great suggestion!
@@BoualiAli any plan to have this video? Waiting for this to complete the whole authentication and authorization 😊
Solid content and straight forward as usual.
Thank you Alibou!
Happy you liked it!
Exactly what I was looking for, thank you!
Glad I could help!
Quality material✨ Thank you for your hard work!🙇♀
Thank you too!
Happy you liked it!
Amazing video as always ✨✨✨✨ This was very informative and comprehensive.
Could you please do a video on social media authentication with Spring Boot and a front-end framework like Angular? I think that would be awesome !!
Coming soon!
Thank you very much! Can you please make videos on how to deploy a Spring Boot application, Angular, with a database like MySQL,... on AWS or Azure? I would really, really, really appreciate it! Thank you very much!
I’m already working on it
It will be released soon
Hello, I would like to point out that in the frontend we didn't specify a role nor did we set it to user by default. I may be wrong though. Anyways, another amazing video in an amazing playlist that literally saved my life.
That's true, I just didn't want to spend time on that since it is so simple to setup
Thank you for your hard work and kindness , Ali
I kinda do have a question: the verificationRequest takes in two inputs (email and code), but I see you passed only the code when asked to verify
Let me check
@@BoualiAli I only asked because I used React for my frontend. I figured out a way around it, thanks 🙏🏾
As always u are the best bro 🙏🙌
You are the best ❤️
This is great content. Thank you
Good Job Ali as usually 👍👌
Happy you liked it !
Hello, good video.
Question, what theme do you use in intellij?
the default theme
Lovely tutorial Sir.👏👏
So nice of you
Is this playlist a single sign-on authentication or not?
Hello Mr Ali nice content as always please include the part of oauth2 along with this code of jwt, it’s a sincere request will be waiting for that
Thanks
I prepared it, I just need to record it 😅
I'm trying to manage my time for recording videos as much as possible
Wonderful you're the best sir
Your videos are very good. With what application do you record the cell phone and project it to the computer? Could you log in with LDAP?
It is the default app in the iPhone
Can you make a video about changing the password for the currently logged-in user and forgot-password functionality 🙏
Coming soon.
Amazing video, Thanks
Glad you liked it!
thank you king 👑
My pleasure 😇
This is KGF, #Gold_Mines for #Spring Security JWT with Spring Boot !!
Glad you liked it!
Where can I get the code for Spring Security where both users are not admin? E.g., you are creating a Doctor and Patient app. Each person logs in depending on their role. No admin creates any of them
I would like to know how we can test a Service method in a unit test.
Use mocks
Hi, how do you develop roles/permissions on paper (link), and why hard-coded and not in the DB?
Thanks, good video .
Happy you liked it!
Good evening Mr Ali, will you make more courses in French?
No :(
On Udemy I sometimes make courses in French
@@BoualiAli thanks :)
Great, thank you.
Glad it was helpful!
I have a doubt. Like if an attacker somehow hacks the Gmail and password of any user. Then the attacker can also scan the QR code through his/her authenticator app like a normal user, right?
If your email is hacked, do you still care about one application among all the lost data, passwords, bank cards…
the best
Implement OAuth with Angular plus Spring Boot, sir
Sure, good idea
Waiting for logout and refresh token, I've been stuck on it for like 2 or 3 days.
When logging out I don't have to update the status of expired and revoked, I just remove it in the user's local storage but not in the database. Hope you make another video to address all my confusion
Already implemented. Check the playlist
@@BoualiAli I mean how to handle the refresh-token request in the front-end
Can you please do the same thing in React?
Sure, I will ASAP
a lot of thanks :)
Happy you liked it!
@Bouali. Please help us with a password reset tutorial 😭😭
I will do that for sure
@@BoualiAli with JWT and using a mail API please
How do I modify the code to force the user to always use two-factor authentication?
Just set it to true
Please show me where exactly @@BoualiAli
The Library Not Secure : Cx8fd408ac-dd80 8.1 Inclusion of Functionality from Untrusted Control Sphere vulnerability pending CVSS allocation
I will check it and update the code
Any update
Did you update it?
I have a problem: the token stored locally in Angular is not the same token given by Spring Boot, so I can't execute methods for either admin or user
Can you please make a video on how to consume the methods from Spring in Angular with the authorities and all that?
Already done. Check the Angular video
@@BoualiAli thank you
@@BoualiAli I have another problem: when I register with 2FA I can't execute admin methods, I guess the problem is here:
    // Registration path from the video: an MFA user gets a fresh TOTP secret ...
    if (request.isMfaEnabled()) {
        user.setSecret(tfaService.generateNewSecret());
    }
    var savedUser = repository.save(user);
    var jwtToken = jwtService.generateToken(user);
    var refreshToken = jwtService.generateRefreshToken(user);
    saveUserToken(savedUser, jwtToken);
    // ... and a QR code, but deliberately no tokens until the code is verified
    return AuthenticationResponse.builder()
            .secretImageUri(tfaService.generateQrCodeImageUri(user.getSecret()))
            .accessToken("") // here
            .refreshToken("") // here
            .mfaEnabled(user.isMfaEnabled())
            .build();
I can't update; it needs the admin role: it works on Spring Boot but it doesn't work on Angular
com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Cannot construct instance of `org.springframework.security.core.GrantedAuthority` (no Creators, like default constructor, exist): abstract types either need to be mapped to concrete types, have custom deserializer, or contain additional type information
at [Source: (org.springframework.util.StreamUtils$NonClosingInputStream); line: 1, column: 403] (through reference chain: com.example.project_test.Entities.Etudiant["authorities"]->java.util.ArrayList[11])
Always BadCredentialsException in register after scanning the QR code and entering the code!
Start a debug session and you will find out.
I got it. The problem was with the date/time on my computer (Tomcat server).
Getting the same error... How did you solve it?
Check your clock on the server, or the date/time on the cellphone @@shreyanssethia7368
My code and secret are always giving false but everything is correct. Is it the problem you mention? How do I correct it?
Sir, my QR image is not showing
post your error
Is this stateless?
Yes
🙌🙌🙌🙌🙌
✌️
I am building a free application to help senior high school students or anyone thinking about returning to school to choose a major based on real-life experiences shared by others, in addition to their degree.
People will share experiences about their degree and professional career to help others make informed decisions.
I am not sure if people will want to download the app for two-factor authentication.
I think they will probably prefer an email sent to their email address so that they can be verified that way.
How can I go about implementing it, sir?
Hey, I guess the SMS way is more friendly
This approach has one fundamental logical error. This is one-factor authentication because someone who has access to the phone with the Auth App can get a token via the request "/verify", completely omitting "/authenticate", for example through the Postman application (the password is not checked in "/verify"). You should add a field "code" to the AuthenticationRequest class, and if the user doesn't provide it (it's null) and has 2FA enabled, then return information that he needs to provide the code; if he sends another request with the correct user, password and code, then we return the access token.
Apart from that, the concept was nicely presented and it was good to watch. Good luck
Would you give your phone to anyone?
Would you leave it without a passcode?
@@BoualiAli This isn't about that. It's just not 2FA if you can authenticate and get token with just the code from your phone and no password. Other than that, it's a really nice guide. Don't take it personal :)
@@BoualiAli He is right. I checked this video because I made a similar mistake in my app and wanted to see how people solve it with JWT. The answer is you need two JWTs - one for the state "logged in with password, has not logged in with QR", and another for the state "logged in with QR". The '/verify' endpoint needs only to be accessible by those with at least the former state
@@pjoter93 I'm curious as to what solution you think would fit this problem?
@@lightyear3429 In my first comment I described how I did it in my case :) and it's working great. In my app you can't turn on 2FA on register, only after login, in settings, like in Facebook.
Worst video I have ever seen
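The fix proposed in the comment above (password always verified, TOTP code carried as an optional field on the same request) together with the "password verified, code pending" state from the two-JWT reply, as an added example that is not code from the video or its repository. AuthenticationRequest (with a new optional "code" field), AuthenticationResponse, User, UserRepository, JwtService and a TwoFactorAuthenticationService with isOtpValid(secret, code) are assumed project types and methods.

```java
// Added example, not the video's or its repository's code. AuthenticationRequest (with a new
// optional "code" field), AuthenticationResponse, User, UserRepository, JwtService and
// TwoFactorAuthenticationService.isOtpValid(secret, code) are assumed project types/methods.
import lombok.RequiredArgsConstructor;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.stereotype.Service;

@Service
@RequiredArgsConstructor
public class AuthenticationService {

    private final AuthenticationManager authenticationManager;
    private final UserRepository repository;
    private final JwtService jwtService;
    private final TwoFactorAuthenticationService tfaService;

    // Single login entry point: the password is always checked first, so a TOTP code
    // on its own can never produce a token (no separate /verify shortcut).
    public AuthenticationResponse authenticate(AuthenticationRequest request) {
        // Factor 1: Spring Security throws AuthenticationException on a wrong password
        authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(request.getEmail(), request.getPassword()));
        User user = repository.findByEmail(request.getEmail()).orElseThrow();

        if (user.isMfaEnabled()) {
            String code = request.getCode();
            if (code == null || code.isBlank()) {
                // Password correct but second factor missing: tell the client, issue no tokens
                return AuthenticationResponse.builder()
                        .mfaEnabled(true)
                        .accessToken("")
                        .refreshToken("")
                        .build();
            }
            // Factor 2: check the TOTP against the secret stored for this user
            if (!tfaService.isOtpValid(user.getSecret(), code)) {
                throw new BadCredentialsException("Invalid two-factor code");
            }
        }

        // Password (and, when enabled, the code) verified: now issue the tokens
        return AuthenticationResponse.builder()
                .accessToken(jwtService.generateToken(user))
                .refreshToken(jwtService.generateRefreshToken(user))
                .mfaEnabled(user.isMfaEnabled())
                .build();
    }
}
```

With this in place, the standalone /verify endpoint that issues tokens from email plus code alone must be removed, or restricted to callers holding the intermediate "password verified, code pending" token described in the reply above; otherwise the bypass remains.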
Here is the solution:
1- Unsubscribe
2- Go learn from somewhere else, you are not welcome here