GeekCoding101

CyberSec

Mastering Openssl Command and NSS Database Management

Greetings to all you geeks out there! It's a pleasure to have you here at geekcoding101.com! With almost 20 years immersed in the vibrant world of Linux and the security domain, I've encountered a myriad of tools and technologies that have shaped my journey. Today, I'm excited to introduce you to OpenSSL and certutil, two indispensable utilities that play pivotal roles in managing digital certificates and encryption. Whether you're safeguarding your web servers or securing communications, understanding these tools is crucial. I've distilled my insights and tips into this post, aiming to arm you with the knowledge to leverage these powerful utilities effectively. Enjoy!

Openssl

OpenSSL is an open-source software library that provides a robust, commercial-grade, full-featured toolkit for the SSL and TLS protocols, as well as a general-purpose cryptography library. It is widely used by internet servers, including the majority that implement secure web (HTTPS) connections, as well as in countless other security-sensitive applications. Here are some key aspects of OpenSSL:

Core Features

Query Information

Query a private key (checks the RSA key's consistency):
  openssl rsa -in privatekey.pem -check

Query all information in a certificate:
  openssl x509 -in certificate.pem -text -noout

Query the subject:
  openssl x509 -in certificate.pem -subject -noout

Query validity (notBefore/notAfter):
  openssl x509 -in certificate.pem -dates -noout

Query purpose:
  openssl x509 -in certificate.pem -purpose -noout

Example output (this one is a CA certificate, so only the "CA" purposes are set):
  Certificate purposes:
  SSL client : No
  SSL client CA : Yes
  SSL server : No
  SSL server CA : Yes
  Netscape SSL server : No
  Netscape SSL server CA : Yes
  S/MIME signing : No
  S/MIME signing CA : Yes
  S/MIME encryption : No
  S/MIME encryption CA : Yes
  CRL signing : No
  CRL…

April 5, 2024 · Geekcoding101
CyberSec

Unlocking Web Security: Master JWT Authentication

Introduction

JSON Web Tokens (JWTs) play a crucial role in web application security. In this blog, we walk through the concept of JWT, focusing on the different types of claims, the structure of a JWT, and the algorithms used in signatures, and finally I will implement JWT authentication from scratch in Node.js and Express.js. This is my 4th article in Auth101! It’s 2024 now! Looking forward to a wonderful year filled with cool tech updates, new tricks in cyber security, and a bunch of fun coding adventures. I can’t wait to dive into more authentication topics with you all 😃

Understanding JWT

JSON Web Tokens (JWTs) originated as a compact and self-contained way of securely transmitting information between parties as a JSON object. Defined in RFC 7519, JWTs have become a widely adopted standard in the field of web security for their simplicity and versatility. A JWT is a string comprising three parts separated by dots (.): the Base64Url-encoded header, the Base64Url-encoded payload, and the signature (also Base64Url-encoded). It typically looks like xxxxx.yyyyy.zzzzz. Let’s deep dive into the three parts: Header, Payload, and Signature.

Header

The header typically consists of the token type and the signing algorithm, such as HMAC SHA256 or RSA. For example:

  { "alg": "HS256", "typ": "JWT" }

Payload

The payload contains claims, which are statements about an entity and additional metadata. Claims are categorized into registered, public, and private claims. The latter two are for custom claims. Public claims must use collision-resistant names (registered with IANA or namespaced, for example as a URI), while private claims are simply agreed between the producer and the consumer and are therefore subject to possible collisions. In a JWT, a claim appears as a name/value pair where the name is always a string…

January 15, 2024 · Geekcoding101
CyberSec

OAuth 2.0 Authorization Code Flow

Brief Description

The OAuth 2.0 authorization code flow is a secure and widely adopted method for obtaining access tokens to access user resources on behalf of the user.

Steps

Here's a summary of the steps in the authorization code flow:

To clarify, in the authorization code flow, the authorization endpoint issues an authorization code to the client application upon user consent, not an access token directly. The client then exchanges that code for tokens at the token endpoint.

Why Doesn't the Authorization Code Flow Issue an Access Token Directly?

The OAuth 2.0 authorization code flow is designed to enhance security and minimize the risks of transmitting sensitive information, such as access tokens, through the user's browser or mobile device, where it would be exposed in redirect URLs, browser history and referrer headers. Here are some reasons why the authorization endpoint issues an authorization code instead of an access token directly:

Overall, by issuing an authorization code instead of an access token directly, the OAuth 2.0 authorization code flow improves security, reduces exposure of sensitive information, and provides a clear separation of concerns between the front channel (the user's browser) and the back channel (the client's direct call to the token endpoint).

Benefits of Authorization Code Flow

December 2, 2023 · Geekcoding101
CyberSec

OAuth 2.0 Grant Types

List of Grant Types

Below is a summary of the different grant types in OAuth 2.0, with brief descriptions and recommendations regarding their use:

Authorization Code
  Description: The most commonly used flow in OAuth 2.0. It involves the exchange of an authorization code for an access token. Suitable for server-side web applications and confidential clients.
  Recommendation: Recommended for web applications and confidential clients.

Implicit
  Description: Designed for user-agent-based clients (e.g., browser-based JavaScript applications). The access token is returned directly to the client in the redirect, without an authorization code exchange.
  Recommendation: Deprecated due to security concerns (the token is exposed in the URL fragment and browser history); browser-based clients should use the authorization code flow with PKCE instead.

Resource Owner Password Credentials
  Description: Allows the client to exchange the user's username and password for an access token directly.
  Recommendation: Generally discouraged due to its security implications and lack of federation support. Not recommended except in unavoidable legacy scenarios.

Client Credentials
  Description: Enables clients to exchange their own credentials (client ID and client secret) for an access token. Typically used for machine-to-machine communication.
  Recommendation: Recommended for machine-to-machine communication.

Refresh Token
  Description: Allows clients to request a new access token without requiring the user to re-authenticate. RFC 6749 does define grant_type=refresh_token at the token endpoint, but it is not an authorization grant in its own right: it only renews tokens first obtained through one of the flows above.
  Recommendation: Recommended for long-lived sessions and offline access.

It's important to note that while some grant types may be deprecated or discouraged due to security concerns or lack of use cases, their applicability can vary based on specific requirements and use cases. However, it's generally recommended to adhere to best practices and use the authorization code flow whenever possible for enhanced security and flexibility.

Is PKCE A Grant Type?

No, PKCE (Proof Key for Code…

November 29, 2023 · Geekcoding101
CyberSec

A Deep Dive into HTTP Basic Authentication

Introduction

In this blog post, we will dive into HTTP Basic Authentication, a method rooted in the principles outlined in RFC 7617. It’s worth noting that the RFC specification defines the use of the “Authorization” header in HTTP requests to transmit the credentials. The credentials are sent as a Base64-encoded string of the form username:password, so Base64 here is only transport encoding, not protection; Basic authentication is only safe over TLS. It also describes how servers should respond with appropriate status codes (e.g., 401 Unauthorized, together with a WWW-Authenticate: Basic challenge) when authentication fails.

Step 1: Setting Up the Node.js and TypeScript Environment

Please refer to the steps explained in our previous blog post Password Authentication In Node.Js: A Step-By-Step Guide at Step 1: Setting Up the Node.js and TypeScript Environment.

Step 2: Creating the Server

usersData.ts

In this file, we define a simulated database of users with their passwords hashed using bcrypt. Each user has a username and a password field. This file acts as our database for the sake of this example. The usage of bcrypt has already been explained in Password Authentication In Node.Js: A Step-By-Step Guide.

  interface User {
    username: string;
    password: string;
  }

  const users: User[] = [];

  export default users;

basicAuthMiddleware.ts

This file contains the basic authentication middleware. The middleware is responsible for authenticating users based on the credentials provided in the Authorization header. It uses bcrypt to compare the provided password with the hashed password stored in the usersData.ts file.

  import { Request, Response, NextFunction } from 'express';
  import { Buffer } from 'buffer';
  import bcrypt from 'bcryptjs';

  interface User {
    username: string;
    password: string;
  }

  const basicAuthMiddleware = (users: User[]) => async (req: Request, res: Response, next: NextFunction) => {
    try {
      const authHeader…

October 1, 2023 · Geekcoding101
CyberSec

Password Authentication in Node.js: A Step-by-Step Guide

Introduction

Password-based authentication remains one of the most common and widely used methods to verify user identity in online systems. It involves users providing a unique combination of a username and password to gain access to their accounts. Despite its prevalence, password-based authentication comes with security challenges, as weak or compromised passwords can lead to unauthorized access and data breaches. In this blog, I will guide you through password-based authentication from an easy to medium level, implementing password hashing in a Node.js and TypeScript environment. By the end of this hands-on tutorial, you will have a better understanding of how password-based authentication works in your applications.

Step 1: Setting Up the Node.js and TypeScript Environment

To get started, ensure you have Node.js installed on your machine. Create a new project folder and initialize it with a package.json file. Here are the steps showing what I’ve done on Mac:

  brew install npm httpie
  mkdir password-auth
  cd password-auth
  npm init -y
  npm install -g ts-node
  npm install body-parser bcryptjs express --save
  npm install @types/bcryptjs @types/express @types/body-parser --save

Setting up the programming environment is no doubt crucial, but let’s be honest, it can be a bit daunting. In my tutorials, I will try to make sure not to leave you hanging. I love providing comprehensive explanations, even for the simple tasks or commands. Let’s make this setup process a breeze together! I genuinely hope you find it helpful and that it keeps you smoothly sailing through the tutorial 🤓 Let’s walk through the above commands.

▹ 1. brew is the package manager for macOS…

July 23, 2023 · Geekcoding101
Coding Notes

A Tutorial of Angular, Karma and Jasmine

Hey! In my career, I haven't spent much time on front-end programming. However, I have now! It's been a really exciting journey learning Angular/Karma/Jasmine, and I feel like I will probably spend more time on it to gain deeper insights! Today's article is my learning journey on this; hope you will find it a great tutorial ^^

Introductions

Angular Testing Utilities

Angular is a TypeScript-based free and open-source web application framework led by the Angular Team at Google and by a community of individuals and corporations. Angular is a complete rewrite from the same team that built AngularJS. The Angular testing utilities provide a library to create a test environment for your application. Classes such as TestBed and ComponentFixture and helper functions such as async and fakeAsync are part of the @angular/core/testing package. Getting acquainted with these utilities is necessary if you want to write tests that reveal how your components interact with their own template, services, and other components.

Ref Links

Karma

Karma is a tool that lets you test your application on multiple browsers. Karma has plugins for browsers like Chrome, Firefox, Safari, and many others. But I prefer using a headless browser for testing. A headless browser lacks a GUI, and that way you can keep the test results inside your terminal.

Ref Links

Jasmine

Jasmine is a popular behavior-driven testing framework for JavaScript. With Jasmine, you can write tests that are more expressive and straightforward. Here is an example to get started:

Ref Links

Steps

Environment

New An Angular Project

The developers at Angular have made it easy…

April 7, 2022 · Geekcoding101
Coding Notes

Build and Sign RPM package and repo

Hi there! Welcome to geekcoding101.com! I have two decades of working experience on Linux. There are many things I have come across, but I want to say, building packages for Linux is something you can't avoid at all in your work or study! I have summarized the steps/tricks in this article; hope you will find it useful! Enjoy!

Create unsigned rpm

I will first demonstrate how to create an unsigned rpm.

Create Folder Structure

The first step is creating the folder structure. If you don't specify %_topdir in ~/.rpmmacros (the rpm configuration file), rpmbuild uses ~/rpmbuild by default.

Create SPEC file for unsigned rpm

Now we can work on the spec file SPECS/rpm-no-sig.spec:

Create a dummy source file for unsigned rpm

Use a dummy py file to be packed into the rpm: rpm-helper-unsigned.py:

Create a folder: mkdir <rpm-name>-<version>

For example:

Then put rpm-helper-unsigned.py under it. Then make a gz file for the folder:

You will get the file rpm-no-sig-1.0.tar.gz. Move it to the SOURCES folder. When building the rpm, rpmbuild will recognize this tarball (it is the Source0 named in the spec) and extract it automatically in the %prep stage.

Build rpm-no-sig.rpm

Run the command: rpmbuild -ba SPECS/rpm-no-sig.spec

Example:

You will get RPMS/noarch/rpm-no-sig-1.0-1.noarch.rpm

Check the digests and signature (for an unsigned rpm only the digests are verified): rpm -Kv <rpm file>

Example:

Back this rpm up somewhere else.

Create signed rpm

Create SPEC file for signed rpm

The spec file SPECS/rpm-with-sig.spec:

Create a dummy source file for signed rpm

Use a dummy py file to be packed into the rpm: rpm-helper-signed.py. You can just reuse the one above and change the print message accordingly.

Create a folder: cd ~ && mkdir <rpm-name>-<version>

Example: cd ~ && mkdir rpm-with-sig-1.0

Move rpm-helper-signed.py into the folder. Also create the gz file with the same process.

Example: You will…

January 21, 2021 · Geekcoding101
Coding Notes

Tmux Notes

Hi there! Today I'd like to share my notes about tmux! Tmux is my favorite terminal multiplexer! Several years ago I didn't give a **it for people using it! Because I thought it might consume too much of my time to customize. However, one day I was free, so I tested the water! Now I feel like I couldn't live without it in my coding environment! It's like Vim: the learning curve is steep, but once you're comfortable with it, you will become addicted to it! No more talking, let's dive into it!

Introduction

It’s tmux, a so-called terminal multiplexer. Simply speaking, tmux acts as a window manager within your terminal and allows you to create multiple windows and panes within a single terminal window. "Pre" below is the prefix key (C-b by default).

Panes

  Shortcut                               Comment
  Pre %                                  Split the pane left and right
  Pre "                                  Split the pane top and bottom
  Pre <arrow key>                        Navigate between panes
  C-d                                    Close the pane (ends the shell running in it)
  Pre : swap-pane -s <sid> -t <tid>      Swap pane sid with pane tid
  Pre z                                  Toggle the pane between full screen and normal
  Pre C-<arrow key>, Pre ⌥-<arrow key>   Resize the pane in the direction of the arrow

Windows

  Shortcut   Comment
  Pre c      Create a new window
  Pre ,      Rename the current window
  Pre x      Kill the current pane, with a confirmation prompt (Pre & kills the whole window)

Sessions

  Shortcut                     Comment
  Pre : new -s <name>          Create a new session
  Pre C-c                      Create a new session
  Pre $                        Rename the current session
  Pre s, then x on a session   Kill the selected session

Configuration

The configuration folder is ~/.tmux and the configuration file is ~/.tmux.conf.

Session Handling

Search

Plugins

I haven't explored much…

January 23, 2020 · Geekcoding101
Coding Notes

Docker Notes

Hi there! This is yet another note from me ^^ These are my notes about Docker. I've been dealing with container technologies for years, and it's a good habit to dump all of my notes here. I hope you find this useful as well.

Build Docker Image

Method 1: docker build

Using a Dockerfile is the formal way to build a docker image. We can define the base image to pull from, copy files into it, run configuration, and specify what process to start with. You know I like using Django for projects, so here comes a Dockerfile from Cookiecutter:

Method 2: docker commit

Another way is to use docker commit <container_id> <new_image_name>, which creates a new image from the current filesystem of an existing container in your local docker storage.

Export/Import

After we have docker images, we usually want to share them with others or transfer them to another place; that's where export/import are used:

Docker Registry

Environment: CentOS 7.2

Setup Docker repository

Install and enable docker-registry

Verify docker-registry service

Configure storage_path

Update the local storage path to your specific location in /etc/docker-registry.yml:

Then restart:
  systemctl restart docker-registry.service

Setup client to use the registry

Update /etc/sysconfig/docker to add --insecure-registry your_ip_or_hostname:5000 as below (this disables TLS verification for that registry, so only do it on a trusted lab network):

Push to the registry

In order to have some images to push to the registry, let's pull from docker.io first:
  docker pull centos

Please write down the IMAGE ID for the centos image. If you push it to your own registry now, you will get an error as below:

So you need to create a repo on your private registry, then try to push again. To do that, you can tag a repo on your private…

March 8, 2018 · Geekcoding101

COPYRIGHT © 2024 GeekCoding101. ALL RIGHTS RESERVED.
