FoalTS / foal

Full-featured Node.js framework, with no complexity. 🚀 Simple and easy to use, TypeScript-based and well-documented.
https://foalts.org/
MIT License
1.88k stars 137 forks

Remembering users? #525

Open OrkhanAlikhanov opened 4 years ago

OrkhanAlikhanov commented 4 years ago

Although the framework provides authentication and fetching the user from the database, it seems to be missing "remember me" functionality. It would be great if there were a built-in way to do this.

Laravel provides a layer called Auth for authenticating users and dealing with their state, even permission gates. Again, I am not forcing anybody to follow Laravel in every step, but there are proven benefits to their abstraction. Check out these:

https://github.com/laravel/framework/blob/5.8/src/Illuminate/Auth/
https://laravel.com/docs/5.8/authentication#remembering-users
https://laravel.com/docs/4.2/upgrade#upgrade-4.1.26

LoicPoullain commented 4 years ago

This is a valid issue. Thank you for raising it!

I'm moving this to the To-Do list.

In the meantime, it is possible to simulate a "remember me" feature that will apply to all users by extending the timeout values (for example by specifying a year as the value): https://github.com/FoalTS/foal/blob/master/docs/authentication-and-access-control/session-tokens.md#session-expiration-timeouts

scho-to commented 1 year ago

Hello @LoicPoullain,

I looked into the docs already, to think about an implementation of this feature. Currently, you can choose to set timeouts using this guide in the docs: https://foalts.org/docs/authentication-and-access-control/session-tokens#session-expiration-timeouts

So for this feature, in the process of saving the user to the session (ctx.session.setUser(user)), there needs to be another parameter, like a boolean "rememberMe". If this gets set to true, at least the "absolute timeout" needs to be set to a predefined (by config?) value.

Or do you already have another idea of how to implement such a feature?

LoicPoullain commented 1 year ago

Hi @scho-to 👋

> If this gets set to true, at least the "absolute timeout" needs to be set to a predefined (by config?) value.

This issue is more complex. One way to implement the remember me feature would be simply to increase both the idle and absolute timeouts to a value further in the future. But this involves some security concerns, as authentication tokens should have a short lifetime.

There is a big study to be done here that involves studying the OWASP recommendations and the state of the art in other web frameworks.
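To make the trade-off discussed in this thread concrete, here is an added example (not FoalTS code and not part of the issue) of the idle + absolute timeout model with a per-session "remember me" flag. Every name in it (SessionRecord, expirationReason, touch, runScenario, the DEFAULT_TIMEOUTS and REMEMBER_ME_TIMEOUTS values) is hypothetical and constructed for this illustration; the clock values are fixed constants so it runs offline. The point it shows: storing the flag on the session, rather than raising the global timeouts as in the interim workaround above, lets remembered and non-remembered sessions coexist, and the absolute timeout still caps a remembered session no matter how active it is, which is the bound a reviewer following the OWASP session-management guidance would look for.

```typescript
// Added example, not FoalTS code. Timeouts and session shape are assumptions.

interface Timeouts {
  inactivity: number; // seconds since the last request before the session expires
  absolute: number;   // seconds since creation after which it expires regardless of activity
}

interface SessionRecord {
  id: number;         // placeholder; a real store would use a CSPRNG-generated token
  userId: number;
  createdAt: number;  // unix seconds
  updatedAt: number;  // unix seconds, refreshed on every valid request
  rememberMe: boolean;
}

// Constructed policy values for this example (15 min / 1 week vs 30 days / 90 days).
const DEFAULT_TIMEOUTS: Timeouts = { inactivity: 15 * 60, absolute: 7 * 86400 };
const REMEMBER_ME_TIMEOUTS: Timeouts = { inactivity: 30 * 86400, absolute: 90 * 86400 };

let nextId = 1; // placeholder id source for the example only

export function createSession(userId: number, rememberMe: boolean, now: number): SessionRecord {
  return { id: nextId++, userId, createdAt: now, updatedAt: now, rememberMe };
}

function timeoutsFor(session: SessionRecord): Timeouts {
  return session.rememberMe ? REMEMBER_ME_TIMEOUTS : DEFAULT_TIMEOUTS;
}

/** Why the session is invalid at `now`, or null if it is still valid.
 *  The absolute check runs first: a remembered session cannot outlive it by staying active. */
export function expirationReason(session: SessionRecord, now: number): 'absolute' | 'inactivity' | null {
  const t = timeoutsFor(session);
  if (now - session.createdAt >= t.absolute) return 'absolute';
  if (now - session.updatedAt >= t.inactivity) return 'inactivity';
  return null;
}

/** Simulates an authenticated request: returns the refreshed session, or null if it expired. */
export function touch(session: SessionRecord, now: number): SessionRecord | null {
  if (expirationReason(session, now) !== null) return null;
  return { ...session, updatedAt: now };
}

/** Constructed scenario comparing a plain session with a remembered one. */
export function runScenario() {
  const t0 = 1_700_000_000; // fixed clock so the result is deterministic
  const plain = createSession(1, false, t0);
  const remembered = createSession(2, true, t0);

  // Both sessions sit idle for 16 minutes.
  const plainIdle = expirationReason(plain, t0 + 16 * 60);          // 'inactivity'
  const rememberIdle = expirationReason(remembered, t0 + 16 * 60);  // null: still valid

  // The remembered session sits idle for 31 days: its own idle limit applies.
  const rememberLongIdle = expirationReason(remembered, t0 + 31 * 86400); // 'inactivity'

  // The remembered session is used once a day; activity cannot push past the absolute cap.
  let active: SessionRecord | null = remembered;
  let lastReason: 'absolute' | 'inactivity' | null = null;
  let lastDay = 0;
  for (let day = 1; day <= 120 && active !== null; day++) {
    const now = t0 + day * 86400;
    lastReason = expirationReason(active, now);
    active = touch(active, now);
    lastDay = day;
  }

  return { plainIdle, rememberIdle, rememberLongIdle, rememberActive: lastReason, expiredOnDay: lastDay };
}
```

The `rememberMe` flag is the only per-session state the policy needs, so it could be persisted alongside the user id the way `ctx.session.setUser(user)` persists the user. Whether a long-lived session token is acceptable at all, versus a separate rotating remember-me cookie that re-creates a short session, is the study the last comment refers to; this example only shows that a remembered session still gets a hard upper bound.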