Closed. RootCubed closed this issue 4 years ago.
Instead of making API requests with the credentials of the user, I could just verify that the credentials are correct, but keep grabbing data with my own ones. This would minimize the possibility of being able to access the user's credentials, because they would never be saved. The disadvantage is that if the service becomes used a lot, it could be classified as abusing the API since all the requests are coming from my account, not from the people actually using it...
Currently, only one API token per user exists. If I want multiple devices to be able to log in at the same time, I'd either have to extend this to multiple API tokens, or give out the existing one multiple times.
I believe the authentication process is secure enough for the moment. The passwords are used for one request only, to see if they can log in, after which the password is discarded. I will close this issue now and open another one for filtering out personalizing information from /timetable and /resources.

This would include:

- Viewing images of people
- Viewing class lists (includes seeing instrumental lessons in the timetable)
- Filter out personalizing information from /getClass/
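The two design points raised above (checking the user's password against the upstream service once and never storing it, and supporting several devices per user with separate API tokens) can be combined in a small token store. The following is an added illustration, not code from this project: it assumes a hypothetical `upstream_check(username, password)` callable standing in for the real login request, keeps only a SHA-256 digest of each issued token so a database leak does not expose usable tokens, and lets a single device be revoked without logging out the user's other devices.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def _digest(token: str) -> str:
    # Tokens are stored only as SHA-256 digests. The plaintext is handed to
    # the device once; a leaked table yields no token that could be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    user_id: str
    device_label: str
    revoked: bool = False


@dataclass
class TokenStore:
    # Constructed in-memory stand-in for a database table: digest -> record.
    records: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, user_id: str, device_label: str) -> str:
        """Create a fresh per-device token and return its plaintext once."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.records[_digest(token)] = TokenRecord(user_id, device_label)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user id for a live token, or None if unknown/revoked."""
        rec = self.records.get(_digest(token))
        if rec is None or rec.revoked:
            return None
        return rec.user_id

    def revoke(self, token: str) -> bool:
        """Log out one device only; other devices of the user stay valid."""
        rec = self.records.get(_digest(token))
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True

    def revoke_all(self, user_id: str) -> int:
        """Log the user out everywhere (e.g. after a password change)."""
        count = 0
        for rec in self.records.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def active_devices(self, user_id: str) -> List[str]:
        return [r.device_label for r in self.records.values()
                if r.user_id == user_id and not r.revoked]


def login(store: TokenStore,
          upstream_check: Callable[[str, str], bool],
          username: str, password: str, device_label: str) -> Optional[str]:
    """Verify the password once against the upstream service (hypothetical
    callable), then issue a device token. The password is never stored."""
    if not upstream_check(username, password):
        return None
    return store.issue(username, device_label)


if __name__ == "__main__":
    # Constructed stand-in for the real upstream login check.
    def fake_upstream(u: str, p: str) -> bool:
        return (u, p) == ("alice", "correct horse battery staple")

    s = TokenStore()
    phone = login(s, fake_upstream, "alice", "correct horse battery staple", "phone")
    laptop = login(s, fake_upstream, "alice", "correct horse battery staple", "laptop")
    print("phone ok:", s.authenticate(phone) == "alice")
    s.revoke(phone)
    print("phone after revoke:", s.authenticate(phone))
    print("laptop still ok:", s.authenticate(laptop) == "alice")
    print("active devices:", s.active_devices("alice"))
```

The digest lookup means the table never holds anything that can be presented to the API; a stolen row would have to be inverted through SHA-256 to be useful. Per-device records are what make "revoke this phone" possible without forcing every other device to log in again.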
- [x] Figure out a way to store students' passwords securely
- [x] Finalize the login form
- [x] Create login API
- [x] Secure existing endpoints
- [x] Make sure that everything is as secure as possible