SimplQ / simplQ-backend

SimplQ backend, written in Java for AWS
https://simplq.me
GNU General Public License v3.0

[Security] Implement Authentication #13

Open daltonfury42 opened 4 years ago

daltonfury42 commented 4 years ago

In the current system, anyone with queueID can become the admin. For example, anyone with the queueID can send requests to the backend directly, and say, remove people from the queue.

The real issue here is that we don't authenticate users. The proper solution to this is to implement authentication.

daltonfury42 commented 4 years ago

Some updates:

The aim is to sign up users anonymously when they first visit the site. This happens in the background. I am just exploring how Cognito can help us with auth.

Client Side

Currently, on first visit, a userId and tempKey are generated and stored in the local storage. These are used to create an account for the user in the Cognito User Pool.

We also log in using the key and id, and then send a JWT token along with each request to the backend.

The changes are done and working on my local; some AWS-related setup to deploy this to the dev UI is pending.

Backend Side

The backend can use the token to identify the user. So as a next step, the user id of all queues (and queue joining) can be stored in the db.

This would enable us to list all queues that a person has created.

Concerns

We are still vulnerable to MITM. Have to look more into this. https://stackoverflow.com/questions/34259248

daltonfury42 commented 4 years ago

Progress: UI directly connects to Cognito and gets a JWT, which it sends with all requests. At the backend, the token is verified, and the userId is extracted and stored in the DB against each queue/token created, in the field ownerId.

Half the endpoints are secured; I just have to verify and add checks to the remaining endpoints, mostly on the token side. For example, when removing a token, we have to throw Access Denied unless the user who requested it is the token creator or the queue creator.

daltonfury42 commented 4 years ago

https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/

The article says not to use the access_token for authentication. And we are doing that. 🤔

@nirmalkv

daltonfury42 commented 4 years ago

Confused... Have to figure it out...

https://auth0.com/docs/protocols/oidc#access-tokens

daltonfury42 commented 4 years ago

As per discussion with @thehamzarocks, we need to anyway use the client ID token and not the access token here: https://github.com/SimplQ/simplQ-frontend/blob/master/simplq/src/services/auth.js#L6

thehamzarocks commented 4 years ago

Yes. In addition, we should also check that the aud of the token matches the client id being used.

daltonfury42 commented 4 years ago

@thehamzarocks So you are using Google sign-on directly in Brainylog. We want the user to use the app for as long as he wants without getting the user to log in. Is this possible...?
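The backend-side checks discussed in this thread (verify the Cognito ID token's signature, check that `aud` matches the app client id, and throw Access Denied unless the requester is the token creator or the queue creator), as an added example that is not SimplQ's own code. It assumes the auth0 `java-jwt` and `jwks-rsa` libraries, and the region, user pool id and app client id are placeholders.

```java
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public class CognitoAuth {
    // Placeholders: fill in the user pool's region/id and the app client id.
    private static final String ISSUER = "https://cognito-idp.REGION.amazonaws.com/USER_POOL_ID";
    private static final String CLIENT_ID = "APP_CLIENT_ID";
    private final JWTVerifier verifier;

    public CognitoAuth() throws Exception {
        // Cognito publishes its signing keys at <issuer>/.well-known/jwks.json; cache them by kid.
        JwkProvider jwks = new JwkProviderBuilder(new URL(ISSUER + "/.well-known/jwks.json"))
                .cached(10, 24, TimeUnit.HOURS).build();
        RSAKeyProvider keys = new RSAKeyProvider() {
            public RSAPublicKey getPublicKeyById(String kid) {
                try { return (RSAPublicKey) jwks.get(kid).getPublicKey(); }
                catch (Exception e) { throw new IllegalStateException("unknown kid: " + kid, e); }
            }
            public RSAPrivateKey getPrivateKey() { return null; } // verify only, never sign
            public String getPrivateKeyId() { return null; }
        };
        verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer(ISSUER)            // token was issued by our user pool
                .withAudience(CLIENT_ID)       // aud must equal the client id the UI uses
                .withClaim("token_use", "id")  // ID token, not an access token (which has no aud)
                .build();                      // exp is checked by default
    }

    /** Returns the Cognito user id (sub) for a valid ID token, else throws. */
    public String userIdFrom(String bearerToken) throws JWTVerificationException {
        return verifier.verify(bearerToken).getSubject();
    }

    /** Rule for removing a token: only its creator or the queue's owner may do it. */
    public static void checkCanRemoveToken(String requesterId, String tokenOwnerId, String queueOwnerId) {
        if (!requesterId.equals(tokenOwnerId) && !requesterId.equals(queueOwnerId)) {
            throw new SecurityException("Access Denied");
        }
    }
}
```

The ownerId stored against each queue and token is what `checkCanRemoveToken` compares against; `userIdFrom` must be the only way a request handler learns the caller's id.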