sirkitree opened this issue 3 years ago (status: Open)
@mralext20 has done some preliminary work around authentication here: https://github.com/mralext20/kanban#auth0-server-setup
I'm not sure how much of that is useful for this project's purpose, but worth looking over.
I'm not too familiar with doing things securely in Neos, but I have read that storing data securely is very difficult, especially if it's in a not-locked-down world.
Is there any way to verify a request as coming from a specific Neos user? I'm wondering if users can send their access credentials to the middleware in a secure context, the middleware stores the credentials associated with that particular user, and they can later be used from a non-secure world. But if there's no way to even verify which Neos user a request is coming from, that wouldn't work.
https://github.com/Frooxius/NeosPublic/issues/785 has mention of ways to do account assurance, however these are not implemented.
Currently I'm hardcoding this in the local config.js, but I think in Neos we'd want it to be passed in from Neos into a publicly running instance. This would make sure that no one needs to download this repository and run it locally, or put it up on a server themselves with their key. That also means passing the GitHub token along from Neos.
How can we do this securely?