Closed ndaidong closed 1 year ago
To answer your second bullet point, it is safe because user pairs are only stored in sessionStorage when a user is authenticated and are removed from sessionStorage when the user exits that session or signs out. Anyway, sessionStorage is specific to each website a user visits, so I don't know how someone with malicious intent would access someone's sessionStorage anyway.
@BrendanDN I understand how sessionStorage works, but the private key is very sensitive data, similar to a password in the raw. I would like to know if there is any better approach provided by Gun that I missed. If not, I may need to implement another user management system by myself with native web crypto.
@ndaidong I am afraid to say there are no other approaches provided by Gun, and a malicious attack on a user's sessionStorage would have to be extremely targeted, but I do understand it is better to be safe than sorry.
Hi everyone,

I am trying to apply this library to my project, but I have some questions as follows.

When I call `user.delete`, it says:

If so, what is the correct way to remove a user now?

`user.recall` allows the app to automatically authenticate by saving `sea.pair` into sessionStorage, which includes `priv` and `epriv`. Is this really safe for the end user? Without `recall`, the user has to enter username/password every time he/she reloads the webpage. Any alternative approach?

As my app stores the user token in localStorage, the user can close the browser, shut down the laptop at night, and resume the next morning without entering a password. How can I keep this behaviour with Gun?

Thank you.