architect-examples / arc-example-persist-data

Example persisting data with DynamoDB and .arc
https://arc.codes/guides/data

Auth code #1

Open html5cat opened 6 years ago

html5cat commented 6 years ago

Awesome sample app! Do you plan to implement the full auth flow? What are some good resources for the current best practices around serverless auth?

Thanks!

brianleroux commented 6 years ago

fyi I did start looking at this! you can send an sms with AWS SNS pretty easily…

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SNS.html#publish-property

filmaj commented 5 years ago

I found this blog post pretty helpful: Strategies for implementing user authentication in serverless applications. It describes a few different kinds of authorization flows/examples for use in serverless apps. JWT via this API Gateway + Lambda 'authorizer' thing (which will cache auth info for a preconfigured duration - perfect for session management) sounds promising, though AWS currently has a one-hour maximum session time (just fine for my purposes). Hooking in Auth0 into it sounds doable too. Here's their example repo: a-crash-course-on-serverless-auth.

Here's another blog post about setting up authorizers for API Gateway + Lambda: API Gateway Custom Authorization with Lambda, DynamoDB and CloudFormation.

One more for inspiration: Serverless Authentication with JWT

I'm going to see if I can make some of this work with this example repo.

brianleroux commented 5 years ago

JWT based sessions are fine but less secure than a signed httponly session cookie (which comes by default in Architect). We don't really support custom authorizers tho ppl ask about them. A shared module on routes you want to secure would do the same thing without putting two lambda invokes in front of every request. How you verify an identity is up to you. Any oauth flow: sign in with slack, github oauth, or custom login flows are all easy. Rather than forcing one of these solutions we give you a session and leave the identity part up to the app implementer.

One could add an identity provider with some ease like cognito, auth0 or netlify identity …but to me the integration work would not be significantly different than completely owning your account model and implementing your own flow (registration, etc).

We need to write more and better docs about doing these things rather than just saying them. Would an example app doing Sign in with Github help?

ryanblock commented 5 years ago

Follow-on for color: in doing some work building our GitHub Apps integration (which uses JWT) I was able to pretty quickly get things rolling with Architect + Lambda + jwt-simple, no authorizers necessary.

However, as a caveat, I was doing that work completely statelessly, requesting a new token with each task. This worked for our purposes because it was on relatively infrequent actions (and JWT issuance tends to be so fast), but may not be desirable at scale.

The good news is dropping a JWT into a DynamoDB table with a TTL set to the token's payload.exp should be fairly trivial.

filmaj commented 5 years ago

I'm not sure "putting two lambda invokes in front of every request" is accurate - it sounds to me like the authorizer lambda only gets invoked on the first (un-authenticated) request, after which that auth/session state is cached on AWS' end. To me that sounds like one extra lambda invoke per session, but with the bonus that that saves you from having to manage sessions completely. That sounds more efficient. What do you think? One extra lambda invoke per session, but get to turf using dynamo as session management entirely.

Also: yes a more expanded example/guide would be super helpful :D

html5cat commented 5 years ago

@brianleroux yeah, definitely an example app with GitHub login or more broadly how you'd build an auth system with email from scratch would be awesome. Permissions, data access and such is pretty similar in most apps once you figure it out.