Closed noredeen closed 3 years ago
I believe that we should go with option two and I have three reasons for why.
Yes, I'm leaning towards that too. That said, should we at all reauthorize with the GitHub API after a user has logged in via the web flow? Do you think it's enough to authenticate with GitHub the first time and then have our authentication system pick up from there?
Yes, I believe that it is enough. If we treat the GitHub authentication as if it were a traditional username/password authentication system (which from my understanding we are), then this single-login approach is the standard, trusted convention.
At the end of the day, if we encounter a big problem with security down the road we can always change our system.
Okay guys so we've got a bit of a dilemma with our approach to authentication. Here is the situation:
First, I'll outline how GitHub expects us to authenticate. We have 2 options with our GitHub authentication:
Also note that every authenticated user gets a maximum of 5000 requests per hour to the API.
My immediate reaction was to go with option 2 for better security (agree?). Although we are storing the user in our database, we may still need to ping the API for every request, because if we don't and the user was kicked from the organization, they would have a brief window (until we reauthenticate via the API) to access the Codeprentice site like normal. What this means is that having our own JWT workflow (separate from GitHub's) is muddy, because it needs to be synced with the status of the GitHub tokens.
But the other issue is the API rate limit. If a user keeps refreshing a page that needs authentication and does so 5000 times, they will get rate limited assuming we authenticate on page load.
So the question is: do we solely rely on the tokens from GitHub and ping their API every time we want to authenticate? Or do we introduce our own JWTs to offload some of the traffic? Are there certain critical actions that we must always immediately reauthorize/reauthenticate directly with GitHub?
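The following is an added example illustrating the hybrid design the thread is weighing (the single-login convention in the replies above and the "own JWT vs. ping GitHub every request" question in the original post). It is not Codeprentice code and nothing about the project's internals is known; it assumes a hypothetical `membership_check(login)` callback standing in for the GitHub org-membership API call, and an assumed `STALE_AFTER` policy of 300 seconds. After the GitHub web flow, the app mints its own short-lived HS256 JWT that records when membership was last confirmed; routine requests trust that claim until it goes stale, while critical actions always re-check GitHub. The `api_calls` counter makes the rate-limit trade-off visible, and the test below shows the "brief window" the post describes.

```python
"""Hybrid session design (added example, hypothetical): own JWT after GitHub login,
re-confirming org membership against GitHub only when stale or for critical actions."""
import base64
import hashlib
import hmac
import json
import time

# Assumed policy: how long a membership confirmation stays trusted for routine requests.
STALE_AFTER = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, github_login: str, checked_at: int, ttl: int = 3600) -> str:
    """Issue an HS256 JWT; org_checked_at records when GitHub last confirmed membership."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({
        "sub": github_login,
        "exp": checked_at + ttl,
        "org_checked_at": checked_at,
    }).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(secret: bytes, token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return None
    return claims


class Authorizer:
    """Decides per request whether to trust our JWT or go back to GitHub.

    membership_check(login) -> bool is a stand-in for the GitHub org-membership API call
    (hypothetical; in a real deployment this is the only thing that counts against the
    5000 requests/hour limit).
    """

    def __init__(self, secret: bytes, membership_check):
        self.secret = secret
        self.membership_check = membership_check
        self.api_calls = 0  # how many times we actually hit "GitHub"

    def authorize(self, token: str, now: int, critical: bool = False):
        """Return (allowed, token). The token may be refreshed after a successful re-check."""
        claims = verify_token(self.secret, token, now)
        if claims is None:
            return False, None
        stale = now - claims["org_checked_at"] >= STALE_AFTER
        if critical or stale:
            self.api_calls += 1
            if not self.membership_check(claims["sub"]):
                return False, None  # kicked from the org: deny immediately
            return True, mint_token(self.secret, claims["sub"], now)
        return True, token  # within the trusted window: no GitHub round trip


if __name__ == "__main__":
    members = {"alice"}  # constructed sample org roster
    auth = Authorizer(b"server-secret", lambda login: login in members)
    now = int(time.time())
    tok = mint_token(b"server-secret", "alice", now)
    print(auth.authorize(tok, now + 10))                    # trusted, no API call
    members.discard("alice")
    print(auth.authorize(tok, now + 20))                    # still allowed: the brief window
    print(auth.authorize(tok, now + 20, critical=True))     # critical action re-checks: denied
    print("GitHub calls made:", auth.api_calls)
```

The key design choice is that the window of stale access is bounded by `STALE_AFTER` and never applies to critical actions, so the two questions in the post (how much traffic to offload, and which actions must always hit GitHub) become two explicit knobs rather than an all-or-nothing decision.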