coduno / app

Single page app and main interface for Coduno
https://app.cod.uno/
Apache License 2.0

Do not save user credentials in LocalStorage #131

Open lorenzleutgeb opened 8 years ago

lorenzleutgeb commented 8 years ago

By merging this we now save the user password in LocalStorage. AFAIK we did not do that beforehand; anyway, it is way less secure: tokens expire automatically, a password does not. It is also prone to side-channel attacks on obtaining the user's password.

We should only save tokens, and we should only save them in an HTTP(S)-only cookie, that's why I implemented PUT /cookie earlier. We're stepping back in security hugely here.

CC: @victorbalan

victorbalan commented 8 years ago

We will soon have token based auth. This is used now so we can work on integrating the new backend.

victorbalan commented 8 years ago

I will do this ASAP.

lorenzleutgeb commented 8 years ago

Cool!