commons-app / apps-android-commons

The Wikimedia Commons Android app allows users to upload pictures from their Android phone/tablet to Wikimedia Commons
https://commons-app.github.io/
Apache License 2.0

Add Authentication to Leaderboard Avatar Update #3895

Open madhurgupta10 opened 4 years ago

madhurgupta10 commented 4 years ago

Summary: Add Authentication to Leaderboard Avatar Update

sivaraam commented 4 years ago

This sounds curious. It would be nice if the description could be elaborated to add what exactly is going to be added 🙂

madhurgupta10 commented 4 years ago

@sivaraam @misaochan We realised that there is a need to authenticate the user when a certain operation like update avatar is performed. Currently, there is no authentication and anyone can spam the API and change the avatars of any user.

We can't use Wikimedia Account authentication since it needs a username and password combo.

So the best method would be to generate a JWT using a secret key (only available to admins) locally for the user whose session is active on the app, and instead of sending the username we can send the token and the API will decode it to get the username.

sivaraam commented 4 years ago

Ok. IIUC, you're about to add authentication to the API to avoid bogus updates done outside the app. That sounds nice. I do have a doubt:

> We can't use Wikimedia Account authentication since it needs a username and password combo.

I'm not really sure but wouldn't OAuth authentication help us here?

> So the best method would be to generate a JWT using a secret key (only available to admins) locally for the user who's session is active on the app and instead of sending the username we can send the token and API will decode it to get the username.

Is this process transparent? IOW, would the user have to generate the token manually or would it be done automatically? If done automatically, how would the secret key be kept secret?

madhurgupta10 commented 4 years ago

@sivaraam

> I'm not really sure but wouldn't OAuth authentication help us here?

I am not sure, I read the docs on Wikimedia Authentication and we can't use it for this use case. If you have any idea on the implementation using Wikimedia auth do let me know.

> Is this process transparent? IOW, would the user have to generate the token manually or would it be done automatically? If done automatically, how would the secret key be kept secret?

The way I plan to implement it is: we have a JWT token generated with the username as the payload in it, and we sign this token with a secret. On the app side, we generate this token automatically when the task is performed; the app will use the secret (kept in a config file, only available to admin).

On the server side, this secret is inside the environment config file and we use it to decode and verify the token and thus verify the user.

misaochan commented 3 years ago

AFAIK we are not able to use OAuth. See https://phabricator.wikimedia.org/T179519