Closed: nichtich closed 5 years ago
I added local authentication via passport-local. The users are written directly to providers.json, and bcrypt is used for hashing/salting the password. I also added a script to manage local providers and their users that allows creating/deleting providers/users (and hashes the user's password). Is this enough for this issue?
I'm not happy with supporting local users because it makes it more difficult to convince people to use ORCID, SAML, or other identity providers, but anyhow...
We don't have to advertise that to the end users. We added it for a fairly specific use case and it should stay that way.
For testing purposes and small controlled lists of accounts. Requires rate limiting and encryption of passwords. I'd use passport-local-htpasswd for simplicity because .htpasswd files are well-known and because it's made clear they are only for authentication (no additional user information).
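
As an added example (not code from this thread or from the project), one way to check the "encryption of passwords" requirement for an .htpasswd file: the JavaScript below classifies each entry by Apache's htpasswd hash formats and flags anything that is not bcrypt at an assumed minimum cost. The name auditHtpasswd, the minCost threshold and the sample entries are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): classify .htpasswd entries by Apache's hash formats.
const SCHEMES = [
  { name: "bcrypt", re: /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/ },
  { name: "apr1-md5", re: /^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$/ },
  { name: "sha1", re: /^\{SHA\}[A-Za-z0-9+/]{27}=$/ },
  { name: "crypt", re: /^[./A-Za-z0-9]{13}$/ },
];
// minCost is an assumed policy threshold, not a value from the thread.
function auditHtpasswd(text, minCost = 10) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // skip blanks and comments
    const sep = line.indexOf(":");
    if (sep <= 0) {
      // No "user:hash" separator, or an empty user name.
      findings.push({ line: i + 1, user: null, scheme: "malformed", ok: false });
      return;
    }
    const user = line.slice(0, sep);
    const hash = line.slice(sep + 1);
    let scheme = "plaintext-or-unknown";
    let ok = false;
    for (const s of SCHEMES) {
      const m = s.re.exec(hash);
      if (!m) continue;
      scheme = s.name;
      // Only bcrypt at or above the cost threshold passes; every other scheme is flagged.
      ok = s.name === "bcrypt" && Number(m[1]) >= minCost;
      break;
    }
    findings.push({ line: i + 1, user, scheme, ok });
  });
  return findings;
}

// Constructed sample file: the hash bodies are filler, not real digests.
const SAMPLE = [
  "# constructed test accounts",
  "alice:$2y$12$" + "a".repeat(53),
  "bob:$2y$04$" + "a".repeat(53),
  "carol:$apr1$saltsalt$" + "b".repeat(22),
  "dave:{SHA}" + "A".repeat(27) + "=",
  "erin:hunter2",
  "no-colon-here",
].join("\n");

for (const f of auditHtpasswd(SAMPLE)) {
  console.log(`${f.line}\t${f.user ?? "-"}\t${f.scheme}\t${f.ok ? "ok" : "FLAG"}`);
}
```

Run against a real file by passing its contents as the first argument; every line reported as FLAG is an account whose stored credential should be re-hashed with bcrypt.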