Closed F0urchette closed 3 years ago
Here are the observations that led me to the conclusion that personal access tokens should be used for authentication :
client_id
and client_secret
necessary for the authentication. However, the client_secret
must absolutely be kept secret and therefore cannot be stored anywhere but on a serverclient_id
and client_secret
. But this login method is not usable with users with double authentication enabled, and it is instead recommended to use the login method with personal access token.
To do this, we just need to tell the user how to create this personal access token, point him to the creation page and ask him for the key. Simply use this key in the requests to the API as an access token.Finally, the question of the user session comes up. It seems to be a problem to ask the user to enter the personal access token for each connection. It would be necessary to be able to store it somewhere (_on a secured place, therefore a server) to keep the user session alive.
So the decision is to store the token in the local storage. Here are the sources :
What are the options to store the token ?
Why local storage is unsafe ?
Why it's ok to use local storage even if it's unsafe ?
Here is the beginning of an open-source alternative to Firebase, especially with the cloud functions that is in progress : https://supabase.io/
Description
We need to see how to connect with a Gitlab account without using firebase (which is not available for this forge). To do so, we will have to use the REST API
Hints