hoodiehq / hoodie-client

:dog: Client API for the Hoodie server
Apache License 2.0

Offline multi-user authentication #172

Open ghost opened 4 years ago

ghost commented 4 years ago

Hi all,

At the risk of asking a duplicated question, does anyone have a flow using Hoodie that allows for offline multi-user authentication?

I am developing an app that needs to allow a user in when they are offline, and I'm just wondering how best to do this?

The flow I have at the moment in my head is:

  1. A new user signs up. This will only ever work when online
  2. The new user signs into the app (still online). Hoodie does its thing and returns some token/cookie which then gets stored on the device / backend DB.

Next day

  1. The user signs into the app again. Hoodie checks the connection state, sees that we are offline, and therefore uses the saved user token and lets the user in. If no token exists, or the token is invalid, the user is denied.

My questions with this though are:

Thanks Peter

gr2m commented 4 years ago

If the user does not sign out between step 2 & 3, there should be no problem, the user remains signed in. Hoodie does store the authentication in the client, so it is persisted between page reloads.

We had ideas about allowing for offline sign-outs which would somehow securely encrypt your data. Then you could sign in again offline, which would decrypt your data. That would be great as a default anyway, because it would greatly speed up signing in, as it would not require the full data bootstrap after sign-in, only the changes since your last local sign-out.

ghost commented 4 years ago

OK cool. This makes sense to me. I've been investigating how to use services like Auth0, but they don't really seem to support authentication when the user is offline.

What do you suggest for security though? Given the username / password will technically be stored in a DB located on the client (I wish I could do it another way), as well as the data, are there Node.js plugins that encrypt/decrypt data in a PouchDB/CouchDB?

gr2m commented 4 years ago

Password is never stored, only a hash, and only in the database. In the browser we only store the session ID.

There is something called crypto couch or similar, but I haven’t worked with it myself.

ghost commented 4 years ago

That's great. Is it just SHA-256, or does Hoodie employ something like PBKDF2?

Just trying to decide if I just let Hoodie be awesome, or if I write a plugin to implement a stronger salt + hash algorithm.

My app will be storing medical records, so I want to make it as strong as possible for authentication, and implement some sort of DB encryption.

thanks for your help

gr2m commented 4 years ago

Hoodie delegates authentication to CouchDB; it uses PBKDF2 by default, if I recall correctly.