lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Feature Request]: Telegram Mini App AND Lucia Auth #1562

Closed veebull closed 2 months ago

veebull commented 2 months ago

Package

lucia

Description

Overview: I want to implement Lucia as an authentication method with only username and telegram_id. Both username and telegram_id are potentially known properties for anyone. However, it seems very convenient to utilize them within a Telegram mini-app as an authentication method since the user is already authenticated by the Telegram app. Cookies are very effective for maintaining authentication sessions.

Some Details: In the Telegram mini-app, I plan to utilize a verification hash to ensure that the web app is running within Telegram. This measure aims to protect against certain security vulnerabilities.

Implementation: The dev kit is Lucia and Drizzle. When the user opens the Telegram mini app, which is potentially a URL with a website, the bot sends telegram_id, username and temporary_hash as params. Then in the background I authenticate it via Lucia using only telegram_id and the user gets access to their data.

Concerns: I'm curious about the potential security vulnerabilities associated with this authentication method. Are there any significant risks or considerations I should be aware of?

Alternative Approach: Alternatively, should I always generate a password for every user in my database? Would this be a more secure approach compared to using username and telegram_id for authentication?
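Added example, not part of the original thread and not Lucia's own code: server-side validation of a Mini App `initData` string using Telegram's documented HMAC-SHA256 scheme, so that `telegram_id` is trusted only after the hash and `auth_date` check out. It assumes the verification hash mentioned above is the `hash` field of `initData`; the bot token, field values, `signInitData` helper and 300-second freshness window are constructed for the demo.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const { createHmac, timingSafeEqual } =
  typeof require === "function" ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const hmac = (key, msg) => createHmac("sha256", key).update(msg).digest();

// Data-check string: every field except `hash`, as key=value, sorted by key, joined with "\n".
function dataCheckString(params) {
  return [...params.entries()]
    .filter(([k]) => k !== "hash")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join("\n");
}

// Returns the verified Telegram user object, or null if initData is forged, malformed or stale.
function verifyInitData(initData, botToken, maxAgeSec = 300, nowSec = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(initData);
  const received = Buffer.from(params.get("hash") ?? "", "hex");
  const secretKey = hmac("WebAppData", botToken); // the constant string is the HMAC key
  const expected = hmac(secretKey, dataCheckString(params));
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) return null;
  // A valid signature alone can be replayed; reject old or future-dated payloads.
  const authDate = Number(params.get("auth_date"));
  if (!Number.isInteger(authDate) || nowSec - authDate > maxAgeSec || authDate > nowSec + 60) return null;
  try {
    const user = JSON.parse(params.get("user") ?? "");
    return Number.isSafeInteger(user.id) ? user : null;
  } catch {
    return null;
  }
}

// Demo only: signs fields the way Telegram would, so the example runs offline.
function signInitData(fields, botToken) {
  const params = new URLSearchParams(fields);
  params.set("hash", hmac(hmac("WebAppData", botToken), dataCheckString(params)).toString("hex"));
  return params.toString();
}

// Constructed sample values, not real credentials.
const DEMO_TOKEN = "123456:CONSTRUCTED-TOKEN-FOR-DEMO";
const DEMO_FIELDS = {
  auth_date: "1700000000",
  query_id: "AAconstructed",
  user: JSON.stringify({ id: 42, username: "alice" }),
};
console.log(verifyInitData(signInitData(DEMO_FIELDS, DEMO_TOKEN), DEMO_TOKEN, 300, 1700000100));
```

The session for a given `telegram_id` should be created only from the object this check returns, never from id or username values read directly from the URL.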

pilcrowOnPaper commented 2 months ago

I don't see how this is a feature request?