search

panictriggers / scolix-web

Scolix REST API
GNU Affero General Public License v3.0
1 stars 0 forks source link

How do we want to manage authentication and sessions? #1

Open J0eppp opened 3 years ago

J0eppp commented 3 years ago

How do we want to manage authentication and sessions?

Authentication

We have our own authentication system

People can log in on our site with their username/email and password and everything is stored in our database.

Pros

  1. Everything follows our privacy policy.
  2. We do not depend on another service.

Cons

  1. We have to manage the security by ourselves but we are no professionals

We use (an)other service(s) in order to authenticate users.

We use the ouath2 protocol and another service (or multiple services) like Google in order to authenticate users.

Pros

  1. We just have to use an oauth2 library and we are good to go.
  2. They have to manage the security issues because it is their service.
  3. They are better at security than we are.

Cons

  1. The service we would be using might have a difference privacy policy than we do which is not wanted.
  2. We depend on another service or multiple services.

Suggestions??

Sessions

Where do we want to store the session token?

Cookie

Store the session token in a cookie.

Pros

  1. You can add an "expires" property to a cookie which makes sure the cookie is not used after the session expired.

Cons

Does this have any cons over the other methods?

LocalStorage

Store the session token in the localstorage of the browser.

Pros

Does this have any pros over the other methods?

Cons

  1. This might not be supported in some very old browsers.
  2. localStorage does not support an "expires" property like a cookie does (see Cookie -> pros -> 1), however you can implement a workaround.

Suggestions??

J0eppp commented 3 years ago

@hugopilot suggestions?

showengineer commented 3 years ago

I'd say allow both. Some organizations like to sync accounts with certain services (like Active Directory, etc)

So that would mean allowing people to 'link' their account to a certain service.

J0eppp commented 3 years ago

I'd say allow both. Some organizations like to sync accounts with certain services (like Active Directory, etc)

So that would mean allowing people to 'link' their account to a certain service.

So the main way of logging in would be through our system, but they are able to link their account to let's say their Microsoft (school) account etc.?

J0eppp commented 3 years ago

Sessions

Sign session tokens using JWT? How long should a session last? 24 hours seems too long, 1 hour might be a little bit short, maybe 6 hours? And reset the timer every time the user loads a page? @hugopilot

showengineer commented 3 years ago

I'd say allow both. Some organizations like to sync accounts with certain services (like Active Directory, etc) So that would mean allowing people to 'link' their account to a certain service.

So the main way of logging in would be through our system, but they are able to link their account to let's say their Microsoft (school) account etc.?

Correct