paulmillr / ostio

Your open-source talks place.
http://ost.io

Implement new auth #12

Open maelp opened 12 years ago

maelp commented 12 years ago

I see that the only thing you need to authenticate to the server is the auth token, which does not change between sessions? Therefore, if someone gets the auth token he can steal a user's identity, no?

Wouldn't it be safer to use one-time session tokens that expire after a while? This would prevent 'remember session' features, however, and would possibly also prevent multiple concurrent device use (e.g. accessing the server at the same time using desktop and mobile), unless you create a kind of 'valid session tokens list' holding all the currently valid session tokens.

Are there any best practices for API design?

paulmillr commented 12 years ago

You're right: if someone gets a user's token, he'll be able to post as that user. I consider API tokens to be passwords; users shouldn't give them to random strangers.

Session tokens don't solve the security problem; they just add much more complexity.

The current way isn't very cool; I plan to make api.ost.io a real OAuth2 provider. So ost.io would be a consumer application with a token local to the app. Some imaginary application #2 would be a consumer app with a different token. The user would be able to see token action history and currently authenticated apps in his personal cabinet. I think this would solve the problems.
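The two comments above describe the same server-side design from two angles: maelp's "valid session tokens list" that lets several expiring tokens be live for one user at once, and paulmillr's per-app tokens with an action history the user can inspect and revoke. The following is an added illustration written for this thread, not code from the ostio project or either commenter. The `TokenStore`, `Session`, `FakeClock` names, the app labels and the time-to-live values are all assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    app: str            # per-app label, e.g. "ost.io-web" or "mobile" (assumed names)
    expires_at: float   # absolute time; the token is dead after this


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenStore:
    """Server-side list of currently valid session tokens.

    Each issued token is random and time-limited, and the server keeps only
    its SHA-256 digest, so a leaked copy of this table is not itself a set of
    usable credentials. One user may hold several live tokens at once (desktop
    and mobile), each revocable on its own, and every authenticated action is
    appended to a per-user history that a "personal cabinet" page could show.
    """

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}          # token digest -> Session
        self._history: List[Tuple[float, str, str, str]] = []  # (when, user, app, action)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, app: str, ttl_seconds: int) -> str:
        """Create a new token for (user, app); the plaintext is returned exactly once."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = Session(user, app, self._clock() + ttl_seconds)
        return token

    def authenticate(self, token: str) -> Optional[Session]:
        """Return the live session for a token, or None if it is unknown or expired."""
        key = self._digest(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[key]      # lazily purge expired entries
            return None
        return session

    def record_action(self, token: str, action: str) -> bool:
        """Perform an authenticated action; returns False if the token is not valid."""
        session = self.authenticate(token)
        if session is None:
            return False
        self._history.append((self._clock(), session.user, session.app, action))
        return True

    def revoke(self, token: str) -> bool:
        """Invalidate one token without touching the user's other devices."""
        return self._sessions.pop(self._digest(token), None) is not None

    def live_sessions(self, user: str) -> List[Session]:
        """Currently authenticated apps for a user (what the cabinet would list)."""
        now = self._clock()
        return [s for s in self._sessions.values() if s.user == user and s.expires_at > now]

    def history(self, user: str) -> List[Tuple[float, str, str, str]]:
        """Action history survives expiry and revocation of the token that produced it."""
        return [h for h in self._history if h[1] == user]
```

The store answers maelp's concern directly: a token stolen today stops working at `expires_at`, and the owner can revoke it earlier from the list of live sessions, while a second device simply holds a second entry in the same list. Storing only the digest means the comparison in `authenticate` is a dictionary lookup on a hash rather than a search for the plaintext.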

maelp commented 12 years ago

Cool, I'm actually trying to build a Heroku framework based on a Brunch, Chaplin & Flask stack, so I'm using parts of your brunch-with-chaplin and ost.io code as inspiration. Since I want to develop a basic but secure and functional framework, I'd be happy to work with you on the OAuth2 implementation.

paulmillr commented 12 years ago

Sure, I'll ping you when I start the new auth system.