philipwilsonchang / yanb

Envelope-based budget monitoring web application

Change user authentication method from simple JWT tokens #6

Open philipwilsonchang opened 4 years ago

philipwilsonchang commented 4 years ago

Options:

philipwilsonchang commented 4 years ago

Passwordless (email) seems to be the best option for maintaining user privacy by reducing links to established social/banking accounts. Breaking into a user's account requires breaking into a user's email account. Keep emails as hashed entries in db. When user logs in, hash email and check for a match. If match, send magic email. If no match, create account and send magic email. REQUIRE CAPTCHA
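
An added sketch of the hashed-email magic-link flow described in the comment above (example code, not from the yanb project; the server-side pepper, the in-memory dicts standing in for the db, and the 15-minute token lifetime are assumptions). It goes slightly beyond the comment in two ways a defender would want: the email hash is keyed, because a plain SHA-256 of a low-entropy address is trivially guessable from the db alone, and only a hash of the login token is stored, with expiry and single use, which bounds the damage if the email is intercepted.

```python
import hashlib
import hmac
import secrets
import time

# Constructed configuration (assumed): the pepper lives outside the db, never beside the hashes.
EMAIL_PEPPER = b"server-side-secret-pepper"
TOKEN_TTL_SECONDS = 15 * 60

users = {}         # email_hash -> {"created": timestamp}      (stand-in for the users table)
login_tokens = {}  # token_hash -> {"email_hash", "expires"}   (stand-in for a tokens table)


def hash_email(email: str) -> str:
    """Keyed hash of the normalised address. Without the key, anyone holding the db
    could confirm 'is alice@example.com a user?' by hashing a guess."""
    normalised = email.strip().lower()
    return hmac.new(EMAIL_PEPPER, normalised.encode(), hashlib.sha256).hexdigest()


def request_login(email: str, captcha_ok: bool, now: float = None) -> str:
    """Look up (or create) the account by email hash and mint a single-use magic token.
    Returns the raw token that would be placed in the email; only its hash is stored."""
    if not captcha_ok:
        raise PermissionError("captcha required before any email is sent")
    now = time.time() if now is None else now
    eh = hash_email(email)
    users.setdefault(eh, {"created": now})  # same code path whether or not the user exists
    raw = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(raw.encode()).hexdigest()
    login_tokens[token_hash] = {"email_hash": eh, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def redeem(raw: str, now: float = None):
    """Validate a token from the clicked link: unknown, expired or already-used tokens fail.
    Returns the email hash to establish the session for, or None."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(raw.encode()).hexdigest()
    record = login_tokens.pop(token_hash, None)  # pop: a replayed (intercepted) link is rejected
    if record is None or now > record["expires"]:
        return None
    return record["email_hash"]
```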

philipwilsonchang commented 4 years ago

Big weakness of passwordless is the varying security of email protocols. Very possible that emails with login tokens can be intercepted by adversaries.

philipwilsonchang commented 4 years ago

Enhancing JWT authentication: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/

philipwilsonchang commented 4 years ago

Firebase: https://github.com/firebase/firebaseui-web