Closed infinisil closed 2 years ago
I see the demo server more as extended documentation, rather than a template for production. Fixing the session issues would make it larger and less focused on illustrating proper usage of haskell-fido2.
What do you think of adding a readme.md for the demo server with a list of caveats instead?
@lykahb I think it would be valuable to have this because:
I guess regarding complexity, both the current way and the proposed way have some, but it took me a lot of time to understand the current code, and I believe it would be a lot easier to understand with the proposed way.
@Infinisil I completely agree that the current code in the demo is complex and takes a lot of time to understand. I see the current state as an awkward one between a minimal server that only illustrates the usage of the library (ignoring the rest of user management), and a ready-to-use template. It has too many other things going on to be the former, and is not solid enough to be the latter.
In my last comment I had the former case in mind. But evolving it in either direction would be an improvement. If this change simplifies it too, that'd be great!
I just took a good look at the whole problem of session storage, here are some notes:
[The challenge] MUST be randomly generated by Relying Parties in an environment they trust (e.g., on the server-side), and the returned challenge value in the client’s response MUST match what was generated.
This SHOULD be done in a fashion that does not rely upon a client’s behavior, e.g., the Relying Party SHOULD store the challenge temporarily until the operation is complete.
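The storage requirement in the quoted spec text, as an added example that is not code from haskell-fido2 or its demo server: the server generates the challenge, keeps it in its own store keyed by an opaque session id with a deadline, and consumes it exactly once when the client's response comes back, so nothing about the check depends on the client's behaviour. The `ChallengeStore` class, its `begin`/`finish` methods, the 60-second lifetime and the 32-byte challenge length are assumptions made for the illustration.

```python
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

# Assumed for illustration: an outstanding challenge is valid for at most 60 seconds.
CHALLENGE_TTL_SECONDS = 60


@dataclass
class ChallengeStore:
    """Server-side store of outstanding challenges, keyed by session id.

    Only the server writes here; the client receives the challenge bytes and
    an opaque session id and cannot influence what is stored or compared.
    """
    ttl: float = CHALLENGE_TTL_SECONDS
    _pending: dict = field(default_factory=dict)  # session_id -> (challenge, expires_at)

    def begin(self, now=None):
        """Generate a fresh random challenge and remember it until consumed or expired."""
        now = time.monotonic() if now is None else now
        session_id = secrets.token_urlsafe(32)
        challenge = os.urandom(32)  # 32 bytes assumed here; WebAuthn asks for at least 16
        self._pending[session_id] = (challenge, now + self.ttl)
        return session_id, challenge

    def finish(self, session_id, returned_challenge, now=None):
        """Check the challenge echoed in the client's response against the stored one.

        The entry is removed whether or not the check passes, so a challenge
        is usable exactly once and a captured response cannot be replayed.
        """
        now = time.monotonic() if now is None else now
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False  # unknown session, or challenge already consumed
        expected, expires_at = entry
        if now > expires_at:
            return False  # challenge expired before the operation completed
        # Constant-time comparison against the server's copy, never the client's.
        return hmac.compare_digest(expected, returned_challenge)
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a real server it is left at its default.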
Work is in progress for this to be fixed in #42
Done with above PR
As mentioned in #34, the demo server currently has some problems which make it unsuitable to copy from for an actual website server:
We can fix this by: