JasonLovesDoggo
commented
7 months ago no authproxy. we do not need an extra service
Open nyiyui opened 7 months ago
JasonLovesDoggo
commented
7 months ago no authproxy. we do not need an extra service
nyiyui
commented
7 months ago Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)
nyiyui
commented
7 months ago /cc @Trentiumz @mars-flat as client and app leads
JasonLovesDoggo
commented
7 months ago Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)
I don't trust your "secure" code.... you've printed passwords & allowed anyone to bypass all authentication on api 😨
nyiyui
commented
7 months ago That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!
JasonLovesDoggo
commented
7 months ago That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!
to anyone reading this in the future... ken is a very trustworthy and cool person!!! HIRE THEM (and me too pls I'm probably struggling and jobless.....wow look at my cool contribution history)
Currently, the app and React-based client uses the
/api/auth/tokenendpoint with a username+password pair to login the user./api/auth/tokenrelies on JWTs (pros/cons listed below), andPros to
/api/auth/token/api/auth/token:/api/auth/token, Django (web+admin), OAuth/OIDC-ish)Two ways to move forward:
Authentication Proxy Server
app and client uses a authentication proxy server (authproxy) (have to check if this is secure) with Resource-Owner Password (ROP) flow. authproxy is required to make OAuth client confidential. Pros:
Migrate to OIDC
app and client migrates to OIDC (no ROP flow) Pros: