wlmac / metropolis

William Lyon Mackenzie's online hub for announcements, calendar events, clubs, and timetables
https://maclyonsden.com
GNU Affero General Public License v3.0

Switch from token-based to OIDC-ish login #249

Open nyiyui opened 10 months ago

nyiyui commented 10 months ago

Currently, the app and React-based client use the /api/auth/token endpoint with a username+password pair to log in the user. /api/auth/token relies on JWTs (pros/cons listed below), and

Pros to /api/auth/token

Two ways to move forward:

Authentication Proxy Server

app and client use an authentication proxy server (authproxy) (have to check if this is secure) with the Resource-Owner Password (ROP) flow. authproxy is required to make the OAuth client confidential. Pros:

Migrate to OIDC

app and client migrate to OIDC (no ROP flow). Pros:

JasonLovesDoggo commented 10 months ago

no authproxy. we do not need an extra service

nyiyui commented 10 months ago

Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)

nyiyui commented 10 months ago

/cc @Trentiumz @mars-flat as client and app leads

JasonLovesDoggo commented 10 months ago

> Agreed... I would've loved writing security-critical code in RISC assembly, though! (just kidding)

I don't trust your "secure" code.... you've printed passwords & allowed anyone to bypass all authentication on api 😨

nyiyui commented 10 months ago

That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!

JasonLovesDoggo commented 10 months ago

> That's true! I'm sure I've learned lessons from them, and 90% sure I won't make those mistakes again (by staying away from security code...)!

to anyone reading this in the future... ken is a very trustworthy and cool person!!! HIRE THEM (and me too pls I'm probably struggling and jobless.....wow look at my cool contribution history)