Token-Based Authentication #28

Closed
opened 2020-09-17 23:42:35 +02:00 by delvh · 1 comment

At the current point, people who have access to run configurations are the only ones who can automatically log in.
While you could write your own Bash function that supplies the command line arguments, most users will not know about that option yet.
So, we need a mechanism so that even normal humans can log in without always having to see the login scene.

delvh added this to the v0.2-beta milestone 2020-09-17 23:42:35 +02:00
delvh added the client label 2020-09-17 23:42:35 +02:00

Obviously, we can't just save the user's login credentials somewhere on his machine. The current autologin mechanism through the config is just a utility for developers, because passing a password to an application as a command-line parameter is highly insecure.

Instead, the server could generate an authentication token after a successful login, which can then be used to log in that user for a certain amount of time. On subsequent logins, the client can send just the token, which can be stored on the user's machine.

While this is the standard way of persisting a user's authentication on a machine, we might get a problem with local database encryption, as the password might not be entered on application startup and the token is saved unencrypted.

Once this is implemented, we can ditch the current autologin mechanism, as token-based authentication can also be used during development.

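The server side of the token scheme sketched in the comment above, as an added example that is not part of this issue or of the project's code base: the server issues a random, time-limited token after a successful password check, stores only a hash of it (so a leaked server table cannot be replayed), and rejects or drops expired tokens. The function names, the in-memory table and the one-week lifetime are assumptions for illustration; the comment's concern about the client storing the token unencrypted is not addressed here.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed lifetime: how long a token stays valid after issuance (seconds).
TOKEN_LIFETIME = 7 * 24 * 3600

# Constructed in-memory store: token hash -> (user id, expiry timestamp).
# A real server would keep this in its database.
_tokens: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    # Only the hash is stored; verification re-hashes the presented token.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Call only after the password check succeeded; returns the token the client stores."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    _tokens[_digest(token)] = (user_id, now + TOKEN_LIFETIME)
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a valid, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _tokens.get(key)
    if entry is None:
        return None
    user_id, expires = entry
    if now >= expires:
        del _tokens[key]  # expired: remove it so it can never be reused
        return None
    return user_id


def revoke_token(token: str) -> bool:
    """Invalidate a token on logout; returns whether it was known."""
    return _tokens.pop(_digest(token), None) is not None
```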
kske added the L and server labels 2020-09-18 08:50:53 +02:00
kske added a new dependency 2020-09-18 08:55:13 +02:00
kske changed title from Autologin mechanism to Token-Based Authentication 2020-09-18 09:58:51 +02:00
kske self-assigned this 2020-09-18 09:58:56 +02:00
kske started working 2020-09-18 09:59:02 +02:00
kske stopped working 2020-09-18 10:28:23 +02:00
29min 21s
kske removed a dependency 2020-09-19 13:55:57 +02:00
kske closed this issue 2020-09-19 14:31:02 +02:00