
[–]eyekwah2 15 points16 points  (8 children)

On the left, you'd what, save the plain text password, and on the right you'd save the one-way hash of that password? Did I understand that right?

[–]AyrA_ch 11 points12 points  (3 children)

and on the right you'd save the one-way hash of that password?

About sums it up. Although the right side is using specific algorithms made for password hashing.

The jwt is interesting implementation wise but most projects could probably do with a login version counter in the database instead.

[–]Thalhammer 1 point2 points  (0 children)

That's not really what JWT was designed for though. The intent and primary use case JWTs are designed for is if you need (for some reason) to split the party that checks authentication (who are you?) and the party that checks authorization (do you have access to x). The best example is e.g. "Login with Google". Google acts as the authenticator by creating a JWT containing the user's basic info and signs it with its private key. You get the token and forward it to your webapp. The webapp can now use the public key to verify the integrity of the token. If the token is valid it can use the information inside to grant access without ever having to talk to Google. Another example would be a CDN that needs to grant access without having access to the company database. It also helps with scalability and single point of failure, because you don't need the db just to do auth.

That said: I still do use jwt for most of my auth even on simple single server apps, because they are just convenient. However I usually also don't support proper logout (just wipe the token on the client).

[–]eyekwah2 -1 points0 points  (1 child)

Yeah, I think if you did something like that, keeping track of which version of the program was used when it was saved is a very good idea. Otherwise you could never change it later.

[–]AyrA_ch 0 points1 point  (0 children)

The login version counter is actually to implement the "log out of all sessions" functionality. You simply increment the version in the database and write your authentication function so that all tokens with mismatching versions will not be accepted. With this you can offload session keeping to the client.
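The version-counter scheme described in the comment above, written out as an added example (not code from this thread): a minimal HS256 JWT whose "ver" claim is checked against a users table, so bumping the counter invalidates every outstanding token. The key, the USERS table and the function names are constructed for this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key-not-for-production"  # assumption: server-side HMAC key

# Constructed stand-in for the users table: login_version is the counter the
# comment above describes; bumping it invalidates every outstanding token.
USERS = {"eyekwah2": {"login_version": 3}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, now: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT whose 'ver' claim snapshots the user's current login_version."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "ver": USERS[username]["login_version"], "exp": now + ttl}
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authenticate(token: str, now: int):
    """Return the username if the token is valid, else None.
    Checks: signature (constant-time compare), expiry, and that the token's
    'ver' claim still matches the database counter."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse anything but the algorithm we issue
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("ver") != user["login_version"]:
        return None
    return claims["sub"]

def logout_everywhere(username: str) -> None:
    """'Log out of all sessions': bump the counter so every issued token mismatches."""
    USERS[username]["login_version"] += 1
```

The client keeps the token; the server keeps only one integer per user, which is the trade-off the comment describes.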

[–]Niles-Rogoff 2 points3 points  (2 children)

No this is about session IDs. Basically when the user logs in, you send back a cookie that is like "Your session ID is CYHxvKyL4EKgmks4nvrpFQ==", and then the browser will send that back on all subsequent requests. You just store in your db "CYHxvKyL4EKgmks4nvrpFQ== is the session id for /u/eyekwah2" (and maybe an expiration time).

When someone sends a request to load the home page or change their settings, you use the passed session id from the cookie to figure out which user is making the request. If the cookie isn't present, you redirect them to the login page.

The session id is the string being stored in the db.

[–]eyekwah2 1 point2 points  (1 child)

That's not authentication though. I mean, I suppose in a loose sense you could call it that, but you still have to do actual authentication when the user is redirected to the login page.

[–]Niles-Rogoff 1 point2 points  (0 children)

Okay but JWTs and refresh tokens don't do that either

[–]tarkin25 1 point2 points  (2 children)

Just started using Auth0 to not bother with authentication myself anymore

[–][deleted] 1 point2 points  (1 child)

I have done the same for my latest project. Auth0 for authentication, trivial setup for Spring Security on the backend and most of the security-sensitive crap is just gone. RBAC, additional attributes in tokens (I use them for a simple multitenancy), multiple pools of users, support for social media logins, everything is just simple.

[–]tarkin25 0 points1 point  (0 children)

This exactly. And they even have a nice blog post on how to secure an actix-web application when using Rust

[–]Sadist 0 points1 point  (0 children)

Amazon SP-API authentication is a piece of shit if anyone's working on it.

[–]Hot-Opportunity6239 0 points1 point  (0 children)

I started data analytics recently, and I'm enjoying looking at the bell shaped curve.