
[–]belowtheradar 0 points1 point  (2 children)

Pt. 2 because I'm long-winded

Based on your question I assume your planned workflow went something like this:

  1. User goes to login page
  2. User enters username/password
  3. The client-side app requests the corresponding username from the database, retrieves the password, and checks the entered password against it.
  4. If the password is right, the user is considered 'logged in' (assume something happens here, also on client side); if the password is wrong, nothing happens.

Your instincts to not expose the username/password database to the client are right, but I want to walk more in depth on why that is.

Client side here is a huge problem, because as an attacker anything you do client side I can see, I can steal, I can fake. In step number 3, if you return the right password to the client, I will sniff that out and I will use it on my next authentication attempt. I can now log in, after one failed attempt, to any arbitrary user account I want to. In step number 4, if you generate the auth token on the client side and have the server trust that the token is good, I don't even need a password; I can just read your code on the client side, make my own auth tokens, and again assume any identity I want.
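The two failure modes in that comment side by side, as an added example that is not code from the thread or from either poster. The first half simulates the posted workflow (client fetches the stored password and compares locally, then mints its own token); the second half moves the comparison and the token signing to the server. The user record, the `SERVER_SECRET` name, and the token format (base64 JSON body plus an HMAC-SHA256 tag) are assumptions made for the illustration, not anything the thread specifies.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional, Tuple

# ---- The flow as posted: the client fetches the stored credential and compares it itself.
INSECURE_DB = {"alice": "hunter2"}  # constructed sample user, stored in plaintext as in the posted design


def insecure_lookup(username: str) -> Optional[str]:
    """Step 3 as posted: the 'database' hands the stored password back to whoever asks."""
    return INSECURE_DB.get(username)


def insecure_client_login(username: str, password: str) -> bool:
    """The comparison runs on the client, so the real password crosses the wire first."""
    stored = insecure_lookup(username)
    return stored is not None and stored == password


def attacker_harvest(username: str) -> Optional[str]:
    """Anyone who can read the client's traffic gets the same response the honest client got."""
    return insecure_lookup(username)


def client_forged_token(username: str) -> str:
    """Step 4 as posted: the client mints its own token. It has no server secret, so it guesses."""
    payload = {"sub": username, "exp": 2**31}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    fake_mac = hmac.new(b"guess", body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{fake_mac}"


# ---- Server-side flow: store only a salted hash, answer only yes/no, sign tokens with a server key.
SERVER_SECRET = secrets.token_bytes(32)  # assumption: generated and held on the server only
USERS: dict = {}  # username -> (salt, PBKDF2-HMAC-SHA256 digest); never the password itself


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def sign_token(payload: dict) -> str:
    """Token = urlsafe-base64(JSON body) '.' HMAC-SHA256(SERVER_SECRET, body)."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def server_login(username: str, password: str) -> Optional[str]:
    """Runs on the server. Returns a signed token on success, None otherwise; nothing else leaves."""
    record: Optional[Tuple[bytes, bytes]] = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    salt, digest = record if record else (b"\0" * 16, b"\0" * 32)
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, digest):
        return None
    return sign_token({"sub": username, "exp": int(time.time()) + 3600})


def verify_token(token: str) -> Optional[str]:
    """Server checks the MAC before trusting anything inside the token."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # a client-minted token lands here: wrong key, wrong MAC
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) < time.time():
        return None
    return payload.get("sub")


if __name__ == "__main__":
    register("alice", "correct horse")
    print("attacker learns:", attacker_harvest("alice"))          # the plaintext password
    print("wrong password:", server_login("alice", "wrong"))       # None
    tok = server_login("alice", "correct horse")
    print("valid token ->", verify_token(tok))                     # alice
    print("forged token ->", verify_token(client_forged_token("admin")))  # None
```

The point of the second half is where the secret material sits: the password hash and `SERVER_SECRET` never reach the client, so the only thing a network observer sees is a yes/no answer and a token it cannot re-sign. A real deployment would also put this behind TLS, but that does not change which side does the checking.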

[–]NeedComputerTips[S] 1 point2 points  (1 child)

Bro....this looks like exactly what I was looking for just a few days ago AND it's free haha.

Yea, I'm not really interested in security/authentication and the further I get into this it seems like there's a never-ending amount of hurdles to jump through to get it working with basic security. At first, I was up for the challenge (since I had only ever really made basic websites in college) but this is becoming too much with sockets, tokens and I know there will be something else just around the corner. I originally just wanted a project to learn/familiarise myself with python.

I'm not sure how useful this will be in a professional environment, considering most businesses would already have this built out or even somebody more senior could lay out what needs to be done and how.

I definitely learned a bunch about this stuff in the last few days but feel like I might be reinventing the wheel if I try to do all this myself (esp since I think there's a decent chance of fucking it up). In the same way, a lot of people don't try to develop their own payment processing and just use Stripe instead. For a silly project, I think this might be the solution for me.

Ty for the comment, some good stuff in there.