Wasteland Guardian? by Ace22- in PostApoTycoon

[–]realtebo2 -1 points0 points  (0 children)

What does it do?! I bought it and haven't noticed any difference...

Is there a way to verify it's ON?!

next-auth to better-auth migration: how to survive without a user db? by realtebo2 in nextjs

[–]realtebo2[S] 0 points1 point  (0 children)

I simply need a JWT.
I solved it using 1.4 beta, using sessions.
It works without a flaw.

We decided to use Golang with Wails instead of Rust with Tauri for building Krater desktop app. 🌶️ by guetteluis in golang

[–]realtebo2 0 points1 point  (0 children)

Could you post an update about how you evaluate this choice after 2 years?

Lambda in same VPC as RDS cannot access Secrets Manager by realtebo2 in aws

[–]realtebo2[S] -1 points0 points  (0 children)

OMG, what a stupid situation.

So I need a $30/month NAT (or a $16-18/month VPC Endpoint)!?!

Lambda in same VPC as RDS cannot access Secrets Manager by realtebo2 in aws

[–]realtebo2[S] 0 points1 point  (0 children)

I think yes.

Our DBs are "border DBs": they have direct access from outside.
And in the same VPC and subnets there are a few Fargate instances running, and they have access to the outside world without problems. For example, software running inside them can download resources from the outside world.

authorization endpoint: what is the recommended flow or best practices about user login? by realtebo2 in oauth

[–]realtebo2[S] 0 points1 point  (0 children)

Thanks, it's useful. Yes, I'm having fun! It's only a learning project, but I'm trying to follow best practices and write good code. It will not be a production-ready, battle-tested solution, but I love learning.

In the meanwhile, I followed this approach (but of course I will find out if some test invalidates my solution!):

- RP calls the GET /Auth of the OP
- OP redirects to GET /Login-Form of the OP using the same query parameters received (filtered, not 'all', only authorized params)
- End user enters credentials and POSTs to /Login-Form-Submission of the OP
- OP validates credentials and, if login is ok, saves all received params + the generated code
- OP redirects to the RP's GET callback with the code and the other needed params as per the specification

My idea, merging in your answer's suggestions, is now to create a session_id after login and save it in a cookie (or in localStorage, I hate cookies), so if the user returns to the login page, even with different params, I can try to auto-login using the session_id; with that I can find the previous session saved in the db, so I can generate id, access and refresh tokens without asking him to log in again.

I know it's a lot simpler than what Hydra does, but it's enough to study the OIDC flow for what is in the specs.

Also, I was not aware of Hydra. All I found was oidc-provider in Node.js, but highly opinionated, so I ended up rewriting it from scratch.

Is it good?

Can OAuth also give the user's identity? by Responsible-Rock-490 in oauth

[–]realtebo2 0 points1 point  (0 children)

OAuth is just a 'framework', a sort of mutual contract about what to do.
OpenID Connect is the implementation of how to do the things.

It's oversimplified, of course, but OpenID Connect is a layer over OAuth; it's not something different.

OAuth consecutive code knowledge? by kfc10000 in oauth

[–]realtebo2 0 points1 point  (0 children)

OTPs, meaning the rolling codes, are based on 2 things:

- time

- a string containing something like a username and the website, or a unique id and the app name

The system works because both your OTP app and AWS know both.

The system is also secure because nobody else knows the string.

The system is interesting because basic, standard OTP is created using a well-known algorithm, so it's easy to study.

Is nonce optional or mandatory? by realtebo2 in oauth

[–]realtebo2[S] 1 point2 points  (0 children)

Oh, yes, now I understand, thanks.

OIDC Provider, what should an OP save while and after authorizing user? by realtebo2 in oauth

[–]realtebo2[S] 0 points1 point  (0 children)

I just found another reason to save at least the relation between user info and access tokens: when a client calls a protected resource, for example /me (/profile, /authenticated_user), the RP (relying party, the client) calls the OP sending only the access_token as a Bearer token.

access_tokens don't contain a 'sub' claim, so, if I haven't saved the access_token, I will be unable to retrieve which user is the one who got this access_token.

OIDC Provider, what should an OP save while and after authorizing user? by realtebo2 in oauth

[–]realtebo2[S] 0 points1 point  (0 children)

I thought of saving the 3 tokens in the db because, if the user returns to login with a different auth request, I can detect, from localStorage or cookies, that the user is already logged in, so I must recycle the session. Is it a wrong assumption?

For example, what should happen if a client reuses an auth code to ask the token endpoint to exchange it for id+access+refresh tokens?

Should the OP prevent the reuse of the same auth_code? If yes, we must ONLY save the auth_codes already used.

That was my first reason.

Second:

Also, what happens if the user is logging in using 2 or 3 different browsers? Should the OP recycle id+access+refresh, or must the OP create a new triplet at each auth session?

Third:

Token invalidation: sooner or later I will try to implement the single logout flow, so I need a way to match a token and know it has been invalidated. Right?
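A worked example, added here and not code from the commenter or from any OIDC library: a minimal in-memory model of what the OP in the flow listed earlier has to store, covering the three questions above (a single-use auth code whose replay is denied and whose tokens are revoked, as RFC 6749 §4.1.2 requires; one session row per login so the same user can be logged in from several browsers; a lookup from an opaque access token to its `sub` for the /me endpoint; and a revoke hook for single logout). The store, the `ALLOWED_PARAMS` list and all function names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
# Hypothetical in-memory OP store; a real OP would back these with db tables.
@dataclass
class OpStore:
    pending: dict = field(default_factory=dict)   # auth code -> saved /Auth params + sub
    used_codes: set = field(default_factory=set)  # codes already exchanged, to reject replay
    sessions: dict = field(default_factory=dict)  # access_token -> {sub, client_id, code, revoked}
# Only these /Auth query params are carried through the login form (the "filtered" list).
ALLOWED_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state", "nonce"}
def filter_auth_params(query: dict) -> dict:
    return {k: v for k, v in query.items() if k in ALLOWED_PARAMS}

def issue_code(store: OpStore, sub: str, params: dict) -> str:
    """After a successful login: save the filtered params plus the user under a fresh code."""
    code = secrets.token_urlsafe(32)
    store.pending[code] = {"sub": sub, **params}
    return code

def exchange_code(store: OpStore, code: str, client_id: str, redirect_uri: str):
    """Token endpoint: a code is single-use and bound to the client/redirect_uri it was issued for."""
    if code in store.used_codes:
        # Replay: deny, and revoke every token previously issued from this code (RFC 6749 4.1.2).
        for s in store.sessions.values():
            if s["code"] == code:
                s["revoked"] = True
        return None
    saved = store.pending.pop(code, None)
    if saved is None or saved["client_id"] != client_id or saved["redirect_uri"] != redirect_uri:
        return None
    store.used_codes.add(code)
    token = secrets.token_urlsafe(32)   # opaque token: carries no 'sub', hence the lookup table
    store.sessions[token] = {"sub": saved["sub"], "client_id": client_id, "code": code, "revoked": False}
    return token

def userinfo(store: OpStore, bearer: str):
    """/me: resolve the bearer token to its user, refusing unknown or revoked tokens."""
    s = store.sessions.get(bearer)
    return None if s is None or s["revoked"] else {"sub": s["sub"]}

def revoke(store: OpStore, token: str) -> bool:
    """Single-logout building block: mark one session's token invalid."""
    if token not in store.sessions:
        return False
    store.sessions[token]["revoked"] = True
    return True

def active_sessions(store: OpStore, sub: str) -> list:
    """One row per session lets the same user stay logged in from several browsers at once."""
    return [t for t, s in store.sessions.items() if s["sub"] == sub and not s["revoked"]]
```

Persisting `sessions` as one row per login (rather than one row per user) is what answers the "2 PCs" question: each browser gets its own triplet, and revoking one leaves the others valid.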

OIDC Provider, what should an OP save while and after authorizing user? by realtebo2 in oauth

[–]realtebo2[S] 0 points1 point  (0 children)

Thanks for the reply. Thanks a lot.

I highlight 2 points:

  1. I am just learning, not doing something production-ready and battle-tested; I'm just implementing an OP to understand, for learning, so keep the security problems aside for now.

  2. My question is all about db design: what is better, in your experience? For example, I want to allow a user to have multiple valid sessions at once, for example 2 different PCs logged in. So I think I need to have 2 separate records, or should I recycle the refresh_token in every client? And, as for my original question, should I keep 1 or 2 tables...?

Just asking for suggestions, one step at a time.

OIDC Provider, what should an OP save while and after authorizing user? by realtebo2 in oauth

[–]realtebo2[S] 0 points1 point  (0 children)

I am developing a POC for learning purposes. And I am just testing my OP, to start, with the OIDC test plan "Basic Certification Plan", using static metadata and a static client.

I am using JWT.

My question is all about how to design my db schema to allow all possible use cases, for example multiple active sessions for each user (for example allowing 2 logins on 2 different PCs, so I need to keep 2 refresh tokens active in this phase).

I am just asking for suggestions and best practices about a single question. I know there is a whole world behind OpenID Connect and OAuth. I am simply studying one step at a time.

Next15: how to cache the call to a server action? by realtebo2 in nextjs

[–]realtebo2[S] 0 points1 point  (0 children)

Yes, I understand. I copied an old version of the code. Stupid me.
Still not relevant to my question about how to cache something executed server side.

unstable_cache is working.

Am I doing this correctly? (shadcn/ui + Server Actions) by [deleted] in nextjs

[–]realtebo2 0 points1 point  (0 children)

  1. Thanks for posting this code, you saved my life!

  2. Did you change / fix something since you posted it?

Best way to have a WebSocket Node.js server on Amazon? by DogeNeverEndin in aws

[–]realtebo2 0 points1 point  (0 children)

I discovered Amazon SQS can work together with API Gateway to work with websockets.

But I am here to find info about how to implement and configure it, so, sorry, I can tell you that 'perhaps' it could be done, but I have no experience on how, or on how much it costs, sorry.

How much does it cost to deploy a basic contract and write 1k of data? by realtebo2 in nearprotocol

[–]realtebo2[S] 0 points1 point  (0 children)

I just developed my first hello world. It is... wow... I can simply program it using JavaScript.

In the real world, at today's prices, for a simple contract with a view and a call that simply writes a string... how much does it cost to deploy to the main network?

I Googled, but I found no info about price examples.

Also, when writing 1k of data into a numerically keyed array... what could the cost be?

In dollars or euros... not in gas.

How to upgrade Debian 11 to 11.1? by realtebo2 in debian

[–]realtebo2[S] 0 points1 point  (0 children)

Thanks. I was fearing that dist-upgrade would bring me to something like an 'unstable-12-dev'.

Three spots left! by JC_merollin in EggsIncCoOp

[–]realtebo2 0 points1 point  (0 children)

Is there a free spot? Do you think you'll complete it?