feat: switch over to passport.js #314
Conversation
coderbyheart
force-pushed
the
passport.js
branch
2 times, most recently
from
eb7c444 to
06765c0
Compare
Changes to your CodeSee Architecture Map:Legend |
coderbyheart
force-pushed
the
passport.js
branch
3 times, most recently
from
04c6f50 to
2438aaa
Compare
package.json
Outdated
| "@sinclair/typebox": "0.20.5", | ||
| "@types/graphql-depth-limit": "1.1.2", | ||
| "@types/lodash": "4.14.172", | ||
| "@types/supertest": "2.0.11", | ||
| "ajv": "8.6.2", | ||
| "ajv-formats": "2.1.1", | ||
| "apollo-server": "3.3.0", | ||
| "apollo-server-express": "3.3.0", | ||
| "bcrypt": "5.0.1", | ||
| "body-parser": "1.19.0", | ||
| "compression": "1.7.4", | ||
| "cookie-parser": "1.4.5", | ||
| "cors": "2.8.5", | ||
| "dotenv": "10.0.0", | ||
| "express": "4.17.1", | ||
| "graphql": "15.5.1", | ||
| "graphql-depth-limit": "1.1.0", | ||
| "graphql-import-node": "0.0.4", | ||
| "graphql-scalars": "1.10.0", | ||
| "lodash": "4.17.21", | ||
| "nodemon": "2.0.12", | ||
| "passport": "0.4.1", | ||
| "passport-cookie": "1.0.9", | ||
| "pg": "8.7.1", | ||
| "prettier-plugin-organize-imports": "2.3.3", | ||
| "reflect-metadata": "0.1.13", | ||
| "sequelize": "6.6.2", | ||
| "sequelize-typescript": "2.1.0", | ||
| "supertest": "6.1.6", | ||
| "uuid": "8.3.2" |
There was a problem hiding this comment.
praise: thank you for pinning every dependency. I hope it wasn't too much of a pain.
There was a problem hiding this comment.
Only a little, not all of them are on the latest release (e.g. sequelize-typescript)
| i: number | ||
| /** user is admin */ | ||
| a: boolean | ||
| /** user hash */ | ||
| c: string |
There was a problem hiding this comment.
question (non-blocking): are those fields named that way to match the way passport-cookie formats its data?
There was a problem hiding this comment.
No, but we encode this in the cookie sent to the browser, and there is a size limit, so I want to keep it as small as possible (while still using JSON).
src/models/user_account.ts
Outdated
| @Column | ||
| public auth0Id!: string | ||
| public username!: string |
There was a problem hiding this comment.
question (non-blocking): why require a username instead of an email?
There was a problem hiding this comment.
Yes, good point. I started this switch without emails, but I realize we need them anyway (for password reset), so I will remove the username field and turn it into an email field.
src/routes/login.ts
Outdated
| if (user === null) { | ||
| // Penalize | ||
| await new Promise((resolve) => setTimeout(resolve, penaltySeconds * 1000)) | ||
| return response.status(401).end() | ||
| } | ||
| if (!bcrypt.compareSync(valid.value.password, user.passwordHash)) { | ||
| // Penalize | ||
| await new Promise((resolve) => setTimeout(resolve, penaltySeconds * 1000)) | ||
| return response.status(401).end() | ||
| } |
There was a problem hiding this comment.
though (non-blocking): this means that if I type the wrong username or password, I'll have to wait 10 seconds until I see an error message, right? I think that could become annoying from a UX perspective. I wonder if we could instead throttle access to that endpoint based on the user's IP (not necessarily in this PR though)
There was a problem hiding this comment.
Yes, a more advanced feature of this would be remembering the user, however, the point here is to slow down attackers, which most likely will switch IP addresses. I think a better solution will be to implement a CAPTCHA, like https://friendlycaptcha.com/.
There was a problem hiding this comment.
I like the CAPTCHA solution 👍
coderbyheart
force-pushed
the
passport.js
branch
2 times, most recently
from
74bd298 to
185de9f
Compare
|
@deammer I realize that I've build the authentication API outside of GraphQL, as REST. Do you feel that is an issue? They are pretty independent of each other, any way (and were before). |
I feel like that's not a problem. The previous |
coderbyheart
force-pushed
the
passport.js
branch
3 times, most recently
from
2c39069 to
e64eaec
Compare
|
I've asked friendlyCaptcha if they would provide us with a free business license, because only that one uses EU-only endpoints. |
coderbyheart
force-pushed
the
passport.js
branch
3 times, most recently
from
8ac8bcb to
265e69f
Compare
coderbyheart
force-pushed
the
passport.js
branch
from
58e70ba to
1ffb1e2
Compare
coderbyheart
force-pushed
the
passport.js
branch
from
d185570 to
080fd5d
Compare
|
I have to figure out the problem with sequelize before merging. |
This adds username/password based authentication, using a cookie when accessing secure routes
REACT_APP_VERSION is not used and maintained right now
So Chrome will include it in cross-site requests
Update the DevContainer definition so users are able to run `npm test`.
This adds username/password based authentication,
using a cookie when accessing secure routes
See ./docs/authentication.md for description of the implementation.
useAuthhook to use context, so auth state can be access everywhereShipmentSendingHub/ShipmentReceivingHubto db schema againCAPTCHA will be handled in a separate PR: #335
Includes changes to host it on CleverCloud, so this PR can be reviewed on a working instance.