Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Seriously... I am rethinking my life choices right now... I am tempted to rewrite everything in Java, using MariaDB instead of CouchDB for the database (even though I hate SQL)
-
@bytecode I might be wrong in this case, but "sending in URL" usually means basic authentication, where the credentials are passed in a http header in every request.
-
Check jwt.io
The token you get is some json signed with a secret key stored in the backend. That way you don't need to call the db to check the session, just that the signature is valid. -
@johnmelodyme That's what I was using for any project I did for my clients... but this is my personal project that I am then going to pass on to my students' club... The requirement is to keep everything on our servers. ...and I also need to implement OAuth login via our information system.
-
The biggest problem is the usage of terminology and best practices around oauth. You'd think that the biggest proponents of OAuth2 folks would be clear and concise about what each of the terminology means.
I'd suggest reading the docs for Okta to clearly understand what each of the terms mean and how they all connect to create authentication and authorization schemes.
I have been implementing OAuth2 for the past 3 years and it's only easy until the point I need to verify a token. Authorization becomes a pain the moment you go for multi tenant resources. But that's a story for another day. -
@terriblecoder I think you misunderstood my post, I need to implement local authentication as well as OAuth.
And for local auth JWT seems to be the current standard... I just figured out what I was missing, most of the plugins counted on external service generating the token... that's why it got me confused.
Related Rants
I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant
(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)
rant
help
hapi
what the hell is going on
wtf is jwt