From: Mathieu Lirzin
Subject: Re: [GSoC] Development of Cuirass.
Date: Mon, 20 Mar 2017 23:05:43 +0100
Message-ID: <87lgrzy56w.fsf@gnu.org>
In-Reply-To: pelzflorian@pelzflorian.de's message of "Mon, 13 Mar 2017 00:45:00 +0100"
To: "pelzflorian (Florian Pelz)"
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

"pelzflorian (Florian Pelz)" writes:

> On 03/12/2017 07:41 PM, Mathieu Lirzin wrote:
>> Hello Florian,
>>
>> "pelzflorian (Florian Pelz)" writes:
>>
>>> On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
>>>> Sensitive requests should be done with an
>>>> authentication mechanism which is not determined yet. I currently
>>>> have no experience with any and lack the knowledge to properly choose
>>>> one.
>>>
>>> I'm new to Guix and Scheme and no expert in Web programming, but in
>>> order to prevent CSRF and in order not to rely on JavaScript, the server
>>> should run with HTTPS (of course) and
>>> · use a secret session token and
>>> · send a customized Web page to the client adapted so that each link and
>>> form to the server includes the session token as a GET or POST parameter.
>>>
>>> An alternative is Basic Access Authentication with HTTPS or Cookies with
>>> HTTPS but they are vulnerable to CSRF.
>>>
>>> See stackoverflow, for example
>>>
>>> https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication
>>
>> Thanks for your input.
>>
>> Have you any experience/advice regarding OAuth or JSON Web Token (JWT)?
>>
>
> Sorry, I have no experience with these. I think I've basically
> understood what OAuth is for after reading the OSM wiki, [1] but I'm not
> sure what you want to use it for.
>
> I assume the following scenario:
>
> The user wants to log in.
>
> · The Cuirass Web server would receive the log-in credentials as POST
> parameters from an HTML form.
>
> · Now it needs to check whether the password is correct, e.g. by looking
> up the salt stored for the supplied username, computing the bcrypt hash
> of the supplied password and stored salt and comparing it to the stored
> bcrypt hash for the user name. ← This requires Cuirass to store a
> table containing user names, salts and bcrypt hashes. Do you intend to
> use some OAuth / OpenID / whatever thing to outsource the log-in
> management to an "identity provider"? I presume you don't.
>
> · You generate a secret session token shared between server and client
> which you
> — embed in each link and in each form you send to the client as part
> of the session and
> — can verify the session token on the server. ← I did not know
> about JWT, but from a first glance it seems very appropriate for this
> use. Instead of storing on the server which sessions are still active,
> the token stores all information about the log-in and its content is
> encrypted with the server's secret key. This seems like a great idea,
> also there maybe is (or should be) a library to manage JWT. I learned
> something today.
:)

I need to do my homework before being able to go further in this
discussion. Thanks for your analysis.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37
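The scenario Florian sketches above, as an added example that is not code from Cuirass (which is written in Guile) or from either message in the thread: a salted password check, a stateless signed session token that the server embeds in every form it renders and reads back only from the POST parameter, never from a cookie, and server-side verification of that token. A form hosted on an attacker's site is submitted by the browser without the token, so the request is refused, which is the CSRF property the thread is after. Assumptions made here: PBKDF2-HMAC stands in for bcrypt because bcrypt is not in Python's standard library; the token is a minimal JWT-like `body.signature` pair with an HMAC-SHA256 signature, and, as with a standard JWS token, it is signed rather than encrypted, so its claims are readable by whoever holds it and only forgery is prevented; the in-memory user table, the key, and the names `issue_token`, `verify_token`, `handle_post` and `/cancel-build` are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed for the example: a real server loads its key from configuration
# and keeps the user table in its database.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a session token stays valid


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the standard library);
    # the salted-hash idea is the same.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(users: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    users[username] = (salt, _hash_password(password, salt))


def check_password(users: dict, username: str, password: str) -> bool:
    entry = users.get(username)
    if entry is None:
        # Run the hash anyway so the response time does not reveal
        # whether the user name exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash_password(password, salt))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, key: bytes = SERVER_KEY, now=None) -> str:
    # Stateless, JWT-like token: claims plus an HMAC over them. It is signed,
    # not encrypted: the client can read "sub" and "exp" but cannot forge them.
    issued = int(time.time() if now is None else now)
    claims = {"sub": username, "exp": issued + TOKEN_TTL,
              "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the user name the token was issued to, or None if it is invalid."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time compare; check the signature before trusting any claim.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] < (time.time() if now is None else now):
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def render_form(token: str, action: str = "/cancel-build") -> str:
    # Every form (and link) the server sends carries the token as a parameter.
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="session" value="{token}">'
            f'<button>Cancel build</button></form>')


def handle_post(params: dict, key: bytes = SERVER_KEY) -> tuple:
    # The server trusts only the POST parameter, never a cookie, so a form on
    # an attacker's site, which the browser submits without the token, is refused.
    user = verify_token(params.get("session", ""), key)
    if user is None:
        return 403, "forbidden"
    return 200, f"ok: {user}"


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    assert check_password(users, "alice", "correct horse battery staple")
    tok = issue_token("alice")
    print(render_form(tok))
    print(handle_post({"session": tok}))  # (200, 'ok: alice')
    print(handle_post({}))                # (403, 'forbidden'): a cross-site form lacks the token
```

Two details worth keeping when porting this to Guile: the token must be verified with a constant-time comparison and must carry an expiry, otherwise a leaked token (for instance via a GET parameter ending up in a proxy log or Referer header) stays valid forever; for that reason sensitive actions are better bound to POST forms than to links.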