From mboxrd@z Thu Jan 1 00:00:00 1970 From: "pelzflorian (Florian Pelz)" Subject: Re: [GSoC] Development of Cuirass. Date: Mon, 13 Mar 2017 00:45:00 +0100 Message-ID: References: <87tw6yim7o.fsf@gnu.org> <814f70f0-569c-51c8-592d-16b1ea4c8e70@pelzflorian.de> <87bmt6ibhz.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46689) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cnDAi-0000at-Of for guix-devel@gnu.org; Sun, 12 Mar 2017 19:45:10 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cnDAf-0001bP-MR for guix-devel@gnu.org; Sun, 12 Mar 2017 19:45:08 -0400 In-Reply-To: <87bmt6ibhz.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mathieu Lirzin Cc: guix-devel@gnu.org On 03/12/2017 07:41 PM, Mathieu Lirzin wrote: > Hello Florian, >=20 > "pelzflorian (Florian Pelz)" writes: >=20 >> On 03/12/2017 03:49 PM, Mathieu Lirzin wrote: >>> Sensitive requests should be done with an >>> authentification mechanism which is not determined yet. I currentl= y >>> have no experience with any and lack the knowledge to properly choo= se >>> one. >> >> I=E2=80=99m new to Guix and Scheme and no expert in Web programming, b= ut in >> order to prevent CSRF and in order not to rely on JavaScript, the serv= er >> should run with HTTPS (of course) and >> =C2=B7 use a secret session token and >> =C2=B7 send a customized Web page to the client adapted so that each l= ink and >> form to the server includes the session token as a GET or POST paramet= er. >> >> An alternative is Basic Access Authentication with HTTPS or Cookies wi= th >> HTTPS but they are vulnerable to CSRF. >> >> See stackoverflow, for example >> >> https://stackoverflow.com/questions/21357182/csrf-token-necessary-when= -using-stateless-sessionless-authentication >=20 > Thanks for your input. >=20 > Have you any experience/advice regarding OAuth or Json Web Token (JWT) = ? >=20 Sorry, I have no experience with these. I think I=E2=80=99ve basically understood what OAuth is for after reading the OSM wiki, [1] but I=E2=80=99= m not sure what you want to use it for. I assume the following scenario: The user wants to log in. =C2=B7 The Cuirass Web server would receive the log-in credentials as POS= T parameters from an HTML form. =C2=B7 Now it needs to check whether the password is correct, e.g. by loo= king up the salt stored for the supplied username, computing the bcrypt hash of the supplied password and stored salt and comparing it to the stored bcrypt hash for the user name. =E2=86=90 This requires Cuirass to stor= e a table containing user names, salts and bcrypt hashes. Do you intend to use some OAuth / OpenID / whatever thing to outsource the log-in management to an =E2=80=9Cidentity provider=E2=80=9D? I presume you don=E2= =80=99t. =C2=B7 You generate a secret session token shared between server and clie= nt which you =E2=80=94 embed in each link and in each form you send to the client as= part of the session and =E2=80=94 can verify the session token on the server. =E2=86=90 I di= d not know about JWT, but from a first glance it seems very appropriate for this use. Instead of storing on the server which sessions are still active, the token stores all information about the log-in and its content is encrypted with the server=E2=80=99s secret key. This seems like a great i= dea, also there maybe is (or should be) a library to manage JWT. I learned something today. :) By the way, your plans for Cuirass sound great. Thank you! Regards, Florian [1] https://wiki.openstreetmap.org/wiki/OAuth