prismatik / auth
A generically useful authentication and authorisation server based on a hierarchy-free inter-entity permission system
I think this service should accept an ENV var that will specify how many encryption cycles bcrypt should use.
Basically the problem is that production-grade bcrypt takes quite a bit of time and it slows down tests significantly. I want to be able to specify something like ENCRYPT_CYCLES=1 in a test environment and make the auth service create new records faster.
Also, this will allow us to use more cycles in security-critical apps.
When signIn fails due to a wrong username or wrong password, the response error actually says either 'wrong username' or 'wrong password'.
This is a security vulnerability. Firstly, it tells the attacker that they've got the username right. Secondly, it allows the attacker to check your system against existing email databases and know who's actually registered in the system.
The failure message should just say 'wrong username or password'. Don't even mention 'email'.
You're throwing 403s instead of 401s.
403 means permission denied, which means the user's authentication is valid; they're just trying to access something above their level, like admin features and such.
401 means authentication failed or was not issued.
Should auth adhere to semver? So far, there have been some major releases with no change in versioning. As this service is now rolled out for multiple projects, this feels quite important.
It will give us the confidence to update without having to worry about projects breaking.
as per Prismatik/auth-driver#21
https://github.com/Prismatik/auth/blob/master/controllers/login.js returns a JWT keyed to the email. That's not particularly secure as it'll give you access to all future accounts that use that email address. Sessions should be tied to their related entities by id, i.e., users, so they're guaranteed to only apply to the user that created them. They should not be invalidated when a user changes her email address in the app.
The service is kinda slow in the testing environment; needs some investigation.
Hey,
authDriver.update(purchaser.customerId, {
  permissions: [{type: "purchaser", entity: purchaser.wholesaler}]
})
Leads to:
Unhandled rejection ReqlRuntimeError: Cannot convert `undefined` with r.expr() in:
r.table("entities").get("9b061055-e06a-460f-a068-370d54416af1")("rev").eq(undefined)
^^^^^^^^^
at Term.run (/home/user/Documents/auth/node_modules/rethinkdbdash/lib/term.js:43:17)
at Server.exports.validateEmail.exports.validateRevision.r.table.get.getField.eq.run.then (/home/user/Documents/auth/lib/entity.js:31:4)
at next (/home/user/Documents/auth/node_modules/restify/lib/server.js:906:30)
at f (/home/user/Documents/auth/node_modules/restify/node_modules/once/once.js:17:25)
at Server.exports.validateEmail.query.isEmpty.run.then (/home/user/Documents/auth/lib/entity.js:9:23)
at next (/home/user/Documents/auth/node_modules/restify/lib/server.js:906:30)
at f (/home/user/Documents/auth/node_modules/restify/node_modules/once/once.js:17:25)
at Server.module.exports (/home/user/Documents/auth/routes/middleware/basic_auth.js:8:10)
at next (/home/user/Documents/auth/node_modules/restify/lib/server.js:906:30)
at f (/home/user/Documents/auth/node_modules/restify/node_modules/once/once.js:17:25)
at parseJson (/home/user/Documents/auth/node_modules/restify/lib/plugins/json_body_parser.js:65:9)
at Server.parseBody (/home/user/Documents/auth/node_modules/restify/lib/plugins/body_parser.js:90:13)
at next (/home/user/Documents/auth/node_modules/restify/lib/server.js:906:30)
at f (/home/user/Documents/auth/node_modules/restify/node_modules/once/once.js:17:25)
at IncomingMessage.done (/home/user/Documents/auth/node_modules/restify/lib/plugins/body_reader.js:121:13)
at IncomingMessage.g (events.js:260:16)
at emitNone (events.js:67:13)
at IncomingMessage.emit (events.js:166:7)
at endReadableNT (_stream_readable.js:905:12)
at doNTCallback2 (node.js:441:9)
at process._tickDomainCallback (node.js:396:17)
I might be doing something wrong too, but given that the request will then time out with no 500 returned, it's a bug. ;)
Getting stuff like this:
permissions:
[ { entity: 'dd36730e-f449-4e24-9854-90905c7757f9',
type: 'purchaser' },
{ entity: '31ba0784-2e6b-4679-86c1-320802d02fa2',
type: 'purchase' },
{ entity: '31ba0784-2e6b-4679-86c1-320802d02fa2',
type: 'purchase' },
{ entity: '31ba0784-2e6b-4679-86c1-320802d02fa2',
type: 'purchase' },
{ entity: '31ba0784-2e6b-4679-86c1-320802d02fa2',
type: 'purchase' } ],
rev: 'fac9c07e-6ee7-4e34-8d3e-4357e24532df',
updated_at: '2015-12-24T06:13:51.658Z' }
There should be a way to compact the dups.
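A way to collapse the duplicates shown in the dump and to make granting a permission idempotent, so the list never grows like that in the first place, as an added example that is not Prismatik/auth's own code. The sample list is taken from the issue above; the validation rules (both fields must be non-empty strings) are an assumption, added because an `undefined` entity would otherwise be stringified and silently deduplicated against other malformed entries.

```javascript
// Added example, not Prismatik/auth code: collapse duplicate permission entries
// and make grants idempotent. The sample list is the one from the issue; the
// validation rules are assumptions.

function permissionKey(p) {
  return `${p.type}\u0000${p.entity}`;  // NUL separator so "ab"+"c" never collides with "a"+"bc"
}

function assertPermission(p) {
  if (!p || typeof p.type !== 'string' || p.type === '' ||
      typeof p.entity !== 'string' || p.entity === '') {
    throw new TypeError(`malformed permission: ${JSON.stringify(p)}`);
  }
}

// Returns a new array with each (type, entity) pair at most once, first
// occurrence wins; the input array is not mutated.
function compactPermissions(perms) {
  const seen = new Set();
  const out = [];
  for (const p of perms) {
    assertPermission(p);
    const key = permissionKey(p);
    if (!seen.has(key)) {
      seen.add(key);
      out.push({ type: p.type, entity: p.entity });
    }
  }
  return out;
}

// Idempotent grant: adding a permission the entity already holds is a no-op.
function grant(perms, permission) {
  return compactPermissions([...perms, permission]);
}

// Constructed from the dump in the issue above.
const SAMPLE = [
  { entity: 'dd36730e-f449-4e24-9854-90905c7757f9', type: 'purchaser' },
  { entity: '31ba0784-2e6b-4679-86c1-320802d02fa2', type: 'purchase' },
  { entity: '31ba0784-2e6b-4679-86c1-320802d02fa2', type: 'purchase' },
  { entity: '31ba0784-2e6b-4679-86c1-320802d02fa2', type: 'purchase' },
  { entity: '31ba0784-2e6b-4679-86c1-320802d02fa2', type: 'purchase' },
];
```

Running `compactPermissions` once over stored records cleans up what is already there; routing every write through `grant` keeps it from coming back.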
Given my initial argument list:
I've elaborated a few:
Create a library, have it return an instance of Auth given database connection details and call it a day. ;-)
Tests seem to hang until you ctrl-c outta there.
https://github.com/Prismatik/auth/blob/master/controllers/entities.js#L14
I think that should be a POST. At no time do we accept a user persisting an inherited_permissions array, for example. In order to satisfy the semantic requirements of PUT we would need to store the resource exactly as the user had sent it.