Fork me on GitHub
#off-topic
<
2020-11-06
>
uosl11:11:13

Any opinions on how HTTP requests and authentication should be managed on a SPA that has to communicate with multiple servers on different domains? Obviously saving auth data only in the backend's session is most secure, but this would mean all requests from the SPA need to be proxied through this backend. On the other hand, using localstorage to store auth data is less secure, and the SPA would still need to send OPTIONS preflight requests, which also is a performance penalty. Which is actually better from a performance standpoint?

Mno13:11:58

I'm no expert by any regard but normally for this kind of situation I use a middleman backend which talks to all the secondary servers

Mno13:11:49

So auth can be shared but also remains in the backend

Mno13:11:54

I don't really know the performance implications in your original question, unfortunately

uosl16:11:40

Yea, I think that's the most common. I just wonder how much it affects performance, as all requests will essentially have a detour added to them. This SPA is a frontend to multiple biological databases managed by different organizations, and it's up to the user to decide which server to use.

rakyi16:11:16

> using localstorage to store auth data is less secure What do you mean by auth data? I don’t see a problem with having session cookies set by different servers.

Lennart Buit16:11:34

(Maybe overkill) You can look at the PKCE Oauth Flow, that is meant to securely obtain an access token for your APIs (say a JWT) without having to trust the client in storing some form of secret

👌 3
rakyi16:11:56

and yeah, don’t store anything sensitive in localStorage, it’s not secure

Lennart Buit16:11:24

To elaborate, storing tokens in localstorage can mean tokens can get stolen by XSS attacks

👍 6
uosl17:11:01

By auth data I mean tokens, and yes I'm aware of XSS.

seancorfield17:11:23

@regen We use an OAuth flow for this: an Auth Server (that just hands out tokens), a Login Server for actual authentication, and then all the other services invoked from our SPA pass the access token.

seancorfield17:11:55

(and the SPA talks to the Auth Server periodically to update its access token from the refresh token that it got from the Auth Server after login)

noisesmith22:11:30

it works for me right now?

noisesmith22:11:40

it's a great language, one of my favorites

dpsutton22:11:03

back up now i guess

dpsutton22:11:23

yeah i've been dabbling recently. i really miss HM type systems

noisesmith22:11:45

I've been having some fun with zig lately - it simplifies a lot of the cruftiness of C while being as low level, and adds HM type inference as well

noisesmith22:11:03

c : c++ :: zig : rust, more or less

noisesmith22:11:30

also zig does modules the same way OCaml does, they are data structures

theophilusx22:11:00

@regen I would go with the broker backend. This will limit your auth complexity to the broker and provide more flexibility for security. It also means that if any of the services you need to access change their auth processes or add new auth services, you only need to update the broker, not every client. The downside is that it will increase network traffic, may represent a single point of failure, could be a performance bottleneck and provides a rich target for adversaries. This type of question is challenging because the right answer also depends a lot on context. The level of threat and associated risk depends a lot on the types of services your accessing and the value (to others) of the data you need to protect. My preference has been for a architecture similar to what @seancorfield outlines. The additional traffic querying the auth server is minimal and having tokens with timeouts and authz as well as authn info provides a lot of flexibility and you can control access from a single point.