#startup-in-a-month
2021-03-10
afry 16:03:19

Hey all! Been a bit quiet recently hasn't it? I've been busy on some user authentication/password management/security stuff for the past few days. Much though I enjoy streaming the code development process, I think that broadcasting EVERY single line of code is ... uh ... a really bad idea 😅 So I'm going to be working on that for the rest of the week probably. I might get a stream or two in, but otherwise I'll be laboring in the shadows for a little while 🕵️‍♂️

❤️ 6
👍 4
bringe 16:03:22

I have a repo here that may be of use as a reference to you: https://github.com/bpringe/auth-template. It's session based auth, not token, but some of it may still be useful if you're using token auth.

afry 20:03:01

Ooh damn, I will definitely reference that! Thanks @U9A1RLFNV

afry 20:03:58

And after some ego swallowing and a couple hours of research, I've decided on session auth after all. Seems easier and safer, and only requires a little refactoring on my end to make it possible to do with http-only cookies

bringe 20:03:30

You're welcome. Yeah if it's a simple app for the browser then session auth fits the bill I think.

bringe 22:03:08

Ah, yes, thanks. The OWASP material I referenced is really thorough.