Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support even simpler, insecure, authentification. #26

Open
Kuinox opened this issue Jan 13, 2022 · 2 comments
Open

Support even simpler, insecure, authentification. #26

Kuinox opened this issue Jan 13, 2022 · 2 comments

Comments

@Kuinox
Copy link
Contributor

Kuinox commented Jan 13, 2022

Customer want an insecure logging with only an username and a list of allowed username.
I think we should support this sort of authentification:

  • It would allow us to not reimplement it every time.
  • Could make it more secure than the naive implementation (like rate limiting to make bruteforcing harder)
  • It also allow us to upgrade easily to a real, and secure, auth system
@olivier-spinelli
Copy link
Member

olivier-spinelli commented Jan 13, 2022
edited
Loading

IMO there is a rather simple solution: use the regular CK.DB.UserPassword and such users have the "no-pwd" password. The front hides the password textbox and sends "no-pwd" to the back.

The idea is that the login will challenge the password AND the user name: only "registered users" will be allowed (no typos are possible in the user name).

To "soft delete" a user (more precisely to revoke its login), it's enough to set a new Guid as its password. Its authentication will automatically fail.

Note that there may be users with "no-pwd-1", "no-pwd-2": this supports the case where multiple "kind of users" must log:

  • The front displays a select box with the "Kind" (or tabs or whatever)
  • Each "kind" is associated to a different password.

This is a Front issue actually. One need the hiding of the password textbox and admin screens to manage them.

One last idea: if, for some users, authentication becomes required:

  • Set him a real password (and communicate it).
  • Let him enter its user name as usual and attempt to login with "no-pwd".
  • This will fail: simply display the password textbox.
  • Cherry on the cake: on failure, before displaying the password textbox lookup for the user name and only if it exists, display the password textbox.

This really seems to be all about Front development...

@olivier-spinelli
Copy link
Member

There may be a DB package: a simple table "CK.tPseudoUser" (or GuestUser?) with the UserId and the "password" that tracks these users. There's no need to add any field in tUser.
One may create a Group "PseudoUsers" that is synchronized with this table so that Acl can easily deny any pseudo users like these.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@olivier-spinelli @Kuinox