About security and user roles #64
Hi @tappbell, in this case you are able to configure a small server that stores the config and creates a session for a user who wants to log in.
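The arrangement suggested in the comment above, as an added example that is not ConnectyCube's or the commenter's code: the server keeps `authSecret` and signs the session request, so the app bundle never contains it. The HMAC-SHA1 scheme, the parameter names, the `CC_AUTH_SECRET` variable and the response shape in `toClientResponse` are assumptions to check against the ConnectyCube REST documentation; all values are constructed.

```javascript
// Server-side only: this file is never shipped in the React Native bundle.
const crypto = require("node:crypto");

// Constructed placeholder values, not real credentials.
const CONFIG = {
  appId: "1234",
  authKey: "constructed-auth-key",
  authSecret: process.env.CC_AUTH_SECRET || "constructed-auth-secret",
};

// Assumed signing scheme: HMAC-SHA1 over the alphabetically sorted
// "key=value" pairs joined with "&", keyed with authSecret.
function signParams(params, secret) {
  const body = Object.keys(params)
    .sort()
    .map((k) => `${k}=${params[k]}`)
    .join("&");
  return crypto.createHmac("sha1", secret).update(body).digest("hex");
}

// Build the signed session request the server sends on the user's behalf.
// The secret is used as the HMAC key and never appears in the request.
function buildSessionRequest(login, password, now = Date.now(),
                             nonce = crypto.randomInt(1, 2 ** 31)) {
  if (typeof login !== "string" || !login ||
      typeof password !== "string" || !password) {
    throw new TypeError("login and password are required");
  }
  const params = {
    application_id: CONFIG.appId,
    auth_key: CONFIG.authKey,
    nonce, // fresh per request, so a captured signature fits no other request
    timestamp: Math.floor(now / 1000),
    "user[login]": login,
    "user[password]": password,
  };
  return { ...params, signature: signParams(params, CONFIG.authSecret) };
}

// Hypothetical response shape: forward only the session token to the app,
// dropping every other field the API returned.
function toClientResponse(apiSession) {
  return { token: apiSession.token };
}
```

When the session expires, the app calls this server again with the user's credentials, which matches the "create a new session" advice later in the thread.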
Hi, thank you for your response. I have a couple of questions regarding the token. The doc (https://developers.connectycube.com/js/authentication-and-users?id=session-expiration) says that the token expires after 2 hours of inactivity. The refresh should be done manually, right? So, in the case you mention, that refresh should be done again server side to retrieve a new token. Is this the way to proceed? And one last thing: I figured out that using the Application session token I can sign up new users, and also using the User session token. Is there any way to deny the signup for the User session token? I'm thinking that a logged-in user may be able to create infinite new profiles... I guess this means having some kind of "user roles", or at least a server-side admin token vs. a user-only basic token. Thank you very much!
We do not have a refresh token. You should reuse the user data to create a new session after the old session has expired.
You are right that a user can create profiles. We do not have an API to block the ability. It is common user registration and you can prevent the ability just on the front-end side.
Hello,
I'm using react-native and I see that authSecret is required to be in the config.
This means that someone who downloads my app can steal the authSecret by finding the JavaScript bundle in the app.
How are you managing this thing?
Thank you!