Improve the Auth generated by amber g auth
#1322
Comments
|
Good changes. You'll certainly want to make the relationship between Users and Session tokens a "has many" however you'd like to go about that. I don't really think there's a need to make the session token anything but a secure random string. |
|
@robacarp that's a good point of refinement, I was shooting for a single session allowed at a time, but that doesn't make sense even for my own use case, ha! Since I'm building a mobile app, I want multiple sessions up to the device limit. So that's definitely a So far I have the single token & single session working and using an in-memory cache that is managed by the |
The current authentication provided by the generator is too basic. The current auth uses the user_id as the session ID. Let's improve the generator to do the following:
session_random_tokenwith typeVARCHAR&session_expiration_datewith typeTIMESTAMPsession_token= used_id + session_random_tokensession_tokenand set the token into an in-memory data storeauthpipe from using a DB query to check for the existing user_id, check the in-memory data store for the session token that is provided.The in-memory data store is probably best represented as a
Hash(String, User){ "kjlh01nv081304813408934": User }The
session_tokenis going to require some parsing in order to do a database lookup in the event that the session token is not found. The idea here is that thesession_tokenshould be"#{session_random_token}:#{random_string}"whererandom_stringis a randomly generated 64 character long string of mixed uppercase, lowercase and numbers.The text was updated successfully, but these errors were encountered: