Add proper security to the apps #145

Closed
thaalesalves opened this issue Apr 24, 2023 · 1 comment
Labels
improvement Improvement of current features refactor Refactor of current code into a better version of it

Comments

@thaalesalves (Collaborator)

Summary

The backend API is currently open and has no security, and that needs to change. With Discord authentication this will be possible. With proper security in the back end, we can store client data more securely and prevent storage of sensitive data in the browser or in a cookie.

Details

The backend API needs to have Authorization headers validation with proper tokens and block the APIs in case a valid session isn't available. Now that we have Discord authentication, we should investigate a way of achieving this. This should also help secure the front end.

  • Retrieve authorization and authentication data from Discord API and cache it in the back end;
  • Create a custom internal token (UUID or NanoID);
  • Use this internal token as the key for caching the actual auth data;
  • Return that internal token to the client and have it store it in an encrypted cookie;
  • Add Spring Security layers to the REST API so it blocks requests that don't have a valid internal token in the Authorization header;
  • Remove requester header (contains user ID and nothing else) from the requests and use cached data instead;
@thaalesalves thaalesalves added improvement Improvement of current features refactor Refactor of current code into a better version of it labels Apr 24, 2023
@thaalesalves thaalesalves added this to the Error handling milestone May 9, 2023
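The list above describes one end-to-end flow: exchange the Discord login for cached auth data, hand the browser only an opaque internal token, and have Spring Security reject any API call that does not carry a valid one. The sketch below is an added example of that flow and is not code from this project. It assumes Spring Boot 3 / Spring Security 6 (`jakarta.servlet`, `requestMatchers`), Java 17, and hypothetical names (`SessionStore`, `CachedSession`, `InternalTokenFilter`, the `/auth/discord/**` callback path); the Discord OAuth code exchange itself is not shown, only what happens once it has succeeded.

```java
// Added example (hypothetical package and class names), not the project's own code.
package example.security;

import java.io.IOException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** What the back end caches per session. The Discord access token never leaves the server. (Constructed type.) */
record CachedSession(String discordUserId, String discordAccessToken, List<String> roles, Instant expiresAt) {
    boolean expired() { return Instant.now().isAfter(expiresAt); }
}

/** In-memory cache keyed by the opaque internal token; swap for Redis/DB in production. (Constructed type.) */
class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();   // CSPRNG: the token must be unguessable
    private final Map<String, CachedSession> sessions = new ConcurrentHashMap<>();
    private final Duration ttl;

    SessionStore(Duration ttl) { this.ttl = ttl; }

    /** Called after the Discord OAuth exchange succeeded; returns the only value the client ever holds. */
    String create(String discordUserId, String discordAccessToken, List<String> roles) {
        byte[] raw = new byte[32];                                 // 256 bits; UUID.randomUUID() would also do
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new CachedSession(discordUserId, discordAccessToken, List.copyOf(roles), Instant.now().plus(ttl)));
        return token;
    }

    Optional<CachedSession> lookup(String token) {
        CachedSession s = sessions.get(token);
        if (s == null) return Optional.empty();
        if (s.expired()) { sessions.remove(token); return Optional.empty(); }  // expiry is enforced server-side
        return Optional.of(s);
    }

    void revoke(String token) { sessions.remove(token); }          // logout = drop the cache entry
}

/** Resolves "Authorization: Bearer <internal token>" to the cached identity; replaces the old requester header. */
class InternalTokenFilter extends OncePerRequestFilter {
    private final SessionStore store;
    InternalTokenFilter(SessionStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);      // no token: stay anonymous, the authorize rules below will reject protected paths
            return;
        }
        Optional<CachedSession> session = store.lookup(header.substring("Bearer ".length()).trim());
        if (session.isEmpty()) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);  // present but unknown/expired token: reject outright
            return;
        }
        CachedSession s = session.get();
        var authorities = s.roles().stream().map(SimpleGrantedAuthority::new).toList();
        // Principal comes from the cache, never from a client-supplied user-ID header.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(s.discordUserId(), null, authorities));
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableWebSecurity
class ApiSecurityConfig {
    @Bean SessionStore sessionStore() { return new SessionStore(Duration.ofHours(12)); }

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http, SessionStore store) throws Exception {
        http.csrf(csrf -> csrf.disable())   // safe only because the token travels in a header the browser never adds by itself
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/discord/**").permitAll()   // hypothetical OAuth callback path
                .anyRequest().authenticated())
            .addFilterBefore(new InternalTokenFilter(store), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Controllers then read the user from `SecurityContextHolder.getContext().getAuthentication().getName()` instead of the removed requester header. One caveat on the cookie step: if the front end must copy the token out of a cookie into the `Authorization` header, that cookie cannot be `HttpOnly`, so it is readable by any script running in the page; if instead the server reads the token from the cookie directly, the browser will attach it to cross-site requests and CSRF protection has to stay on. Either way, mark the cookie `Secure` and `SameSite=Strict` (or `Lax`) and keep the token's lifetime tied to the server-side cache entry, which is what actually ends the session.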
@thaalesalves (Collaborator, Author)

Migrated to JIRA
