Possible alternatives to a login system #59

Closed
audreytoskin opened this issue Dec 24, 2016 · 1 comment

@audreytoskin
Contributor

There's a tech security adage I heard somewhere that says the best way to protect some data is to not have it. That is, someone breaking into your system can't steal any data that doesn't exist. Users would not have to trust your application, and you would not have to worry as much about protecting your login backend, if you implemented alternative ways of saving user mixes.

Such as local storage. Local storage, I'm guessing, would be simpler to implement, and greatly reduces the "attack surface" for an application like Relaxio. One downside of local storage is that there's not really a good way for users to take the data with them to other devices or browsers.

Another possible solution would be to create a URL for the current mix, where the sound sources and volume levels are encoded as URL fragments or query strings. This might be a little more complex than local storage, but it would allow users to save their mixes as bookmarks, which all the major browsers can sync across devices, or which users can export and import to different browsers.

Just a thought. You already have a login system in place, so you don't necessarily have to throw that away; local storage or a custom mix URL could also work as just another option for users. But it occurred to me that maintaining a database of user data, any kind of user data, is a responsibility I would personally prefer to avoid if possible, so I'm just saying.
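
The mix-URL idea from the comment above, as an added sketch that is not part of the original thread or Relaxio's code: the mix is serialized into the URL fragment and parsed back with strict validation, since a shared or bookmarked link is untrusted input. The sound ids and the function names `encodeMix` and `decodeMix` are assumptions.

```javascript
// Added example. KNOWN_SOUNDS, encodeMix and decodeMix are hypothetical names,
// and the sound ids are constructed sample values.
const KNOWN_SOUNDS = new Set(["rain", "fire", "wind", "waves"]);

// Serialize a mix such as { rain: 0.8, fire: 0.35 } into "#rain=80&fire=35".
// A fragment (unlike a query string) is not sent in the HTTP request, so the
// mix never reaches the server or its logs.
function encodeMix(mix) {
  const params = new URLSearchParams();
  for (const [sound, volume] of Object.entries(mix)) {
    if (!KNOWN_SOUNDS.has(sound)) continue;      // drop unknown sound ids
    const v = Number(volume);
    if (!Number.isFinite(v)) continue;           // drop non-numeric volumes
    const pct = Math.round(Math.min(1, Math.max(0, v)) * 100); // clamp to 0..100
    params.set(sound, String(pct));
  }
  return "#" + params.toString();
}

// Parse a fragment back into a mix. Anyone can craft a link, so the fragment
// is treated as hostile: only allowlisted keys and integer volumes 0..100 are
// accepted, everything else is ignored, and nothing from the URL is ever
// used as markup or as an arbitrary object key.
function decodeMix(fragment) {
  const mix = {};
  const params = new URLSearchParams(String(fragment).replace(/^#/, ""));
  for (const [key, value] of params) {
    if (!KNOWN_SOUNDS.has(key)) continue;        // allowlist, blocks "__proto__" etc.
    if (!/^\d{1,3}$/.test(value)) continue;      // digits only, at most three
    const pct = Number(value);
    if (pct > 100) continue;                     // out of range
    mix[key] = pct / 100;                        // a repeated key: last one wins
  }
  return mix;
}
```

In a browser the result of `encodeMix` would be assigned to `location.hash`, and `decodeMix(location.hash)` would run on page load.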

@docsmage
Owner

Thanks for sharing your thoughts; it's good to have discussions like this when planning a secure login system.

I'm doing a revamp of relaxio where the login system will be entirely removed, so I'm marking this issue as closed. Feel free to review that release when it comes out and file issues as needed. I appreciate your feedback!
