Updated documentation

matb33 committed Jun 12, 2012
1 parent f0768a1 commit 30da243d6295309c7357ad7662dc8d8498cc9cdb
Showing with 10 additions and 5 deletions.
  1. +10 −5 README.md
@@ -6,6 +6,10 @@ This project is an attempt at demonstrating a simple use-case of authentication
- Re-worked RPC structure and models to make use of dual-sided `Meteor.methods` (client and server). The previous version did not properly implement latency compensation as intended by Meteor. If you used my previous code as a base for learning Meteor, I suggest reviewing the changes so as not to perpetuate incorrect code structure.
+- Create separate UserSessions (server only) collection to hold session information. This allows us to log-in from multiple browsers. Logging out clears all sessions for the user, so effectively logs out anyone using that username.
+
+- Added *expires* property to user sessions, defaulting to 1 week.
+
## Important notes
1. When logging in, your login and password are sent down to the server in plaintext through Meteor RPC (Meteor.call). I am open to suggestions here, but as far as I understand it, this is the job of HTTPS;
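Review bot: the added *expires* line states the default (1 week) but not where expiry is enforced; since the added UserSessions bullet says logout is what clears sessions, the README should state whether the server checks `expires` on every request that presents a session token and whether expired session documents are removed from the collection, otherwise a reader will assume logging out is the only way a session ends. Also, for tense consistency with the neighbouring bullets ("Re-worked", "Added"), "Create separate UserSessions" should read "Created a separate UserSessions".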
@@ -37,14 +41,15 @@ Here's how I've approached security:
var signature = CryptoJS.HmacMD5(randomToken, serverKey).toString();
var signedToken = randomToken + ":" + signature;
-5. Signed token is hashed and stored in DB in user's row;
-6. Server sends signed token to client, which it can store in a cookie if it pleases. The signed token is not saved on the server. The client can then use this session token in subsequent requests to identify itself.
+5. Signed token is hashed and stored in server user-session collection;
+6. Server sends signed token to client, which it can store in a cookie if it pleases. The signed token itself is not saved on the server, only a hash representation.
+7. The client can then use this session token in subsequent requests to identify itself. The mechanism with which it chooses to preserve this session token is based on what the browser has available (cookie, localStorage, etc).
#### User accessing resources using session token:
1. Client sends session token in plaintext to the server;
2. Server verifies the integrity of the session token (signed by server);
-3. If successful, retrieves user row by hashing the session token, and looking for this same hash in the DB (stored in step 5 above).
+3. If successful, retrieves user row by hashing the session token, and looking for this same hash in the user-session collection (stored in step 5 above).
4. Server can do what it wants with user row, such as allowing/denying access etc.
## Installation
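Review bot: steps 5 and 6 now say only "a hash representation" of the signed token is stored and step 3 says the lookup is by that same hash, but neither step names the hash function; the README should state which one is used (the heading text on this page lists bcrypt, SHA256 and HMAC, so name the one applied to session tokens) so that readers adapting the code do not substitute a weaker or salted/non-deterministic one that would break the lookup in step 3. The new step 7 offers localStorage as an alternative to a cookie; a one-line caveat that localStorage is readable by any script on the page, whereas a cookie can be flagged HttpOnly, would help readers make that choice deliberately.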
@@ -55,7 +60,7 @@ Follow the usual installation instructions over at <https://github.com/meteor/me
### Userauth (this project)
-Userauth isn't setup as a Meteor package. Since it's a proof-of-concept, you'll need to clone the repository and play around/learn how it works, then pull it apart and adapt it for your own application. So go ahead and clone it.
+Userauth isn't setup as a Meteor package. Since it's a proof-of-concept, you'll need to clone or fork the repository and play around/learn how it works, then pull it apart and adapt it for your own application. So go ahead and clone/fork it.
Once you have it installed, make sure to run `npm install` in the root of the project folder to have the bcrypt node module compiled and installed.
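Review bot: minor wording in the changed line: "isn't setup as a Meteor package" should be "isn't set up as a Meteor package" (verb form); the clone-or-fork addition itself reads fine.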
@@ -198,7 +203,7 @@ Here we define the collections we want to expose to the client. We have the oppo
Additionally, using the `publishModifiedCursor` extension I adapted from the built-in `_publishCursor`, you can add computed fields to the cursor (such as `__is_owned_by_session_user` and `__is_session_user`, in this case).
-#### `server/authentication/make-authentication-manager.js`
+#### `server/authentication/authentication.js`
bcrypt, SHA256, HMAC, this is where it all happens. The `makeAuthenticationManager` function is a maker function with parameters to allow defining the user collection and user document field-names to affect.
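Review bot: the heading is renamed from `make-authentication-manager.js` to `authentication.js`, but the unchanged description line below it still refers to the `makeAuthenticationManager` function, and this commit touches only README.md (10 additions, 5 deletions). Confirm that `server/authentication/authentication.js` exists at this commit and still exports `makeAuthenticationManager`; if the function was renamed along with the file, update the description too so the README does not point readers at a name that is no longer there.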