-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Cookie authentication #390
Conversation
why are we doing cookie based? |
Console is a browser application, there's no need to the use localStorage (we still maintain the support for clients that doesn't support cookies), instead we can use browser cookies and leverage on the existing security protections, right now the session token it's too expose and any injected malicious JS code would be able to read that information |
cookie based auth expose us to other series of threats such as CSRF but we can also fix those if ever happen, we need to add layers of security |
e5bffb7
to
c2dff22
Compare
c2dff22
to
753dbd8
Compare
Almost every browser supports localStorage - Cookies are unnecessarily complicated - unless we are fixing something real. |
Also any injected JS cannot access localStorage because browsers make sure that new JS code is never able to read your application's localStorage. |
Ideally, we should be using https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage if we want to be paranoid about it. |
I'll take a look harsha |
But it's not only that, the fact that JS (our own code or a third-party library) can read our token its pretty scary, right now we are using cookies already because of websocket communication (websockets authentication works only via cookies as far as I know, @cesnietor can confirm that), so this PR will unify the session handling mechanism to use only cookies instead of cookies and authorization header. |
Understood |
- Added support for cookie authentication (authorization header will have priority) - Removed local storage token management from UI - cookie hardening (sameSite, httpOnly, secure) - login endpoint sets cookie via header, logout endpoint expires cookie - Refactor Routes and ProtectedRoutes components, improvement on the way application check if user session is valid Future improvements - look for all places in backend that returns 401 unauthorized, and destroy session there (not a priority since cookie its invalid anyway) - Downloading objects in object browser can be simplified since is just a GET request and users will be authenticated via Cookies, no need to craft additional requests
753dbd8
to
556512a
Compare
Future improvements