Accounts: switch to AWS Cognito or SuperTokens? #107
Comments
Hi there - I've just noticed this issue chain. We've actually been working on an email verification system over the past couple of days, to integrate into fastapi-users (based on the discussion in issue 106 in fastapi_users), and will be making a pull request shortly - not sure if this might affect your plans, so thought you may want to know (followed this from issue 102) @lefnire
@mark-todd thanks for bumping! I did see activity on the email verification, that's fantastic. And Frankie re-opened the refresh token ticket fastapi-users/fastapi-users#350, which was actually a larger issue for this ticket - that's great! I'm still on the fence for all scenarios. Gnothi is insanely security-conscious, borderline bank-website security needs, because if users' journal entries got hacked that's very damaging. For this reason I considered Cognito for all the stuff I may not be considering (they're likely rotating secret keys for JWT signing; I only recently found out about refresh token stuff, and what else am I not considering). Built-in email verification, forgot-password, and 2FA (I'll need 2FA). Stuff like this. On the flip side, Cognito (and many other services) has been down in us-east-1 for the past what.. 24hrs? So I'm damn glad I didn't already make the switch. But yeah, I think this ticket could use some conversation.
Mark and I have submitted a PR to FastAPI-Users which implements a flow for user activation. It would be interesting to hear your thoughts in the conversation thread over there.
That's fantastic, great job @eddsalkield! I'll subscribe to that PR
7e34650 (and some prior commits) switch to Cognito. AWS Cognito has some bells/whistles (like Auth0, but I'm already using AWS for everything anyway) like forgot/reset password; logout other devices; MFA; prevent password-stuffing; etc. I.e., it's more secure and robust - vital given the subject matter. When I push the new version, users will be required to reset their password. You can use the same password as before, it's just that it's a new back-end and (a) Cognito doesn't allow importing passwords; (b) Gnothi DB's passwords are hashed anyway, so couldn't be migrated.
Me handling email verification, JWT refresh tokens, and integrating OAuth providers (Google, Facebook, etc.) is a really stupid idea. I don't want to be in charge of the security of that. Will close a few tickets on those points, referencing this as the way forward. I'll switch to AWS Cognito (since I'm on AWS); but there are other providers like Auth0. Tutorial
Update: consider open source SuperTokens instead. The benefit is that it can use its own database. A 3rd-party dependency, yes, but managed within the Docker cluster and with full control. Likely less overhead/coupling and easier testing than Cognito.
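Added example, not code from Gnothi, fastapi-users, Cognito or SuperTokens: the stdlib-only Python below sketches the two mechanisms the comments above (the "rotating secret keys for JWT signing" / refresh-token remark and the later list of Cognito features) lean on a managed provider for. Signing keys are rotated under a `kid`, with a retired key still verifying the tokens it signed for a bounded grace period; refresh tokens are stored hashed, spent on use, and a replayed one revokes the whole login family. Every name here (`TokenService`, the TTLs, the `family` tag) is constructed for the illustration. HS256 is used only so it runs without extra packages; a real provider publishes RS256 public keys via JWKS, and the `kid` lookup works the same way there.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # unpadded, as JWTs use


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _token_hash(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()  # store refresh tokens hashed, like passwords


class TokenService:
    """Hypothetical in-memory stand-in for a managed auth service: HS256 access tokens under a
    rotating signing key, plus single-use refresh tokens with replay detection."""

    def __init__(self, access_ttl=900, refresh_ttl=30 * 86400, key_grace=3600, clock=time.time):
        self.access_ttl = access_ttl    # seconds an access token stays valid
        self.refresh_ttl = refresh_ttl  # seconds a refresh token stays valid
        self.key_grace = key_grace      # seconds a retired key still verifies tokens it signed
        self.clock = clock              # injectable so tests can move time deterministically
        self.keys = {}                  # kid -> [secret, retired_at or None]
        self.current_kid = None
        self.refresh_store = {}         # hash(refresh) -> (sub, expires_at, family)
        self.used_refresh = {}          # hash(refresh) already rotated -> family
        self.rotate_key()

    def rotate_key(self) -> str:
        """Sign with a fresh key from now on; the old key only verifies, and only for key_grace."""
        if self.current_kid is not None:
            self.keys[self.current_kid][1] = self.clock()
        kid = secrets.token_hex(8)
        self.keys[kid] = [secrets.token_bytes(32), None]
        self.current_kid = kid
        return kid

    def issue_access_token(self, sub: str) -> str:
        now = int(self.clock())
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current_kid}
        payload = {"sub": sub, "iat": now, "exp": now + self.access_ttl}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        sig = hmac.new(self.keys[self.current_kid][0], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify_access_token(self, token: str):
        """Return the payload, or None unless a live key signed it and it has not expired."""
        try:
            h, p, s = token.split(".")
            header, signature = json.loads(_b64url_decode(h)), _b64url_decode(s)
            payload = json.loads(_b64url_decode(p))
        except ValueError:  # wrong shape, bad base64 or bad JSON
            return None
        if not isinstance(header, dict) or not isinstance(payload, dict):
            return None
        if header.get("alg") != "HS256":  # pin the algorithm: rejects alg=none and key confusion
            return None
        entry = self.keys.get(header.get("kid"))  # unknown kid means it is not our key
        if entry is None:
            return None
        secret, retired_at = entry
        now = self.clock()
        if retired_at is not None and now > retired_at + self.key_grace:
            return None  # key rotated out beyond its grace period
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
            return None
        return payload

    def issue_refresh_token(self, sub: str, family: str = None) -> str:
        raw = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)  # one family per login session
        self.refresh_store[_token_hash(raw)] = (sub, self.clock() + self.refresh_ttl, family)
        return raw

    def _revoke_family(self, family: str) -> None:
        self.refresh_store = {k: v for k, v in self.refresh_store.items() if v[2] != family}

    def refresh(self, raw: str):
        """Spend the refresh token and return (access, new refresh); a replayed token ends the session."""
        key = _token_hash(raw)
        if key in self.used_refresh:  # an already-spent token came back: treat the session as stolen
            self._revoke_family(self.used_refresh[key])
            return None
        entry = self.refresh_store.pop(key, None)
        if entry is None or self.clock() > entry[1]:
            return None
        sub, _, family = entry
        self.used_refresh[key] = family
        return self.issue_access_token(sub), self.issue_refresh_token(sub, family)
```

The grace window is what lets a key rotate without logging everyone out: tokens signed by the retired key keep verifying until the window closes, and nothing new is ever signed with it. Pinning `alg` and looking the key up by `kid` are the two checks that matter most in the verifier; the replay rule on `refresh` is the reason a stolen refresh token buys an attacker at most one exchange before the legitimate client's next refresh exposes it.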