
Accounts: switch to AWS Cognito or SuperTokens? #107

Closed
5 tasks
lefnire opened this issue Nov 9, 2020 · 5 comments
Labels
🔒Account/Security User account & security stuff help wanted Extra attention is needed
Comments

@lefnire
Collaborator

lefnire commented Nov 9, 2020

My handling of email verification, JWT refresh tokens, and integrating OAuth providers (Google, Facebook, etc.) is a really stupid idea. I don't want to be in charge of the security of that. Will close a few tickets on those points, referencing this as the way forward. I'll switch to AWS Cognito (since I'm on AWS); but there are other providers like Auth0. Tutorial

Update: consider open-source SuperTokens instead. Benefit is it can use its own database. 3rd-party dep, yes, but managed within the Docker cluster and with full control. Likely less overhead/coupling and easier testing than Cognito.

@lefnire lefnire added help wanted Extra attention is needed 🔒Account/Security User account & security stuff labels Nov 9, 2020
@lefnire lefnire added this to Beta in Main via automation Nov 9, 2020
@lefnire lefnire moved this from Beta to In Progress in Main Nov 22, 2020
@mark-todd

mark-todd commented Nov 26, 2020

Hi there - I've just noticed this issue chain. We've actually been working on an email verification system over the past couple of days, to integrate into fastapi-users (based on the discussion in issue 106 in fastapi_users), and will be making a pull request shortly - not sure if this might affect your plans, so thought you may want to know (followed this from issue 102) @lefnire

@lefnire
Collaborator Author

lefnire commented Nov 26, 2020

@mark-todd thanks for bumping! I did see activity on the email verification, that's fantastic. And Frankie re-opened the refresh token ticket fastapi-users/fastapi-users#350, which was actually a larger issue for this ticket - that's great!

I'm still on the fence for all scenarios. Gnothi is insanely security-conscious, borderline bank-website security needs, because if users' journal entries got hacked that's very damaging. For this reason I considered Cognito for all the stuff I may not be considering (they're likely rotating secret keys for JWT signing; I only recently found out about refresh token stuff, and what else am I not considering). Built-in email verification, forgot-password, and 2FA (I'll need 2FA). Stuff like this. On the flip side, Cognito (and many other services) has been down in us-east-1 for the past what.. 24hrs? So I'm damn glad I didn't already make the switch. But yeah, I think this ticket could use some conversation.

  1. fastapi-users. Pros: built into the site; no single point of failure (as long as the server's distributed, per the Cognito outage); easier testing & management. Cons: missing features (email verification, 2FA, refresh token); what vulnerabilities might be present that a dedicated product would be handling?
  2. fastapi-jwt-auth. Pros: a bit more security-flexible than fastapi-users (e.g., refresh tokens). Cons: more leg-work on the app side; fastapi-users sets up routes, tables, forgot-password, etc.
  3. Cognito. Pros: presumably much more security-heavy (by default) than either of the above (assuming rotation of signing keys, etc.); feature-complete (2FA, emails, etc.). Cons: single point of failure, harder to manage (accounts over there, user rows over here), harder to test.
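The comparison above turns on two things a hand-rolled JWT setup tends to miss: short-lived access tokens paired with a refresh token, and rotation of the signing key so that tokens minted under a withdrawn key fail closed. The following is an added illustration, not code from Gnothi, fastapi-users or Cognito; it uses only the Python standard library, a constructed two-entry key set (`k1` retired, `k2` active) and constructed secrets, and pins the algorithm to HS256 so the token cannot pick its own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set (hypothetical, not the project's): rotation keeps the
# current key "active" and marks the previous one "retired", so tokens that
# were signed with the old key are rejected once it is withdrawn.
KEYS = {
    "k1": {"secret": b"constructed-old-secret-k1", "status": "retired"},
    "k2": {"secret": b"constructed-new-secret-k2", "status": "active"},
}

ACCESS_TTL = 15 * 60           # short-lived access token (seconds)
REFRESH_TTL = 30 * 24 * 3600   # longer-lived refresh token, exchanged for new access tokens


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _active_kid(keys) -> str:
    for kid, entry in keys.items():
        if entry["status"] == "active":
            return kid
    raise RuntimeError("no active signing key")


def issue_token(sub: str, kind: str, keys=KEYS, now=None, kid=None) -> str:
    """Mint an HS256 JWT of kind 'access' or 'refresh' with the active key (or an explicit kid)."""
    now = int(time.time()) if now is None else now
    kid = kid or _active_kid(keys)
    ttl = ACCESS_TTL if kind == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    claims = {"sub": sub, "typ": kind, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(keys[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, expected_kind: str, keys=KEYS, now=None):
    """Return (claims, None) on success or (None, reason) on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Pin the algorithm server-side; never let the token choose it ("alg":"none" etc.).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    entry = keys.get(header.get("kid"))
    if entry is None:
        return None, "unknown kid"
    if entry["status"] != "active":
        return None, "signing key retired"
    expected = hmac.new(entry["secret"], f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    # A refresh token must never be accepted where an access token is expected, and vice versa.
    if claims.get("typ") != expected_kind:
        return None, "wrong token type"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, None


def refresh(refresh_token: str, keys=KEYS, now=None):
    """Exchange a still-valid refresh token for a fresh short-lived access token."""
    claims, err = verify_token(refresh_token, "refresh", keys, now)
    if err:
        return None, err
    return issue_token(claims["sub"], "access", keys, now), None
```

The rotation step is simply flipping a key's status: once `k1` is marked retired, every token it signed is refused with "signing key retired" and the client has to obtain a new one through the refresh flow, which a managed provider does for you but which a self-hosted setup has to schedule itself.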

@lefnire lefnire changed the title Accounts: switch to AWS Cognito Accounts: switch to AWS Cognito? Nov 26, 2020
@eddsalkield

Mark and I have submitted a PR to FastAPI-Users which implements a flow for user activation. It would be interesting to hear your thoughts in the conversation thread over there.

@lefnire
Collaborator Author

lefnire commented Dec 1, 2020

That's fantastic, great job @eddsalkield! I'll subscribe to that PR

@lefnire lefnire changed the title Accounts: switch to AWS Cognito? Accounts: switch to AWS Cognito or SuperTokens? Dec 8, 2020
@lefnire
Collaborator Author

lefnire commented May 23, 2021

7e34650 (and some prior commits) switch to Cognito. AWS Cognito has some bells/whistles (like Auth0, but I'm already using AWS for everything anyway) like forgot/reset password; logout other devices; MFA; prevent password-stuffing; etc. I.e., it's more secure and robust - vital given the subject matter. When I push the new version, users will be required to reset their password. You can use the same password as before; it's just that it's a new back-end and (a) Cognito doesn't allow importing passwords; (b) Gnothi DB's passwords are hashed anyway, so couldn't be migrated.

@lefnire lefnire closed this as completed May 23, 2021
Main automation moved this from In Progress to Done May 23, 2021