    Shashank Mehra
    @shashankmehra
    We could use db.Stats() to get the number of open connections and assert them at the end of every unit test. https://golang.org/pkg/database/sql/#DB.Stats
    I am going to try and switch to using NamedExec and change unit tests for this. If it solves my connection issue, I will send a PR.
    Shashank Mehra
    @shashankmehra
    I am still working on it, but I was able to change the tests to fail for postgres:
    shashankmehra/authn-server@df34bda
    Also found out why the postgres code was written that way. It doesn't support LastReturnId: lib/pq#24
    Shashank Mehra
    @shashankmehra
    @cainlevy Pull Request: keratin/authn-server#60
    Unit tests are passing. I still have to test whether this resolves my connection leak issue.
    Shashank Mehra
    @shashankmehra
    I can confirm that with this change connection leaks on my infrastructure have stopped.
    Lance Ivy
    @cainlevy
    @shashankmehra v1.4.1 :tada:
    Shashank Mehra
    @shashankmehra
    :)
    Shashank Mehra
    @shashankmehra

    Hi @cainlevy
    I have to implement a "Re-enter password" feature for some critical user actions in my product. For example, in GitHub, if you are deleting a repo, it asks for a password again as a security measure. To implement such a feature in authn, here are my thoughts:
    1) Allow go-authn to extract iat as well as sub. iat is "issued at" for JWT.
    2) Use iat to determine if the token was generated more than 5 minutes ago (configurable). If it was, return 401, compelling the frontend to pop up a password screen.
    3) New token is generated and the security critical request is sent again. This time iat check would pass.

    My concern is that if a refresh token is used to request a new jwt, is iat refreshed? If that is the case, then a malicious client can request a new token using the refresh token without a password. If this is the case, do you have any ideas on how to implement such a feature?

    Thanks

    Shashank Mehra
    @shashankmehra
    From code I can see that iat cannot be used for this as it is reset to time.Now() on every refresh of the jwt. But auth_time is set at the start of the session and could be used for this. Can you think of any security issues this method might cause?
    Lance Ivy
    @cainlevy
    @shashankmehra +1 for auth_time. that was my best idea for that sort of feature as well, and i'm happy to see someone working with it!
    i don't anticipate any security issues. it should behave like a normal login with the normal security.
    would you let me know how this works in practice? i'd like to do a write-up for https://github.com/keratin/authn-server/blob/master/docs/README.md#other-guides.
    Lance Ivy
    @cainlevy
    @shashankmehra one difference i expect you'll run into is the logic necessary to hide the username field when they are unauthorized for this reason. if your backend returns the same error code for "not logged in" and "must re-verify", then the frontend will be responsible for determining which situation the user is currently in. depending on the details of your situation, this logic has a risk of being reused on the general logic screen.

    possible solutions include:

    1) backend returns a unique error code in this situation
    2) frontend can inspect auth_time to determine the cause
    3) frontend has different code paths in this event and can naturally show a different UX

    Shashank Mehra
    @shashankmehra

    Sorry for the late reply. I had to drop this feature for something more urgent. I am starting my work on this now and once we have something in production I will send you a brief description of our implementation.

    As for not being able to distinguish between "not logged in" and "must re-verify", since this restriction will apply to only some ajax calls, only those ajax calls will trigger a popup asking for a password. We can even add a "Login again" link at the bottom of the popup, in case the user wants to login with a different username. For our use case, I don't think this would matter.

    Otherwise I think we would have to go with 401 with some flag in the JSON response which tells the frontend the reason for the block.
    Shashank Mehra
    @shashankmehra
    PS: Putting auth_time in there was quite a foresight. Thanks for that
    Lance Ivy
    @cainlevy
    @shashankmehra added a short writeup for using auth_time: https://github.com/keratin/authn-server/blob/master/docs/guide-confirm-password.md
    i'll update this when you've had a chance to work through your own implementation
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    Hey there, I have a noob question. Is Redis absolutely necessary for authn server and session storage?
    Lance Ivy
    @cainlevy
    @roychowdhuryrohit-dev If you're using Sqlite for a database, then Redis is not necessary. That's fine for low traffic, I think.
    It's also possible to develop an adapter for other databases to do the session storage. Do you have one in mind?
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    @cainlevy I am using postgresql
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    Is sqlite preinstalled in the image?
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    I am running into this error while running with postgresql: "panic: NewRefreshTokenStore: unsupported driver: postgres". Does it support postgresql?
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    Please refer to this issue keratin/authn-server#61
    Shashank Mehra
    @shashankmehra
    Hi @cainlevy .... We have been running authn in production for a while, and it seems that there is a connection leak somewhere ... Looking further into it to find out where. The above is our graph of active connections to various databases. You can see that compared to our other services, authn constantly leaks connections until it uses up all the slots.
    Shashank Mehra
    @shashankmehra
    I just noticed that our fork has fallen behind yours and that there was a connection leak fix pushed in 1.4.1. Let me upgrade ... will let you know
    Lance Ivy
    @cainlevy
    PostgreSQL?
    Rohit Roy Chowdhury
    @roychowdhuryrohit-dev
    We have since chosen Firebase for our production.
    Nikita Hritsay
    @angrypie
    Hi there. Having trouble setting up a passwordless login. When I perform GET /session/token, my app is not receiving the request, and there are no errors in the Authn logs. Any suggestions on how I can debug this?
    Lance Ivy
    @cainlevy
    @angrypie would you mind sharing a part of your log file starting with GET /session/token and continuing for about 2 minutes? feel free to private message me a secret gist if that's more comfortable.
    the process that AuthN uses for delivering tokens involves retries that can delay seeing any errors in the log. more here: https://github.com/keratin/authn-server/blob/master/app/services/webhook_sender.go#L12-L19
    Nikita Hritsay
    @angrypie
    @cainlevy I checked the endpoint of my application, then I started the server and made two requests to the authn server (honestly, just not sure which one is correct). No logs to the very end of the recording.
    https://asciinema.org/a/h2lcaiS11JBkKBOLp0ZSF87Dy
    I have a strong feeling that I missed something 🤦🏻‍♂️ Do I need to register a user first?
    Lance Ivy
    @cainlevy
    @angrypie Oh! Yes that would be it!
    Feedback is welcome on this system. I can see how signup and login
    Ugh gitter mobile
    I can see how sign up and login might both follow a passwordless pattern. The complication, for AuthN, is that it can't be sure the username also acts as a method of contact (email).
    Lance Ivy
    @cainlevy
    Is there a place in the docs where you might have appreciated seeing the assumption about registration?
    Nikita Hritsay
    @angrypie
    For me it is 'Passwordless Logins', because I have started from there.
    However, what I should do with password on registration if my app doesn't use them?
    Nikita Hritsay
    @angrypie
    Could signup flow be the same as login?
    1. Initiate login/signup GET /session/token
    2. Send confirmation token and account_id to backend
    3. Backend sends email with confirmation token
    4. User obtains an access token by using the verification token: POST /session/token
    Lance Ivy
    @cainlevy

    How does the backend know where to send the token in step 3?

    What if a user mistypes their email during login? Did they register someone else?

    One way to manage a passwordless signup process right now is with a randomly generated password on behalf of the user.

    Nikita Hritsay
    @angrypie

    How does the backend know where to send the token in step 3?

    In the docs you have steps 6-7 in the registration process; it's the same, the backend needs the user profile (email) to finish registration.
    It's much simpler if we have USERNAME_IS_EMAIL, so the backend may retrieve the username (email) from Authn.
    If the username is not an email, then it's up to the backend to decide by username how to deliver the token (maybe it's not even email).

    Nikita Hritsay
    @angrypie

    What if a user mistypes their email during login? Did they register someone else?

    Yes, if this someone follows the confirmation link. It would be the same with a traditional password system and email confirmation.

    Lance Ivy
    @cainlevy
    i've made revisions to the passwordless documentation: https://keratin.github.io/authn-server/#/guide-implementing_passwordless_logins
    Nikita Hritsay
    @angrypie
    🎉👍